After getting hit with a number of dictionary attacks on our websites and
experienced the server load and queue jump to extraordinary levels we
decided to do a little testing to find out how chk_user works and the best
setting for the vpopmail catch-all.
Assuming you have compiled qmail with the chk_user option it turns out that
mis-addressed email is only rejected at the SMTP entry when you have the
catch-all set to 'bounce'. If you have the catch-all set to 'delete' the
dictionary attack spam is accepted into the queue and then deleted later
when the mail is delivered to the domain.
Therefore, we concluded that 'catch-all bounce' is the best setting.
We determined the above by executing telnet sessions to port 25 of the
mailserver. Only with catch-all set to bounce did chk_user reject the
delivery during the SMTP conversation.
Best Regards,
Jeff Koch
