# [SOLVED] Postfix, how to reject instead of bounce?

## jecepede

Aloha !

Like so many of us I have followed the Complete Virtual Mail Server guide : https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server

It is working like a charm but I have only one pet peeve. I have a number of elderly users who, instead of choosing someone from the address book, type the email address and more often than not, the wohle emial address is typed worng  :Wink: 

Naturally this wrong address will not be handled by my mailserver :

```
Feb  8 17:44:57 postbox postfix/virtual[28164]: D13D09E014B: to=<typo@mydomain.nl>, relay=virtual, delay=0.11, delays=0.05/0.01/0/0.06, dsn=5.1.1, status=bounced (unknown user: "typo@mydomain.nl")
```

The mail gets bounced and.... then gets killed by the mailrelay of the ISP over which I naturally have no control.

Now mind you, they kill it with good reason :

 *Quote:*   

> Feb  8 17:44:58 postbox postfix/smtp[28166]: ED3159E014E: to=<returnaddress@somedomain.com>, relay=smtp.mailrelay.nl[200.54.11.34]:25, delay=0.18, delays=0.04/0.01/0.07/0.06, dsn=5.0.0, status=bounced (host smtp.mailrelay.nl[200.54.11.34] said: 550-Bounce Message refused to prevent mailserver backscatter 550 blacklisting. (in reply to end of DATA command))

 

Now I have read that you can tell Postfix not to bounce but do a nicer reject. The sender will get an email saying the address is wrong.

However, I've been at this for weeks now and I am not able to get this working. It will always bounce ????

I am sure that I, in my infinite stupidity, am overlooking something simple but I have no idea what...

Could anyone please point me in the right direction ? If you need config files, I'll gladly post them here   :Razz: 

Cheeeeeeeeeers and stay healthy

Jecepede

----------

## szatox

I don't understand your setup. Why do you even go through ISP's server?

And if you are using ISP's server as a relay, how come you are getting a reject within the same SMTP conversation?

If you send an email via a relay, it goes like this:

- you successfully send to the relay (and disconnect)

- relay fails to forward to the recipient's server (because it rejects due to an invalid address)

- relay creates a bounce message and attempts to send it to whoever is in Return-Path (or From, if RP does not exist)

You seem to be doing something weird there.

So... Do you have your own domain and a public IP address? What does the email's route look like, hop by hop (at least on the part where you can control it?)

Which machine actually creates bounce messages?

----------

## jecepede

Aloha !

Yub I have a public (static) IP address with a mailserver behind it under my own domain. That is indeed why I use my ISP's smpt.mailrelay.nl for outgoing mail.

"reject within the same SMTP conversation" ???

There is no 'same conversation'. The mail is dropped in a queue, scanned for SPAM, scanned for viruses and then it will try to deliver it in one of the mailboxes...

I am not sure  I understand Szatox's question, if there is any...

Let me try to elaborate.

- Someone in the world sends an email to my mailserver. It will go directly to my machine. No problem there.

- My mailserver does not recognise the mail address due to the fact it is misspelled.

- My mailserver then has to reject the mail with "Sorry address unknown" (outgoing mail goes to my ISP)

- ISP says 'no can't do'. Apparently coz it gets bounced instead of rejected by my mailserver

So the question :

 How can I make it reject instead of bounce

Cheeeeeeeeeeeers,

Jecepede

----------

## Ant P.

Postfix's default configuration should reject. Post the output of "comm -23 <(postconf -n | sort) <(postconf -d | sort)", minus any sensitive things like hostnames (we don't need those to debug this).

----------

## szatox

 *Quote:*   

>  Yub I have a public (static) IP address with a mailserver behind it under my own domain. That is indeed why I use my ISP's smpt.mailrelay.nl for outgoing mail. 

 Ok, so if you have your own domain and a public IP address, what is the purpose of ISP's relay in your setup?

Why won't you just send those messages directly where you want them delivered?

----------

## jecepede

Aloha !

 *Ant P. wrote:*   

> comm -23 <(postconf -n | sort) <(postconf -d | sort)

Here goes :

```
postbox [PROD]  / # comm -23 <(postconf -n | sort) <(postconf -d | sort)
postconf: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
compatibility_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = .maildir/
inet_protocols = ipv4
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
local_transport = local
mail_spool_directory = /var/spool/mail
manpage_directory = /usr/share/man
mydestination = localhost.$mydomain, localhost
mydomain = mydomain.nl
relayhost = [smtp.mailrelay.nl]
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mydomain.nl, myseconddomain.nl, mythirddomain.com, myfourthdomain.nl
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
```

Cheeeeeeeeeeers,

Jecepede

----------

## jecepede

Aloha !

 *szatox wrote:*   

> Ok, so if you have your own domain and a public IP address, what is the purpose of ISP's relay in your setup?
> 
> Why won't you just send those messages directly where you want them delivered?

 

Long story but a lot of ISPs nowadays block mail for various reasons. For example when you have no reverse DNS records.

I helped a friend of mine who had a similar problem with his server. With my server I did not feel like trying to cut through all the red tape again, so I use my ISP as a mail relay and in the few years I had this server, it did not give any problems....

Technically speaking, it still gives no problems. Bounced mail should indeed be stopped due to backscatter.

Cheeeeeeeeeers,

Jecepede

----------

## jecepede

PS: 

 *Ant P. wrote:*   

> Postfix's default configuration should reject.

 

Oh, I was unaware of that   :Smile: 

Cheers,

Jecepede

----------

## szatox

 *Quote:*   

>  Long story but a lot of ISPs nowadays block mail for various reasons. For example when you have no reverse DNS records. 

 Yes, that's why people actually set revdns, spf, dkim, dmarc, and make sure their servers are not open relays.

 *Quote:*   

> Technically speaking, it still gives no problems. Bounced mail should indeed be stopped due to backscatter. 

 Yeah, so your ISP's relay does not bounce messages when it fails to deliver them, which you commend, but also makes you unhappy enough to ask how you can change it.

Confusing AF.

----------

## jecepede

Aloha !

 *szatox wrote:*   

> Confusing

 

Uhmm... apparently you did not read the text correctly. Or I suck at explaining   :Embarassed: 

It is not the ISP that bounces.

It is my mailserver which bounces the mail

(See the supplied log in post#1)

According to Ant P. it should not bounce but reject by default :

 *Ant P. wrote:*   

> Postfix's default configuration should reject.

 

As far as I know I did not change this behaviour but it has apparently changed.

All I want is for MY mailserver to reject.... not bounce....

Cheeeeeeeers,

Jecepede

----------

## Ant P.

Nothing there looks outright misconfigured, so that's good. I've got a few lines in my config that you don't have; maybe it's one of these.

```
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, permit
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
```

They were taken from postfix hardening articles around the internet, so they should be safe. Make sure to check the documentation for each though.

(I could be wrong about this - maybe it just sends bounces because you have a relayhost set...)

----------

## freke

I have catchall-addresses on my mailserver, so I don't have the reject/bounce problem, but maybe try changing these to 550 instead of the default 450?:

 *Quote:*   

> Recipient address verification
> 
> As mentioned earlier, recipient address verification is useful to block mail for undeliverable recipients on a mail relay host that does not have a list of all valid recipient addresses. This can help to prevent the mail queue from filling up with MAILER-DAEMON messages.
> 
> Recipient address verification is relatively straightforward and there are no surprises. If a recipient probe fails, then Postfix rejects mail for the recipient address. If a recipient probe succeeds, then Postfix accepts mail for the recipient address. However, recipient address verification probes can increase the load on down-stream MTAs when you're being flooded by backscatter bounces, or when some spammer is mounting a dictionary attack.
> ...

 

EDIT: Not sure this works - tried it on a dummy-domain on my mail-server w/o a catchall-address and it seemed to generate a bounce-mail :/

----------

## freke

In main.cf I'm using

```
virtual_transport = dovecot
```

I can add

```
-o soft_bounce=yes
```

to the dovecot entry in my master.cf, ie.

```
dovecot   unix  -       n       n       -       -       pipe
    -o soft_bounce=yes
    flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${domain}
```

then I get this in my log

```
Feb 13 00:08:49 mail postfix/pipe[26057]: 00E771A802C9: to=<test@sindalsen.dk>, relay=dovecot, delay=0.22, delays=0.11/0/0/0.11, dsn=4.1.1, status=SOFTBOUNCE (user unknown)
```

and no mail generated  :Smile: 

----------

## jecepede

Aloha !

So I have tried a number of things you guys suggested. Lo and behold, I got it to work by using :

```
reject_unverified_recipient
```

That was so easy I can't believe I did not think about this myself.

The mail is rejected instead of being bounced and the sender gets a "delivery failure notice" in their inbox   :Razz: 

Thank you all for the suggestions 

Cheeeeeeeeeers and stay safe,

Jecepede

----------
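To confirm from the mail log which of the two behaviours discussed in this thread a server shows, the sketch below separates unknown recipients refused during the SMTP session (`NOQUEUE: reject`) from those accepted and bounced afterwards, and follows each generated notification to its delivery result. It is an added example, not code from any poster; the log lines are constructed in the style of the ones quoted above, and `classify` is a hypothetical name.

```python
import re

# Constructed sample log (hostnames, IPs and queue IDs are made up).
SAMPLE_LOG = """\
Feb  8 17:44:57 postbox postfix/virtual[28164]: D13D09E014B: to=<typo@mydomain.nl>, relay=virtual, delay=0.11, delays=0.05/0.01/0/0.06, dsn=5.1.1, status=bounced (unknown user: "typo@mydomain.nl")
Feb  8 17:44:57 postbox postfix/bounce[28165]: D13D09E014B: sender non-delivery notification: ED3159E014E
Feb  8 17:44:58 postbox postfix/smtp[28166]: ED3159E014E: to=<returnaddress@somedomain.com>, relay=smtp.mailrelay.nl[192.0.2.25]:25, delay=0.18, delays=0.04/0.01/0.07/0.06, dsn=5.0.0, status=bounced (host smtp.mailrelay.nl[192.0.2.25] said: 550-Bounce Message refused (in reply to end of DATA command))
Feb 14 09:12:03 postbox postfix/smtpd[30211]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <typo2@mydomain.nl>: Recipient address rejected: undeliverable address: unknown user: "typo2@mydomain.nl"; from=<someone@example.org> to=<typo2@mydomain.nl> proto=ESMTP helo=<mail.example.org>
"""

# Refused while the sending server is still connected: no queue file, no bounce.
REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+: (\d{3}) \S+ <([^>]*)>")
# Bounce daemon linking the original queue ID to the notification it generated.
NOTIFY_RE = re.compile(r"postfix/bounce\[\d+\]: (\w+): sender non-delivery notification: (\w+)")
# Any delivery attempt by a delivery agent (virtual, smtp, pipe, ...).
DELIVERY_RE = re.compile(r"postfix/(\w+)\[\d+\]: (\w+): to=<([^>]*)>.*?dsn=([\d.]+), status=(\w+)")


def classify(log_text):
    """Split unknown-recipient events into SMTP-time rejects and post-queue bounces."""
    rejected = []    # (recipient, SMTP reply code)
    bounced = {}     # original queue ID -> unknown recipient
    notif_of = {}    # original queue ID -> queue ID of the generated notification
    status_of = {}   # queue ID -> status of its last logged delivery attempt
    for line in log_text.splitlines():
        if m := REJECT_RE.search(line):
            rejected.append((m.group(2), int(m.group(1))))
        elif m := NOTIFY_RE.search(line):
            notif_of[m.group(1)] = m.group(2)
        elif m := DELIVERY_RE.search(line):
            _agent, qid, rcpt, dsn, status = m.groups()
            status_of[qid] = status
            if status == "bounced" and dsn == "5.1.1":
                bounced[qid] = rcpt
    after_accept = []
    for qid, rcpt in bounced.items():
        nid = notif_of.get(qid)
        after_accept.append({"recipient": rcpt, "queue_id": qid,
                             "notification_id": nid,
                             "notification_status": status_of.get(nid)})
    return {"rejected_at_smtp": rejected, "bounced_after_accept": after_accept}


if __name__ == "__main__":
    for kind, events in classify(SAMPLE_LOG).items():
        print(kind, events)
```

Any entry under `bounced_after_accept` means the server accepted mail for a recipient it could not deliver to and then generated a notification of its own, which is the backscatter pattern the relay in the first post refuses.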

