On Mon, Jul 31, 2017 at 09:16:46AM +0200, Tomas Macek wrote:

> Hello, our system is sometimes under attack of spammers using
> "NOTIFY=SUCCESS" param in "rcpt to: " header. And because of a random From
> address, the DSN message obviously goes to a nonexistent server or user.
>
> I've read the "Restricting the scope of "success" notifications" topic at
> http://www.postfix.org/DSN_README.html#scope and I'd like to ask you about
> some details:
>
> 1) if I turn off the DSN for the networks outside of $mynetwork, do I
> understand it well, that we will not send them (to the outside world) any
> more DSNs with "user over quota" or "access denied"?

Turning off "DSN" in the server EHLO response will disable *non-failure* DSN notices. Bounces will continue to be sent as is normal and expected.

I strongly recommend turning off DSN at the edge of your network, exposing DSN support only to your internal clients, and ignoring any DSN support by external servers. That way your MTA sends DSN success only to your users, and success notices for remote inbound mail are sent by the remote MTA to its own users. Your users are notified of success once mail is accepted by the remote system. Further delegation of notification responsibility is not IMHO a good idea.

--
    Viktor.
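
A configuration sketch of the edge restriction discussed above, following the approach in the DSN_README "scope" section the question links to. This is an added example, not part of the original message; the table path and the 192.168.0.0/24 internal network are placeholder assumptions to replace with your own values.

```conf
# --- /etc/postfix/main.cf ---
# Choose which EHLO keywords to withhold based on the client address.
smtpd_discard_ehlo_keyword_address_maps =
    cidr:/etc/postfix/esmtp_access

# --- /etc/postfix/esmtp_access (placeholder path) ---
# CIDR tables are searched top to bottom and the first match wins,
# so the internal network must come before the catch-all entries.
#
# Internal clients (placeholder range): discard nothing, DSN stays
# announced. "silent-discard" only suppresses logging of the action.
192.168.0.0/24      silent-discard
# Everyone else, IPv4 and IPv6: remove DSN from the EHLO response, so
# NOTIFY=SUCCESS requests from outside are not offered or honored.
0.0.0.0/0           silent-discard, dsn
::/0                silent-discard, dsn
```

After `postfix reload`, an EHLO from an external address should no longer list the DSN keyword, while clients in the internal range still see it. Bounces for failed deliveries are unaffected by this setting.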