I have a problem with backscatter. Spammers send emails to non existent username @ existent domain hosted on my server. I am trying to abort the session instead of sending bounce messages back to forged sender addresses. I tried adding reject_unverified_recipient, but that doesn't seem to work.
When I check mailq, I can see many stuck "user doesn't exist" bounce emails from MAILER_DAEMON to non existent recipients.
Here is my postconf -n
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
message_size_limit = 102400000
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = domain.com
mynetworks = 127.0.0.0/8
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
resolve_numeric_domain = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain, reject_unverified_recipient, permit_auth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/domain.com.chain.crt
smtpd_tls_cert_file = /etc/ssl/certs/domain.com.crt
smtpd_tls_key_file = /etc/ssl/private/domain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_domains = mysql:/etc/postfix/sqlconf/virtual_alias_domains.cf
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot
This is the master.cf file
smtp inet n - - - - smtpd
-o content_filter=spamassassin
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
smtps inet n - - - - smtpd
-o content_filter=checkhook
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
spamassassin unix - n n - - pipe
user=spamfilter argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
checkhook unix - n n - - pipe
user=www-data argv=/etc/postfix/scripts/send ${sender} ${recipient}
Here are some logs that were made when I tried to send to invalid local recipient.
Jan 22 19:09:34 ip-12345 postfix/qmgr[19938]: CF96B20013B: from=<[email protected]>, size=249, nrcpt=1 (queue active)
Jan 22 19:09:35 ip-12345 postfix/pickup[19939]: 982D320013D: uid=5007 from=<[email protected]>
Jan 22 19:09:35 ip-12345 postfix/pipe[21485]: CF96B20013B: to=<[email protected]>, relay=spamassassin, delay=18, delays=16/0/0/1.2, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jan 22 19:09:35 ip-12345 postfix/qmgr[19938]: CF96B20013B: removed
Jan 22 19:09:35 ip-12345 postfix/cleanup[21477]: 982D320013D: message-id=<[email protected]>
Jan 22 19:09:35 ip-12345 postfix/qmgr[19938]: 982D320013D: from=<[email protected]>, size=1333, nrcpt=1 (queue active)
Jan 22 19:09:35 ip-12345 dovecot: auth: Debug: master in: USER#0111#[email protected]#011service=lda
Jan 22 19:09:35 ip-12345 dovecot: auth-worker(14636): Debug: sql([email protected]): SELECT '/var/vmail/[email protected]' as home, 'vmail' as uid, 'vmail' as gid, concat('*:storage=', quota_kb) AS quota_rule, concat('*:messages=', quota_msg) AS quota_rule2 FROM users WHERE username = 'nonexistentx' AND domain = 'localdomain.com' and active=1
Jan 22 19:09:35 ip-12345 dovecot: auth-worker(14636): sql([email protected]): unknown user
Jan 22 19:09:35 ip-12345 dovecot: auth: Debug: userdb out: NOTFOUND#0111
Jan 22 19:09:35 ip-12345 postfix/pipe[21400]: 982D320013D: to=<[email protected]>, relay=dovecot, delay=0.07, delays=0.05/0/0/0.02, dsn=5.1.1, status=bounced (user unknown)
Jan 22 19:09:35 ip-12345 postfix/cleanup[21396]: A8B0720013C: message-id=<[email protected]>
Jan 22 19:09:35 ip-12345 postfix/bounce[21474]: 982D320013D: sender non-delivery notification: A8B0720013C
Jan 22 19:09:35 ip-12345 postfix/qmgr[19938]: A8B0720013C: from=<>, size=3394, nrcpt=1 (queue active)
Jan 22 19:09:35 ip-12345 postfix/qmgr[19938]: 982D320013D: removed
Jan 22 19:09:35 ip-12345 postfix/smtp[21496]: A8B0720013C: to=<[email protected]>, relay=none, delay=0.03, delays=0/0.01/0.02/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=sender.ocm type=A: Host not found)
Jan 22 19:09:35 ip-12345 postfix/qmgr[19938]: A8B0720013C: removed
Perhaps you can check the solutions from the Postfix Backscatter Howto.
And if you really want to get rid of persistent backscatter/spammers, you might want to implement a fail2ban policy combined with postscreen. Postscreen alone eliminates practically all the spammers, with minimal resource usage, and it's very easy to implement, since it's already part of postfix.
You could either disable bounce in master.cf
Or configure an spf check (there are modules in perl and python or with amavis/spamassassin) to discard messages that do not pass spf checks and not generate the bounce for ilegal sources, but still being able to notify legal mail sources (full quotas, message size over limit, old addresses that are not longer attended, etc)