POSTFIX: Receiving Bounce/NDR Messages

stlouis79 · 03-09-2010, 10:25 AM

Hi All,

I have a Postfix Mail Server configured for sending out email via a "relayhost", however I have a small problem that I need some assistance to resolve.

I am able to send emails no problems, to any account, but I cannot seem to figure out how to get "bounce/NDR" messages to be sent to the email addresses I'm using to relay the messages. My Postfix Server is NOT configured to receive inbound emails.

Here is my current setup:

Primary Mail Server: Zimbra Collaboration Suite (ZCS 5) running on CentOS 5. This is my REAL email server, which has a fully qualified domain name, and utilizes DNS for delivery. This Server works great, and bounce/ndr messages are sent back to sender, as expected.

2nd Email Server: Postfix running on CentOS 5, using my Primary Mail Server (Zimbra) as it's "relayhost". I have designated an email account on Zimbra for this purpose. (eg. relayuser@mydomain.com)

I have some scripts that will send out emails using "mutt" on my postfix server (as root), and have configured my .muttrc to set the "Reply To:" address (for root), to the valid user on my Zimbra Server.

When I send emails to VALID email address, they work great, I receive them and the "Reply To:" address is correctly set, as expected.

If I send an email to an INVALID email address, the message leaves my Postfix Queue and is accepted by my Zimbra Server, but I do NOT get a bounce/ndr message to the "reply to:" account, nor does it bounce back to my postfix server (which i do NOT want it to do anyhow).

How can I configure postfix to alter the message envelope/header so that it sends NDR/Bounce messages to the relay account on my Zimbra Server.

It seems like these NDR/Bounce go off to never ever land.

Any assistance would be much appreciated... A good article that explains this would be great, so I understand what I'm doing wrong...

Thanks in advance.

rweaver · 03-09-2010, 01:03 PM

You're basically asking how to make your zimbra machine backscatter.

A lot of servers that don't reject at runtime will never send a failure message back because it would be backscatter 99% of the time as the mail headers are forged, the zimbra machine is likely not sending a message out that the mail wasn't deliverable because it's configured to avoid backscatter (as it should be.)

I'm not sure there is a good solution to this that doesn't cause backscatter and likely get you listed on many RBLs.

never say never · 03-09-2010, 01:12 PM

Basically, I think this is your problem, since your postfix server 'is not configured to receive mail' the bounce/NDR is never received by the postfix server. I am betting the 'From' address is that of root@postfixserver.

Bounce / NDR must goto the FROM address, they will not be sent to the "Reply To" address, because it is not a reply, it is a failure. Is the FROM address a valid deliverable address?

Here is what I think is happening:

Your postfix server sends a message to someone@xyz.com. This message is relayed to your Zimbra server for processing.

Your Zimbra Server attempts to contact xyz.com and receives a '500 error' (a fatal delivery error). You Zimbra Server attempts to contact your Postfix server to notify of the NDR, that connection Fails.

A quick check of the logs on the Zimbra Server should confirm that this is the case.

If this is the case then you need either, use a valid 'from' address or set postfix up to accept e-mails and forward them to the Zimbra Account of your choice. If you choose the latter, you may still not receive bounces if the message is passed beyond the Zimbra Server before it is bounced, unless the FROM address is a VALID and DELIVERABLE address.

At least this is what I think its happening based on a quick first read.

The logs will tell the tail. Hope this is useful to you.

rweaver · 03-09-2010, 01:18 PM

Also a copy of the full headers of one of the messages in question would be useful to see (edit out identifying information on a consistent basis)

never say never · 03-09-2010, 01:32 PM

This does not appear to be backscatter. It appears he simply wants the bounce to goto a e-mail account on a different server. It is only backscatter if the From address is forged, which does not appear to be the case.

Quote:

rweaver said: "I'm not sure there is a good solution to this that doesn't cause backscatter and likely get you listed on many RBLs."

The proper solution is DON'T ACCEPT an e-mail you can't deliver on your server. That is how you prevent being the source of backscatter.

For instance, I send an e-mail to no-one@xyz. The MX Server for xyz should check to see if no-one@xyz is deliverable BEFORE the SMTP connection with the sending server ends. That way my server is not responsible for sending the bounce.

In postfix this is done with "reject_unverified_recipient". Postfix even keeps a DB of valid addresses so it doesn't have to repeatedly check with the downstream server for the same address.

A properly configured server will ALWAYS send a DSN, if needed, but it will never accept a message without knowing that it should be able to deliver that message.

stlouis79 · 03-10-2010, 08:22 AM

Thank everyone for the responses... I'm going to try a few things and will update later on my situation.