Univention Bugzilla – Bug 51343
Possibility to configure a bounce of deactivated users
Last modified: 2020-11-20 10:50:45 CET
A customer asks for a configuration option that makes Postfix check, when accepting mail, whether the recipient user is deactivated. The customer wants to reject the mail in this case. It might be useful to keep the action configurable as well: forwarding would be an alternative to a bounce for other customers. From my point of view the implementation of this feature request (https://forge.univention.org/bugzilla/show_bug.cgi?id=44359) is also a very good alternative in this context.
A simple way to implement this would be by extending `smtpd_recipient_restrictions` with `check_recipient_access hash:/etc/postfix/denied_recipients` in `main.cf`. This file could then have a structure as follows:

```
user@domain.com REJECT <optional message>
```
I tried this, and it worked:

/etc/postfix/main.cf:
```
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, check_recipient_access hash:/etc/postfix/denied_recipients, check_policy_service inet:127.0.0.1:12340
```

/etc/postfix/denied_recipients:
```
test007@uni.dtr REJECT The optional message to the user.
```

```
$ postmap /etc/postfix/denied_recipients
$ service postfix restart
```

From my notebook:
```
$ swaks --to testgr01@uni.dtr --server 10.200.3.11
=== Trying 10.200.3.11:25...
=== Connected to 10.200.3.11.
<-  220 m11.uni.dtr ESMTP Postfix
 -> EHLO sommar
<-  250-m11.uni.dtr
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> MAIL FROM:<dtroeder@sommar>
<-  250 2.1.0 Ok
 -> RCPT TO:<test007@uni.dtr>
<** 554 5.7.1 <test007@uni.dtr>: Recipient address rejected: The optional message to the user.
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.
```

This does not work for group addresses where the user is part of the group. Mails to the group's address still go through and the user receives the message in its inbox. But that's not the scope of this bug. The good thing is that this doesn't produce a bounce, but a reject during the SMTP dialogue.
To reject all direct mails for a user, all its mailPrimaryAddress and mailAlternativeAddress(es) must be listed in the file.
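The following is an added example, not code from the bug report or from UCS: it builds the `denied_recipients` access map from every address of a deactivated user (mailPrimaryAddress plus all mailAlternativeAddress values) and simulates the lookup order that access(5) documents for `check_recipient_access` (full address, then domain, then `user@`), so that one can check offline that no spelling or case variant of a listed address slips through. The user records are constructed; in a real deployment they would be read from LDAP.

```python
"""Generate and check a Postfix check_recipient_access map for deactivated users.

Added example (not part of the bug report or of UCS). The records below are
constructed sample data; attribute names follow the UCS schema named in the
bug, the values are made up.
"""

DEACTIVATED_USERS = [
    {"uid": "test007",
     "mailPrimaryAddress": "test007@uni.dtr",
     "mailAlternativeAddress": ["Test.007@uni.dtr", "t007@alias.uni.dtr"]},
    {"uid": "user2m",
     "mailPrimaryAddress": "user2m@uni.dtr",
     "mailAlternativeAddress": []},
]

# Action text written after the key; the message part is optional in access(5).
REJECT_TEXT = "REJECT Mailbox is deactivated"


def addresses_of(user):
    """Every address that must be listed so that no direct mail reaches the user.

    Postfix folds lookup keys of hash: tables to lower case, so the map is
    generated in lower case as well to avoid duplicates differing only in case.
    """
    addrs = [user["mailPrimaryAddress"]] + list(user.get("mailAlternativeAddress", []))
    return sorted({a.strip().lower() for a in addrs if a and a.strip()})


def render_access_map(users, reject_text=REJECT_TEXT):
    """Return the text of /etc/postfix/denied_recipients (run postmap on it afterwards)."""
    lines = ["# generated file - run: postmap /etc/postfix/denied_recipients"]
    for user in users:
        for addr in addresses_of(user):
            lines.append(f"{addr} {reject_text}")
    return "\n".join(lines) + "\n"


def parse_access_map(text):
    """Parse access-map text into {key: action}; comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, action = line.partition(" ")
        table[key.lower()] = action.strip()
    return table


def lookup_recipient(table, rcpt):
    """Simulate the key order access(5) uses for an address lookup:
    user@domain, then the domain, then user@ (all-domains match).
    Returns the action text or None when the recipient is not listed.
    """
    rcpt = rcpt.strip().lower()
    local, _, domain = rcpt.partition("@")
    candidates = [rcpt]
    if domain:
        candidates += [domain, local + "@"]
    for key in candidates:
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    rendered = render_access_map(DEACTIVATED_USERS)
    print(rendered)
    table = parse_access_map(rendered)
    for rcpt in ("Test007@UNI.dtr", "t007@alias.uni.dtr", "user1m@uni.dtr"):
        print(rcpt, "->", lookup_recipient(table, rcpt))
```

The generated file still has to be compiled with `postmap` and Postfix reloaded, as in the comment above; the simulation only covers the hash: table, not the policy service or LDAP tables that run in the same restriction list.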
When adding `(!(krb5KDCFlags=254))(!(shadowExpire=1))` to the "query_filter" in /etc/postfix/ldap.virtual_mailbox and /etc/postfix/ldap.virtual, Postfix will not accept emails for deactivated users in TO/CC anymore, as they are unknown:

```
550 5.1.1 <user2m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table
```

It will still accept emails for groups containing those users, but when the group is resolved into individual emails, Postfix will reject the deactivated users as unknown and create a bounce email to the sender. Unfortunately that email will reveal all members of the group:

(Content partially sanitized of private data, complete message will be attached as private attachment.)

```
Subject: Delivery status notification, MTA-BLOCKED
From: amavisd-new <postmaster@m11.uni.dtr>
To: <sender>

Your message WAS SUCCESSFULLY RELAYED to:
  <user1m@uni.dtr>
  <user3m@uni.dtr>
  <user5m@uni.dtr>

The message WAS NOT relayed to:
  <user2m@uni.dtr>:
    [[127.0.0.1]:10025] said: 550 5.1.1 id=14011-04 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 550 5.1.1 <user2m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table
  <user4m@uni.dtr>:
    [[127.0.0.1]:10025] said: 550 5.1.1 id=14011-04 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 550 5.1.1 <user4m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table

This delivery report was generated by the program amavisd-new at host m11.uni.dtr.
Our internal reference code for your message is 14011-04/fmMEw3nUIaeu

Return-Path: <sender>
From: sender
Message-ID: <20200917163052.1805629@sommar>
Subject: test
Thu, 17 Sep 2020 16:30:52 +0200

---- ---- Attachment: dsn_status.dsn
...
Diagnostic-Code: smtp; 550 5.1.1 <user2m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table
Diagnostic-Code: smtp; 550 5.1.1 <user4m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table
...
```

So now the sender knows all 5 users of that group:

- active: user1m@uni.dtr, user3m@uni.dtr and user5m@uni.dtr
- deactivated: user2m@uni.dtr and user4m@uni.dtr

IMHO that is a severe privacy problem.
The message above was generated by Amavis. Its template can be edited (see /etc/amavis/en_US/template-dsn.txt).
To also catch users deactivated by an expiry date, the LDAP query would have to be adjusted each day. It would have to contain something like this:

```
(!(|(sambaKickoffTime<TODAY)(krb5ValidEnd<TODAY)(shadowExpire<TODAY)))
```
(In reply to Daniel Tröder from comment #8)
> To also catch users deactivated by an expiry date, the LDAP query would have
> to be adjusted each day. It would have to contain something like this:
>
> (!(|(sambaKickoffTime<TODAY)(krb5ValidEnd<TODAY)(shadowExpire<TODAY)))

A simple solution could be a cron job that commits the postfix config files with LDAP search filters each night shortly after midnight.
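As an added example (not UCS code and not from this bug), the following script is what such a nightly cron job could call to produce the date-dependent `query_filter`. It assumes the attribute encodings of the underlying schemas: `sambaKickoffTime` as Unix epoch seconds (0 treated as "never"), `krb5ValidEnd` as LDAP generalized time (`YYYYMMDDHHMMSSZ`), and `shadowExpire` as days since 1970-01-01. Because LDAP filters only offer `<=` and `>=`, the `< TODAY` of the comment above becomes `<= now`. The base filter with `%s` placeholders is a placeholder assumption, not the real content of /etc/postfix/ldap.virtual_mailbox.

```python
"""Build the date-dependent query_filter for Postfix ldap: tables.

Added example, not UCS code. Assumptions (not stated in the bug):
- sambaKickoffTime holds Unix epoch seconds; 0 or absent means "no kickoff",
- krb5ValidEnd holds LDAP generalized time (YYYYMMDDHHMMSSZ),
- shadowExpire holds days since 1970-01-01 (shadowExpire=1 marks a
  deactivated account, as in the static filter quoted in the bug),
- the attributes have ordering matching rules so that <= works.
Meant to be run nightly from cron, rewriting /etc/postfix/ldap.virtual_mailbox
and /etc/postfix/ldap.virtual, followed by "postfix reload".
"""
from datetime import datetime, timezone

# Static part quoted in the bug: Kerberos-disabled or shadowExpire=1 accounts.
STATIC_DEACTIVATED = "(!(krb5KDCFlags=254))(!(shadowExpire=1))"

# Placeholder base filter (assumption); %s is replaced by Postfix with the
# address being looked up.
BASE_FILTER = "(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s))"


def expiry_clause(now):
    """LDAP filter that is true only when none of the expiry attributes lies in the past."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    utc = now.astimezone(timezone.utc)
    epoch = int(utc.timestamp())
    gentime = utc.strftime("%Y%m%d%H%M%SZ")
    days = epoch // 86400
    # sambaKickoffTime>=1 guards against 0 meaning "never" (assumption).
    return (f"(!(|(&(sambaKickoffTime>=1)(sambaKickoffTime<={epoch}))"
            f"(krb5ValidEnd<={gentime})"
            f"(shadowExpire<={days})))")


def active_user_filter(now, base_filter=BASE_FILTER):
    """Combine base filter, static deactivation checks and today's expiry clause."""
    return f"(&{base_filter}{STATIC_DEACTIVATED}{expiry_clause(now)})"


def render_query_filter_line(now, base_filter=BASE_FILTER):
    """The query_filter line to write into the Postfix ldap: table file."""
    return f"query_filter = {active_user_filter(now, base_filter)}\n"


if __name__ == "__main__":
    # Cron would call this without arguments; the line can then be spliced
    # into the table files before "postfix reload".
    print(render_query_filter_line(datetime.now(timezone.utc)), end="")
```

The three encodings differ, which is why a single `TODAY` literal cannot be substituted into the filter; each attribute gets the representation of the same instant in its own unit.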
Not tested yet: if Amavis is disabled, IMHO Postfix will expand the mailing list/group addresses directly during the SMTP dialogue. It should accept the email and respond with the addresses that were rejected. The sender's email server would then create a bounce message for the sender with those. It is also possible that the expansion takes place after accepting the mail. Then the UCS Postfix would create the bounce message when requeuing the expanded addresses. This scenario must be tested.
Requested by a customer