04-29-2008, 07:54 AM | #1
Member | Registered: Dec 2004 | Location: IN, USA | Distribution: debian etch | Posts: 402
Who's sending this mail to "Bad destination mailbox address"
I keep getting this in log messages. It happens everyday. Seems to be to just random bad addresses. I typically get from 5 to 15 of these per day. Should I be worried? How can I stop this?
Quote:
6 Sent via SMTP ---------------------------------------------------------------------------
1 aaonline.org
1 dalionline.com
1 pacificpumps.cn
1 sharpinsurance.com
1 teaspoonsugar.com
1 wildernessskishop.com
6 Bounce (local) --------------------------------------------------------------------------
6 5.1.1: Permanent Failure: Addressing Status: Bad destination mailbox address
04-29-2008, 08:14 AM | #2
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 42,676
Any other mail server in the world has the theoretical right to want to talk to you, and that's what's going on here. What is also happening is that you are refusing to pass on the mail, due to a presumably correct config file. They can ask you to do whatever they want, and it's up to you to say yes or no, and these were no's. The quantity isn't huge, but if you did want to reduce it further you could use software like fail2ban to read these logs and block the IP addresses who sent it. On balance *I* probably wouldn't bother...
04-29-2008, 08:43 AM | #3
Member (Original Poster) | Registered: Dec 2004 | Location: IN, USA | Distribution: debian etch | Posts: 402
Thanks for the quick reply. I feel much better now 
06-18-2008, 10:00 AM | #4
Member (Original Poster) | Registered: Dec 2004 | Location: IN, USA | Distribution: debian etch | Posts: 402
Maybe I'm wrong, but if postfix was denying the sender shouldn't I get a "relay access denied" in my logs. The error that I am getting is "bad destination mailbox address". This seems to indicate to me that the messages ARE being sent by postfix.
However, if someone was using my postfix for spamming I would expect to see thousands of emails going out. I am only seeing 5 - 20 per day. Of those, only a couple are valid and ALL the others get the "bad destination mailbox address" error. I'm confused 
06-18-2008, 05:36 PM | #5
Senior Member | Registered: Jun 2008 | Posts: 2,529
This output (from postfix-logwatch) shows:
- your server tried to SEND (via SMTP) to those 6 domains
- 6 messages were locally bounced
Do you have a content filter running?
Are you performing recipient validation?
I'd suspect these messages are messages your server accepted, but then could not deliver, and it tried to send a bounce, and the bounce could not be delivered because the domains are bogus.
Show the appropriate log lines to verify, and output from postconf -n.
06-18-2008, 09:13 PM | #6
Member (Original Poster) | Registered: Dec 2004 | Location: IN, USA | Distribution: debian etch | Posts: 402
This is one of the bounced messages from the log file:
Code:
Jun 16 16:52:35 develop postfix/qmgr[7288]: 1EB39427E: from=<polemicmb6@mediative.de>, size=7751, nrcpt=1 (queue active)
Jun 16 16:52:36 develop postfix/smtp[16334]: E6222428D: to=<polemicmb6@mediative.de>, relay=mail.insightbb.com[74.128.0.21]:25, delay=0.47, delays=0.01/0.02/0.22/0.22, dsn=2.0.0, status=sent (250 ok: Message 156249750 accepted)
Here is the output of postconf -n
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4h
home_mailbox = Maildir/
inet_interfaces = all
local_recipient_maps =
mailbox_size_limit = 0
mydestination = $mydomain, localhost.localdomain, localhost, mydomain.com
mydomain = mydomain.com
myhostname = mydomain.com
mynetworks = 127.0.0.0/8 192.168.1.0/24
myorigin = $mydomain
recipient_delimiter = +
relay_domains = $mydomain, localhost.localdomain, localhost, mydomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost = mail.insightbb.com
smtp_generic_maps = hash:/etc/postfix/rewrite
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_loglevel = 3
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access hash:/etc/postfix/client_access, reject_unauth_destination
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, permit
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/random
I have replaced my domain name with mydomain.com. My mail is relayed through my ISP (insightbb.com). The only people that should be sending mail on this server are myself and my Drupal sites.
06-18-2008, 09:36 PM | #7
Senior Member | Registered: Jun 2008 | Posts: 2,529
The log lines shown only indicate mail was successfully sent by your server to your ISP. There are no (local) bounces indicated here. Look for status=bounced and show the log lines relating to the queue IDs for the bounced messages.
I've been presuming that the 6 domains listed in the initial post are not your domains, and you are wondering why mail is being unexpectedly sent to those domains. If your users have not sent those messages, then either:
1) your server is an open relay
2) your server is accepting messages for unlisted users and then bouncing messages back to likely innocent servers (i.e. your server is a source of backscatter; this can get your server blacklisted).
There should be no "OK" values in your file /etc/postfix/client_access, as this can make you an open relay given your smtpd_recipient_restrictions.
06-19-2008, 09:37 PM | #8
Member (Original Poster) | Registered: Dec 2004 | Location: IN, USA | Distribution: debian etch | Posts: 402
Thanks for your help!
Quote:
Originally Posted by Mr. C.
There should be no "OK" values in your file /etc/postfix/client_access, as this can make you an open relay given your smtpd_recipient_restrictions.
Currently, I have only my own gmail address in my client_access. I'm not sure if this is a security risk. I don't completely understand the postfix documentation. Do you think I should delete this OK for my gmail?
Quote:
Originally Posted by Mr. C.
2) your server is accepting messages for unlisted users and then bouncing messages back to likely innocent servers (i.e. your server is a source of backscatter; this can get your server blacklisted).
I think you are right about this. It looks to me like someone is sending email to a non-existent username i_hate on my server with forged from addresses. Since all of the addresses are bogus and not actually going to any valid server, will this still get me blacklisted? Is there any way to stop my postfix from sending a bounce when it receives mail for a non-existent user?
Code:
Jun 19 11:25:40 develop postfix/bounce[24756]: 9F035427E: sender non-delivery notification: A0CB9428D
Jun 19 19:33:20 develop postfix/local[29949]: B255B427E: to=<i_hate@myserver.com>, relay=local, delay=1.1, delays=1/0.01/0/0.02, dsn=5.1.1, status=bounced (unknown user: "i_hate")
Jun 19 19:33:20 develop postfix/bounce[29951]: B255B427E: sender non-delivery notification: C288A428D
Jun 19 19:56:35 develop postfix/local[29996]: E72C3427E: to=<i_hate@myserver.com>, relay=local, delay=28, delays=28/0.01/0/0.02, dsn=5.1.1, status=bounced (unknown user: "i_hate")
I don't understand the purpose of this nonsense. If he is trying to get me blacklisted why not use valid from addresses?
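The check asked for in post #7 (find the status=bounced lines, then follow the queue IDs of the non-delivery notifications they spawn) can be scripted. The following is an added example written for this thread, not code from any of the posters: it parses Postfix log lines in the format shown in posts #6 and #8, links each locally bounced message to the queue ID of its non-delivery notification, and reports whether that notification was later delivered off the server (the backscatter case). The sample log is constructed: all lines except the smtp line for C288A428D are quoted from the thread, and that one line, with the address forged-sender@example.net, is an assumed continuation added to show a bounce leaving through the relayhost.

```python
import re
from collections import Counter

# Constructed sample log: lines from posts #6 and #8 plus one assumed smtp line
# (C288A428D to forged-sender@example.net) showing the bounce going out.
SAMPLE_LOG = """\
Jun 16 16:52:35 develop postfix/qmgr[7288]: 1EB39427E: from=<polemicmb6@mediative.de>, size=7751, nrcpt=1 (queue active)
Jun 19 11:25:40 develop postfix/bounce[24756]: 9F035427E: sender non-delivery notification: A0CB9428D
Jun 19 19:33:20 develop postfix/local[29949]: B255B427E: to=<i_hate@myserver.com>, relay=local, delay=1.1, delays=1/0.01/0/0.02, dsn=5.1.1, status=bounced (unknown user: "i_hate")
Jun 19 19:33:20 develop postfix/bounce[29951]: B255B427E: sender non-delivery notification: C288A428D
Jun 19 19:33:21 develop postfix/smtp[29953]: C288A428D: to=<forged-sender@example.net>, relay=mail.insightbb.com[74.128.0.21]:25, delay=0.5, delays=0.01/0.02/0.2/0.2, dsn=2.0.0, status=sent (250 ok: Message 1 accepted)
Jun 19 19:56:35 develop postfix/local[29996]: E72C3427E: to=<i_hate@myserver.com>, relay=local, delay=28, delays=28/0.01/0/0.02, dsn=5.1.1, status=bounced (unknown user: "i_hate")
"""

# syslog prefix, "postfix/<program>[pid]:", queue ID, then the rest of the record
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# delivery-status records written by local/smtp: to=<...> ... dsn=..., status=... (detail)
TO_RE = re.compile(
    r"to=<(?P<to>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
# bounce(8) record linking an original message to the queue ID of its notification
NDN_RE = re.compile(r"sender non-delivery notification: (?P<dsn_qid>[0-9A-F]+)")
UNKNOWN_RE = re.compile(r'unknown user: "([^"]+)"')


def analyze(log_text):
    """Return one row per locally bounced message:
    (orig_qid, rejected_recipient, bounce_detail, dsn_qid, dsn_delivered_to).
    dsn_qid is None if no notification was logged; dsn_delivered_to is None
    unless the notification itself reached status=sent."""
    bounced = {}    # original queue id -> (recipient, detail)
    dsn_of = {}     # original queue id -> queue id of its non-delivery notification
    delivered = {}  # queue id -> recipient it was handed to with status=sent
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        t = TO_RE.search(rest)
        if t:
            if t["status"] == "bounced":
                bounced[qid] = (t["to"], t["detail"])
            elif t["status"] == "sent":
                delivered[qid] = t["to"]
            continue
        n = NDN_RE.search(rest)
        if n:
            dsn_of[qid] = n["dsn_qid"]
    rows = []
    for qid, (rcpt, detail) in bounced.items():
        dsn_qid = dsn_of.get(qid)
        rows.append((qid, rcpt, detail, dsn_qid, delivered.get(dsn_qid)))
    return rows


def unknown_user_counts(rows):
    """How often each non-existent local user was targeted (dictionary-attack signal)."""
    counts = Counter()
    for _, _, detail, _, _ in rows:
        m = UNKNOWN_RE.search(detail)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def backscatter_rows(rows):
    """Bounces whose notification actually left the server for some (likely forged) sender."""
    return [r for r in rows if r[4] is not None]


if __name__ == "__main__":
    rows = analyze(SAMPLE_LOG)
    for r in rows:
        print(r)
    print("unknown users:", unknown_user_counts(rows))
    print("backscatter sent:", len(backscatter_rows(rows)))
```

Run it against a real mail.log (`analyze(open("/var/log/mail.log").read())`) to see which bounces became outbound backscatter; a bounce for which no smtp status=sent line exists was itself undeliverable, which is what the logwatch summary in post #1 ("Bounce (local) ... Bad destination mailbox address") counts.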
06-19-2008, 10:11 PM | #9
Senior Member | Registered: Jun 2008 | Posts: 2,529
An email address in your client_access file does not make sense. The check_client_access check tests the *client* hostname or IP address. Show the contents of the file if you are uncertain about how it is used. Again, if you have any OK in there, then your server is open for anyone to relay. The basic SMTP protocol provides no means for ensuring a connecting server provides accurate, truthful information.
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_client_access hash:/etc/postfix/client_access,
reject_unauth_destination
Move the check_client_access *after* the reject_unauth_destination.
Your goal is not to prevent bounces - your goal should be to a) close your system as an open relay, and b) not accept email for users that don't exist on your system.
Don't think that there is some single person out there trying to use your mail server. Rather, there are millions of owned machines that send to random, dictionary-based email addresses, to or through servers such as yours. Some messages bounce, some are accepted.
Last edited by Mr. C.; 06-19-2008 at 10:17 PM.
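The two configuration points raised in posts #7 and #9 (a check_client_access table evaluated before reject_unauth_destination can turn an OK entry into an open relay, and an empty local_recipient_maps makes the server accept and then bounce mail for unknown users) can be checked mechanically against `postconf -n` output. The following is an added example written for this thread, not code from any poster or from the Postfix project: it parses `name = value` lines, splits the restriction list, and flags both problems. The sample input copies the relevant lines from post #6; the "fixed" variant applies the reordering from post #9 and restores local_recipient_maps to the Postfix default value (`proxy:unix:passwd.byname $alias_maps`).

```python
# Constructed sample: the postconf -n lines from post #6 that matter for the
# open-relay and backscatter diagnosis.
SAMPLE_POSTCONF = """\
local_recipient_maps =
mydestination = $mydomain, localhost.localdomain, localhost, mydomain.com
mynetworks = 127.0.0.0/8 192.168.1.0/24
relay_domains = $mydomain, localhost.localdomain, localhost, mydomain.com
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access hash:/etc/postfix/client_access, reject_unauth_destination
"""

# The same parameters after the two fixes suggested in the thread:
# reject_unauth_destination moved ahead of check_client_access, and
# local_recipient_maps set back to Postfix's default (passwd + aliases).
FIXED_POSTCONF = SAMPLE_POSTCONF.replace(
    "check_client_access hash:/etc/postfix/client_access, reject_unauth_destination",
    "reject_unauth_destination, check_client_access hash:/etc/postfix/client_access",
).replace(
    "local_recipient_maps =\n",
    "local_recipient_maps = proxy:unix:passwd.byname $alias_maps\n",
)


def parse_postconf(text):
    """Parse 'name = value' lines (postconf -n / main.cf) into a dict.
    A line starting with whitespace continues the previous parameter's value."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def split_restrictions(value):
    """Split a restriction list into entries, keeping 'check_* table' pairs together."""
    tokens = value.replace(",", " ").split()
    entries, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        # check_client_access and similar take a lookup table as the next token
        if tok.startswith("check_") and i + 1 < len(tokens) and ":" in tokens[i + 1]:
            entries.append(tok + " " + tokens[i + 1])
            i += 2
        else:
            entries.append(tok)
            i += 1
    return entries


def audit(params):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    entries = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    names = [e.split()[0] for e in entries]

    if "reject_unauth_destination" not in names:
        findings.append("smtpd_recipient_restrictions has no reject_unauth_destination: open relay")
    else:
        guard = names.index("reject_unauth_destination")
        # A lookup-table check (or bare permit) evaluated before the relay guard
        # can return OK for a client and thereby allow relaying anywhere.
        for entry, name in zip(entries[:guard], names[:guard]):
            if name.startswith("check_") or name == "permit":
                findings.append(entry + " is evaluated before reject_unauth_destination: an OK result relays for that client")

    # An explicitly empty local_recipient_maps disables recipient validation:
    # mail for unknown local users is accepted, bounced locally, and the bounce
    # is sent to the (usually forged) envelope sender, i.e. backscatter.
    if params.get("local_recipient_maps", "<default>") == "":
        findings.append("local_recipient_maps is empty: unknown local users are accepted and then bounced (backscatter)")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_POSTCONF), ("after fixes", FIXED_POSTCONF)):
        print(label + ":")
        for finding in audit(parse_postconf(text)) or ["no findings"]:
            print("  - " + finding)
```

On a live system feed it the real output, e.g. `audit(parse_postconf(subprocess.check_output(["postconf", "-n"], text=True)))`. The ordering check is deliberately strict: permit_sasl_authenticated and permit_mynetworks before the guard are the intended exceptions, but any table lookup ahead of reject_unauth_destination means a single OK line decides relaying for that client.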
06-19-2008, 10:21 PM | #10
Senior Member | Registered: Jun 2008 | Posts: 2,529
Also, test your server at:
http://openrbl.org/
06-20-2008, 10:14 PM | #11
Member (Original Poster) | Registered: Dec 2004 | Location: IN, USA | Distribution: debian etch | Posts: 402
Thanks so much for your help! I will try your suggestions.