Our mail system has many addresses which we accept and forward to our users' addresses on other systems (ie, domain.com is a virtual alias domain, and we forward [EMAIL PROTECTED] to [EMAIL PROTECTED], or whatever).
We use both reject_unverified_sender and reject_unverified_recipient to check that the envelope from/to addressed are valid, so we never generate the "obvious" backscatter where you're an naive MX that accepts mail for a bogus addresses at the final destination, and then generate bounces when the recipient turns out to be invalid. However, we're now finding that more and more of our users' final mail destinations are applying SMTP-time spam filtering, so actually reject the message we're trying to forward due to it's contents. Because we've already queued the mail, we then end up generating bogus bounce messages to the original (obviously forged) senders. We're now starting to get people reporting us to the likes of SpamCop for originating backscatter, but in this case I really don't know how we can avoid it. I've considered things like (in order of preference): * forwarding the mail whilst the original sender is connected, and returning any errors to them, so never spooling the mail * never actually generating and sending bounce /mails/ except to local users/destinations (who are using us as their smarthost), because we never accept mail for invalid destinations in any other circumstances * sending the bounces for the user's forwarders to the user's local mailbox, rather than the original sender Unfortunately I don't really know how to do any of them with postfix. I did have a vague idea of doing some address re-writing, and then pretending that the remote MX is a content_filter, but this absolutely terrifies me. Does anyone have any better ideas? Obviously we can look at deploying our own SMTP-time spam rejection with content_filter, but that seems to a) pass the problem on to anyone who's trying to forward mail to us, b) not solve the real issue which is that we can never have /exactly/ the same definition spam as the systems we're forwarding to. Thanks, Rob -- Robert McQueen Bluelinux Internet Services Ltd.
