----- Original Message -----
> From: "Victor Duchovni" <victor.ducho...@morganstanley.com>
> To: "Wiebe Cazemier" <wi...@halfgaar.net>
> Cc: postfix-users@postfix.org
> Sent: Friday, 10 June, 2011 5:04:09 PM
> Subject: Re: unverified_recipient_tempfail_action = permit
>
> On Fri, Jun 10, 2011 at 05:00:16PM +0200, Wiebe Cazemier wrote:
>
> > ----- Original Message -----
> > > From: "Wietse Venema" <wie...@porcupine.org>
> > > To: "Wiebe Cazemier" <wi...@halfgaar.net>
> > > Cc: postfix-users@postfix.org
> > > Sent: Friday, 10 June, 2011 2:50:34 PM
> > > Subject: Re: unverified_recipient_tempfail_action = permit
> > >
> > > Wiebe Cazemier:
> > > > - The server is backup MX for mail hosts that I don't know anything about.
> > >
> > > In that case, the backup MX needs to ask the primary MX if the
> > > recipient is valid. Otherwise, you become a backscatter source.
> > >
> > > Wietse
> > >
> >
> > But how can it do that when the primary server is down and while
> > not deferring the incoming request?
>
> It can't. Never before seen recipients will be deferred, recipients
> validated while the primary MX was up and cached (for 7-14 days) will
> however be accepted. This is good enough, and the best you can do
> without getting a recipient feed from the primary MX host.
>

Not considering spam, a backup MX cannot know any user on the primary MX, ever, because the only time it will try to verify the recipient address is when the primary is down. Otherwise mail won't be sent to it. And even with spam, then it can happen that the primary will go down 1 minute after or before the cache expires and it will have forgotten about the verified recipient. That's why I was asking if it wouldn't be a good idea to have 'permit' be a viable option for unverified_recipient_tempfail_action. That way, you will not create spam-induced backscatter 99% of the time and still function as a proper backup MX.
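
Added example, not part of the original message or of any poster's configuration: a main.cf sketch for the backup MX setup discussed in this thread, with recipient verification, a persistent cache and the tempfail action left at deferring. The domain and all time values are assumptions chosen for illustration; tune them for your site.

```ini
# /etc/postfix/main.cf on the backup MX (illustrative fragment)

# Domains this host relays for as backup MX (placeholder domain).
relay_domains = example.org

# Probe the recipient before accepting mail for a relayed domain.
# For a relay domain the probe is routed like ordinary mail,
# i.e. towards the primary MX.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Keep verification results on disk so they survive a restart.
address_verify_map = btree:$data_directory/verify_cache

# Positive results: how long a validated recipient stays accepted
# while the primary is unreachable, and after what age a lookup
# triggers a fresh probe. A longer expire time narrows the window
# in which a known-good recipient has been forgotten.
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d

# Negative results: keep these shorter so a newly created mailbox
# on the primary is not refused for long.
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h

# Probe could not complete (primary down, recipient not cached):
# answer with a temporary failure so the sending server retries,
# instead of accepting mail that may later bounce as backscatter.
unverified_recipient_tempfail_action = defer_if_permit
unverified_recipient_defer_code = 450
```

After `postfix reload`, `postconf -n | grep -E 'verify|unverified'` shows which of these settings are in effect.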