Sunday, May 07, 2006

Piggy-backing off SpeakEasy's mail rejector

I'm running Postfix with SpamAssassin and procmail on chef. The system works quite well. The amount of spam we see in our mailboxes has come down dramatically compared to a few months ago. I'm using SpeakEasy as the default relay to work around a deficiency in SpeakEasy's domain sender verification.

Patricia is forwarding her mail to a gmail account for easier and faster searching. SpeakEasy's sender domain checks are occasionally more stringent than what I use (and the spam checks on chef are performed on user delivery, not when I accept mail and forward it on to gmail.com). So I regularly end up with entries in my mail queue that are rejected by SpeakEasy (and I have softfail enabled).


-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
473825800 3908 Sat May 6 00:24:50 abcdf@0451.com
(host mail.speakeasy.net[69.17.117.59] said: 553 sorry, your mail was administratively denied. (#5.7.1) (in reply to MAIL FROM command))
_______@gmail.com

3EAED52BF 5611 Thu May 4 23:34:11 huneycu@alma.net
(host mail.speakeasy.net[69.17.117.59] said: 554 refused mailfrom because return MX does not exist (in reply to MAIL FROM command))
_______@gmail.com

60D3E53FF 3900 Sat May 6 00:22:11 dage3@0451.com
(host mail.speakeasy.net[69.17.117.59] said: 553 sorry, your mail was administratively denied. (#5.7.1) (in reply to MAIL FROM command))
_______@gmail.com

DC5E752C3 3303 Wed May 3 23:31:49 czj@0451.com
(host mail.speakeasy.net[69.17.117.59] said: 553 sorry, your mail was administratively denied. (#5.7.1) (in reply to MAIL FROM command))
_______@gmail.com

A579A537C 1538 Fri May 5 14:54:49 awawa@0451.com
(host mail.speakeasy.net[69.17.117.59] said: 553 sorry, your mail was administratively denied. (#5.7.1) (in reply to MAIL FROM command))
_______@gmail.com

-- 18 Kbytes in 5 Requests.


I added the following to /etc/postfix/main.cf:


# Continuation lines in main.cf must start with whitespace.
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_unverified_sender


The first test does a DNS lookup on the sender domain and makes sure that either an MX or an A record is returned. The second test actually tries to initiate sending an email to the sender ("email callout"). Since I'm smart hosting through SpeakEasy, I'm not actually hitting the destination mail server (and won't participate in e.g. joe-jobbing aol.com). Instead, this just asks SpeakEasy's mail server whether it would allow an email from that domain to go through later, when it gets forwarded to gmail.com after finally being accepted on chef.

Here's an example SMTP session with this feature enabled:


$ telnet mail.goodcoffee.net 25
Trying 216.27.180.215...
Connected to dsl027-180-215.sfo1.dsl.speakeasy.net (216.27.180.215).
Escape character is '^]'.
220 chef.goodcoffee.net ESMTP Postfix
MAIL FROM:
250 Ok
RCPT TO:
450 : Sender address rejected: undeliverable address:
host mail.speakeasy.net[69.17.117.59] said: 554 refused mailfrom because
return MX does not exist (in reply to MAIL FROM command)
quit
221 Bye
Connection closed by foreign host.


Note how chef responds with the error message from mail.speakeasy.net. The respective maillog entries nicely show how the verify(8) server is calling out to speakeasy.net while the incoming connection is still open.

Oh yes, the MX entry for alma.net is kinda amusing:


$ dig mx alma.net

; <<>> DiG 9.2.4 <<>> mx alma.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6518
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;alma.net. IN MX

;; ANSWER SECTION:
alma.net. 7200 IN MX 0 dev.null.

;; AUTHORITY SECTION:
alma.net. 7195 IN NS ns.buydomains.com.
alma.net. 7195 IN NS this-domain-for-sale.com.

;; ADDITIONAL SECTION:
ns.buydomains.com. 172795 IN A 208.254.3.177

;; Query time: 87 msec
;; SERVER: 192.168.200.1#53(192.168.200.1)
;; WHEN: Sun May 7 09:43:16 2006
;; MSG SIZE rcvd: 132
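To make the difference between the two checks concrete, here is an added example (my code, not the author's and not Postfix's) that implements the MX-or-A test from reject_unknown_sender_domain alongside the stricter "MX target must itself resolve" test that SpeakEasy's 554 implies, run against a constructed in-memory DNS table that mirrors the alma.net record above. The example.com and a-only.example entries, the table, and all function names are assumptions for illustration.

```python
"""Sender-domain checks modelled on the two tests discussed above.

reject_unknown_sender_domain only asks whether the sender domain has an MX
or an A record.  The relay additionally refused alma.net with "return MX
does not exist", i.e. the MX target itself must resolve.  Both checks are
implemented against a constructed DNS table so the example runs offline;
replace `lookup` with a real resolver to use it against live DNS.
"""

# Constructed DNS table (record type -> name -> values).  The alma.net entry
# mirrors the dig output on the page: MX 0 dev.null., and dev.null has no A.
FAKE_DNS = {
    "MX": {"alma.net.": ["dev.null."], "example.com.": ["mx.example.com."]},
    "A": {"mx.example.com.": ["192.0.2.25"], "a-only.example.": ["192.0.2.26"]},
}

def lookup(name, rtype):
    """Return the records of type `rtype` for `name` (empty list if none)."""
    return FAKE_DNS.get(rtype, {}).get(name.rstrip(".") + ".", [])

def sender_domain(address):
    """Domain part of an envelope sender (angle brackets allowed), or None."""
    local, sep, domain = address.strip("<>").rpartition("@")
    return domain.lower() if sep and local and domain else None

def unknown_sender_domain(domain):
    """Postfix-style test: True (reject) when there is neither MX nor A."""
    return not (lookup(domain, "MX") or lookup(domain, "A"))

def return_mx_missing(domain):
    """Stricter relay-style test: True when no MX target has an A record."""
    mx_hosts = lookup(domain, "MX")
    if not mx_hosts:
        return False  # no MX at all; the A-record fallback applies instead
    return not any(lookup(host, "A") for host in mx_hosts)

def check_sender(address):
    """Return (accept, reason) for an envelope sender address."""
    domain = sender_domain(address)
    if domain is None:
        return False, "malformed sender address"
    if unknown_sender_domain(domain):
        return False, "Domain not found (reject_unknown_sender_domain)"
    if return_mx_missing(domain):
        return False, "refused mailfrom because return MX does not exist"
    return True, "Ok"
```

With this table, huneycu@alma.net passes the Postfix test (an MX exists) but fails the stricter one, which is exactly the split seen in the mail queue above.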



(Of course, I could just disable the softfail feature of postfix and the annoying entries in my mail queue would go away, but that wouldn't be so interesting...)

Update:
So, that ended up being a really stupid idea. Apparently, the mail check on SpeakEasy's server failed 95% of the time and all legit mail was blocked (amusingly, spam still got through...). I took this out again. Doesn't seem to work the way I expected.
