
Preventing Backscatter from relay SMTP servers
The following article is based on Debian SMTP relay servers running Postfix, Amavis and SpamAssassin, with a Zimbra server as the final destination of the emails.
Several ways exist to stop backscatter, i.e. non-delivery reports (NDRs) sent to forged sender addresses.
One way is to have the front-end MTAs run the Amavis and SpamAssassin filters BEFORE the message enters the Postfix delivery queue. This way the incoming SMTP session is kept open while the message is scanned, and a message that would otherwise be bounced is simply rejected within that session. Producing the NDR is then the problem of the sending SMTP server, not ours. The reference document for Postfix before-queue processing is: http://www.postfix.org/SMTPD_PROXY_README.html
This method is effective but, as that page points out, resource heavy. SMTP sessions have to be kept open longer than usual and, depending on the CPU and memory of the server, the number of simultaneous smtpd processes also has to be reduced. If a large number of messages arrive at once the server can get extremely busy, and incoming SMTP connections may time out, causing delivery failures for genuine emails.
The following two solutions were investigated instead and are the ones encouraged here:
1 – Emails passing through the relay MTAs go through the Amavis and SpamAssassin checks after queueing. Postfix receives an email and passes it to the local amavisd process, which performs the anti-virus and SpamAssassin checks and either re-injects it into the Postfix queue for final delivery or quarantines it. The Amavis configuration lets us decide how to treat the "culprit" emails, i.e. emails that are virus infected, carry banned attachments, are classified as spam or have bad headers. The following changes were made to
/etc/amavis/conf.d/20-debian_defaults
(on a Debian based install)
The following settings are always present in the default config file, but with the banned and spam destiny set to D_BOUNCE or D_REJECT, both of which end with Postfix generating an NDR (with post-queue filtering the message has already been accepted, so a reject from Amavis can only become a bounce). Changing them to D_DISCARD means such messages are quarantined and nothing is returned to the sender. This is what we want: no NDRs, hence no backscatter. There will be cases where a legitimate sender would have preferred to receive one, but 99% of the time the sender address is forged by spam.
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_PASS;
We DO want NDRs for our own users, so that if someone in our domain sends such an email and it is intercepted by our relay MTA, the sender is notified. For this we add the following MYNETS policy bank to the Amavis config file. Amavis loads MYNETS automatically for mail arriving from a client IP in its @mynetworks, i.e. our internal hosts (provided the Postfix transport that hands mail to amavisd forwards the client address with smtp_send_xforward_command=yes). The bypass maps are matched against the recipient address, so internal mail addressed to ourdomain.net (replace with your domain) is not even scanned, while internal mail to anyone else is set to D_BOUNCE, so our own users get an NDR when their email is intercepted and quarantined.
$policy_bank{'MYNETS'} = {   # loaded for mail from client IPs in @mynetworks
    bypass_spam_checks_maps => [[qw( .ourdomain.net )]],     # recipients in our domain: skip spam checks
    bypass_banned_checks_maps => [[qw( .ourdomain.net )]],   # recipients in our domain: skip banned checks
    final_spam_destiny => D_BOUNCE,     # anything else intercepted: notify our own sender
    final_virus_destiny => D_BOUNCE,
    final_banned_destiny => D_BOUNCE,
};
2 – A lot of NDRs can actually be generated by Zimbra, because the relay MTA silently accepts all incoming emails and, if they pass Amavis and SpamAssassin, hands them to the Zimbra server. If an email is addressed to a non-existent recipient, Zimbra generates the NDR. Spammers sometimes send emails to dictionary-generated recipients at a domain, so the forged sender address receives all the NDRs and the relay MTAs end up regarded as backscatterers.
Either a generic LDAP directory or the Zimbra LDAP can be used to verify recipients. Three files were created in /etc/postfix/ on the relay MTA with the following names:
ldap.cf
ldap_zcs_nontls.cf
ldap_zcs_tls.cf
As the Zimbra server usually uses TLS with certificates for LDAP, both variants were created. In fact the non-TLS method does not work if TLS is enabled on Zimbra.
The files contain the following:
ldap.cf
bind = yes
server_host = ldap://our.domain.com
search_base = cn=users,dc=our,dc=domain,dc=com
query_filter = (mail=%s)
result_attribute = uid
ldap_zcs_nontls.cf
server_host = ldap://zimbra.domain.com:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailAlias
version = 3
ldap_cache = yes
ldap_cache_expiry = 600
ldap_cache_size = 64256
bind = no
timeout = 30
ldap_zcs_tls.cf
server_host = ldap://zimbra.domain.com:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
version = 3
start_tls = yes
tls_ca_cert_dir = /etc/postfix/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = *********
timeout = 30
The query_filter and result_attribute differ between the non-TLS and TLS files but could be the same. These values are (or should be) derived from the following files in /opt/zimbra/conf on your Zimbra server:
ldap_scm.cf
ldap_transport.cf
ldap_vad.cf
ldap_vam.cf
ldap_vmd.cf
ldap_vmm.cf
NOTE: verify, and modify if required, these settings against the Zimbra files after every Zimbra server upgrade.
Additionally you need to create a directory "ca" in /etc/postfix on your relay MTA (the TLS file above reflects that path) and copy the contents of /opt/zimbra/conf/ca into it. This provides the CA certificate files needed to establish the TLS LDAP connection from the relay MTA to the Zimbra LDAP. Note that tls_ca_cert_dir only tells Postfix where the CAs are; unless tls_require_cert = yes is also set in the table file, the Zimbra server's certificate is not actually verified and the connection is merely encrypted.
In the main.cf file in /etc/postfix on your relay MTA enter the config line for relay recipient lookup via LDAP (the commented alternatives show the other two files):
#relay_recipient_maps = proxy:ldap:/etc/postfix/ldap.cf
#relay_recipient_maps = ldap:/etc/postfix/ldap_zcs_nontls.cf
relay_recipient_maps = ldap:/etc/postfix/ldap_zcs_tls.cf
It is preferable to query the Zimbra LDAP as this returns aliases as well as distribution lists (for which you can in fact create another lookup and entry in main.cf to deny deliveries from external MTAs). A query against a generic LDAP directory will not return the aliases unless they exist as entries there. Note also that relay_recipient_maps is only consulted for domains listed in relay_domains.
You should also check for the following line in main.cf in /etc/postfix on your relay MTA:
smtpd_recipient_restrictions =
    ....
    reject_unverified_recipient,
    ....
and if it is present, comment it out! It causes SMTP callouts on port 25 to the forwarding server to verify recipients, and in this setup that server always returns 250 (success) at RCPT time, which is wrong for a non-existent recipient: the callout passes, the message is accepted, and the NDR is generated downstream anyway.
Also check that SMTP callouts are not being sent to verify senders. Sender address verification is done by reject_unverified_sender; if the following is present, comment it out, as these probes are also regarded as abuse by the backscatterer lists.
smtpd_sender_restrictions =
    ....
    reject_unverified_sender
    ....
Normally smtpd_helo_restrictions, smtpd_sender_restrictions and smtpd_recipient_restrictions look like below. Two things to be aware of: permit_sasl_authenticated is listed after reject_unauth_destination, so SASL-authenticated clients cannot relay to external domains through this entry (move it before reject_unauth_destination if this MTA also accepts authenticated submission), and sbl-xbl.spamhaus.org is already contained in zen.spamhaus.org, so the second lookup is redundant.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unknown_hostname,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    permit
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
smtpd_delay_reject = no
allow_untrusted_routing = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unauth_pipelining,
#   reject_unverified_recipient,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
#   check_sender_access dbm:/etc/postfix/check_backscatterer
    check_recipient_access hash:/etc/postfix/recipient_access,
#   reject_rbl_client list.dsbl.org,
#   reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
#   reject_rbl_client bl.spamcop.net,
#   reject_rbl_client list.dsbl.org,
#   reject_rbl_client no-more-funn.moensted.dk,
#   check_policy_service inet:127.0.0.1:2501,
    permit
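The following script is an added example and not code from the original article or from Postfix. It covers the two pieces discussed above: the LDAP recipient lookup file and the smtpd restriction lists. Since main.cf and Postfix LDAP table files share one syntax, one parser serves both. render_query_filter shows the filter Postfix would send for a given recipient, including the RFC 4515 escaping Postfix applies to %s, %u and %d (without that escaping a RCPT TO of *@domain would match every account in the directory). audit_backscatter flags the callout restrictions, an empty relay_recipient_maps, and a permit_sasl_authenticated placed after reject_unauth_destination. The two sample configurations are constructed for this example; the hostnames and bind DN are the placeholders used in the article.

```python
"""Added example (not from the original article): parse Postfix config files,
render the LDAP recipient filter with proper escaping, and audit the smtpd
restriction lists for the settings that cause backscatter.  Sample configs
below are constructed for this example."""

import re

def parse_postfix_cf(text):
    """Parse main.cf-style text: 'key = value', '#' comment lines, and
    continuation lines that start with whitespace (same syntax as LDAP tables)."""
    cfg, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key is not None:      # continuation of previous key
            cfg[key] += " " + line.strip()
            continue
        key, _, value = line.partition("=")           # split on the first '=' only
        key = key.strip()
        cfg[key] = value.strip()
    return cfg

_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def ldap_filter_escape(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def render_query_filter(template, address):
    """Expand %s (whole address), %u (local part), %d (domain) and %% the way
    Postfix does, escaping each substituted value."""
    local, _, domain = address.partition("@")
    subst = {"s": ldap_filter_escape(address), "u": ldap_filter_escape(local),
             "d": ldap_filter_escape(domain), "%": "%"}
    return re.sub(r"%([sud%])", lambda m: subst[m.group(1)], template)

def split_restrictions(value):
    """Restriction lists are comma and/or whitespace separated; an argument
    such as an RBL name becomes its own token, which does not matter here."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

def audit_backscatter(cfg):
    """Return a list of findings (empty when nothing looks wrong)."""
    findings = []
    if not cfg.get("relay_recipient_maps"):
        findings.append("relay_recipient_maps is empty: unknown recipients are "
                        "accepted here and bounced by the destination server")
    for param in ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                  "smtpd_sender_restrictions", "smtpd_recipient_restrictions"):
        items = split_restrictions(cfg.get(param, ""))
        for probe in ("reject_unverified_recipient", "reject_unverified_sender"):
            if probe in items:
                findings.append(f"{param}: {probe} performs SMTP callouts; comment it out")
        if ("permit_sasl_authenticated" in items and "reject_unauth_destination" in items
                and items.index("permit_sasl_authenticated") > items.index("reject_unauth_destination")):
            findings.append(f"{param}: permit_sasl_authenticated comes after "
                            "reject_unauth_destination; authenticated clients cannot relay out")
    return findings

SAMPLE_MAIN_CF = """\
# constructed sample: the article's recipient restrictions with the callouts enabled
relay_domains = ourdomain.net
relay_recipient_maps = ldap:/etc/postfix/ldap_zcs_tls.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unverified_recipient,
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_sender_restrictions = permit_mynetworks, reject_unverified_sender, permit
"""

SAMPLE_LDAP_CF = """\
# constructed sample: the same lookup as the article's ldap_zcs_tls.cf
server_host = ldap://zimbra.domain.com:389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
"""

if __name__ == "__main__":
    for finding in audit_backscatter(parse_postfix_cf(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
    tmpl = parse_postfix_cf(SAMPLE_LDAP_CF)["query_filter"]
    for rcpt in ("alice@ourdomain.net", "*@ourdomain.net"):
        print(rcpt, "->", render_query_filter(tmpl, rcpt))
```

Run it against your real files with parse_postfix_cf(open("/etc/postfix/main.cf").read()); the parser deliberately ignores Postfix features the audit does not need, such as $variable expansion, so treat its output as a checklist rather than a full configuration parser.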
IMPORTANT NOTE
First of all you should install the postfix-ldap package, so that Postfix has LDAP support when verifying relay recipients.
Additionally, Debian-based Postfix (the issue is fixed in Ubuntu Hardy) has a bug that kills the postfix process when a relay recipient is verified via a TLS LDAP query. The reason is that Debian runs smtpd chrooted in /var/spool/postfix, where the random devices the TLS library needs do not exist. The current workaround (see https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/81242) is to create, if it does not already exist, a directory called dev under /var/spool/postfix and copy the random and urandom device nodes from /dev into it. The following commands, run as root, achieve that:
mkdir /var/spool/postfix/dev
cp -a /dev/random /dev/urandom /var/spool/postfix/dev
That is it. Restart Postfix; from now on incoming emails have their recipients verified via TLS LDAP queries to the Zimbra server, and Amavis does not return NDRs for emails from external senders that are considered spam, virus infected or carrying banned attachments. This should keep your relay MTA off the backscatterer blacklists. (An alternative to the device-node copy is to do the lookup as proxy:ldap:/etc/postfix/ldap_zcs_tls.cf, which moves the LDAP connection into the proxymap daemon, not chrooted in Debian's master.cf, and is in any case the form the Postfix documentation recommends for lookups from smtpd.)