I have a Postfix server that receives mail for virtual aliases and forwards them to the real destination addresses. When the final mail server returns an error the bounce message returned to the sender reveals the final destination email address. Eg. if my server receives mail for [email protected] and tries unsuccessfully to send it to [email protected] the bounce message looks something like this:
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<[email protected]> (expanded from <[email protected]>): host
final.mail.host.com said: 553 5.1.8
<[email protected]>... <some error> (in reply to RCPT TO command)
How do I stop it from revealing the final address?
Figured it out. You need to make sure the mail is rejected, rather than bounced and also set unverified_recipient_reject_reason to avoid revealing the real message. I tried that before, but the trick was the order of the clauses in smtpd_recipient_restrictions:
I previously had the two permit restrictions before reject_unverified_recipient, so they were processed first and mail from any local or authenticated senders was not subject to recipient address verification. It only failed later, after being accepted, and generated a bounce message.
This is still not perfect, because the final MTA can send a bounce message back to the original sender, but there's nothing you can do about that. Relevant Postfix mailing list thread: http://tech.groups.yahoo.com/group/postfix-users/message/251715