Stopping backscatter with D_REJECT

Todd D. Taft taft at unclet.net
Mon Apr 17 19:50:54 CEST 2017


As stated in the original message, I have amavisd-new as a pre-queue 
filter, but it's not working all of the time, so I'm still generating 
backscatter.

> I've got amavisd-new set up to run as a pre-queue test in the 
> postfix's master.cf:
> smtp      inet  n       -       n       -       -       smtpd
>  -o smtpd_sasl_auth_enable=yes
>  -o receive_override_options=no_address_mappings
>  -o content_filter=smtp-amavis:127.0.0.1:10024
>  -o smtpd_tls_security_level=may
> smtp-amavis  unix  -    -       y       -       2 smtp
>  -o smtp_data_done_timeout=1200
>  -o disable_dns_lookups=yes
>  -o smtp_send_xforward_command=yes 
> In my amavisd.conf, I've got it set to reject everything bad:
> $final_virus_destiny = D_REJECT;
> $final_banned_destiny     = D_REJECT;
> $final_spam_destiny = D_REJECT;
> $final_bad_header_destiny = D_REJECT; 

Most, but not all of the time, the message will either get passed 
through, or it will get rejected and remain the sending MTA's problem.  
However, there are some times with the current configuration where 
neither of these things happens and my local system generates a 
backscatter message.  That's what I'm trying to avoid.

--Todd


On 4/17/17 12:06 PM, Michael Orlitzky wrote:
> On 04/17/2017 09:00 AM, Todd D. Taft wrote:
>> I was hoping to avoid dropping messages on the floor for well-behaved
>> servers.  While it's rare, I have found the occasional ham that gets
>> marked as spam.  With D_REJECT, at least the sender gets a notification
>> that the message didn't go through.
>
> You can put amavisd-new in front of postfix, acting as a proxy:
>
>   http://www.postfix.org/SMTPD_PROXY_README.html
>
> In particular, the pros and cons of that approach are listed here:
>
>   http://www.postfix.org/SMTPD_PROXY_README.html#pros_cons
>
> Doing so lets you reject spam immediately, but the trade-off is that 
> it requires more resources because you can't just queue up messages 
> for later scanning.
>
> (This is "not supported" by amavis, but works just fine.)
>

-- 
Todd D. Taft
taft at unclet.net
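
An added example, not part of the thread or of either project: a small check that reads master.cf and amavisd.conf text and reports which smtpd services hand mail to the filter with content_filter (Postfix's after-queue mechanism, per FILTER_README) rather than smtpd_proxy_filter (the before-queue mechanism in the SMTPD_PROXY_README linked above) while a D_REJECT destiny is active. The function names and sample inputs are constructed for illustration; it assumes plain "-o name=value" overrides and does not inspect main.cf.

```python
import re

# Constructed sample input, modelled on the configuration quoted in the thread.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=smtp-amavis:127.0.0.1:10024
submission inet n       -       n       -       -       smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
smtp-amavis  unix  -    -       y       -       2 smtp
  -o smtp_send_xforward_command=yes
"""
AMAVISD_CONF = """\
$final_virus_destiny = D_REJECT;
$final_spam_destiny = D_DISCARD;
# $final_banned_destiny = D_REJECT;
"""

def smtpd_filter_modes(master_cf):
    """Map each smtpd service ("name/type") to the filter modes its -o overrides enable."""
    modes, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # new service entry
            f = line.split()
            is_smtpd = len(f) >= 8 and f[7] == "smtpd"
            current = f"{f[0]}/{f[1]}" if is_smtpd else None
            if current:
                modes[current] = set()
        elif current:                             # continuation line with -o overrides
            for name, value in re.findall(r"-o\s+(\w+)=(\S*)", line):
                if not value:                     # "-o content_filter=" switches it off
                    continue
                if name == "content_filter":
                    modes[current].add("after-queue")
                elif name == "smtpd_proxy_filter":
                    modes[current].add("before-queue")
    return modes

def reject_destinies(amavisd_conf):
    """Names of uncommented $final_*_destiny settings that are D_REJECT."""
    return re.findall(r"^\s*\$(final_\w+_destiny)\s*=\s*D_REJECT\s*;", amavisd_conf, re.M)

def backscatter_risks(master_cf, amavisd_conf):
    """smtpd services where a D_REJECT verdict arrives only after Postfix queued the mail."""
    rejecting = reject_destinies(amavisd_conf)
    return sorted(s for s, m in smtpd_filter_modes(master_cf).items()
                  if "after-queue" in m and rejecting)
```

A service listed by backscatter_risks has already accepted the message from the remote client by the time the filter's rejection arrives, so the resulting non-delivery notice is generated locally.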


