SMTP verify

Hi,

I had the problem that the only good way to check for valid e-mail
addresses at my firewall, which also does SPAM prevention and virus
scanning etc., is to use SMTP verify. Before I set up Ciphermail my
internal mail server was the relay and handled this. With Ciphermail as
a relay between the firewall and my mail server this was no longer
possible. As I found no solution on the web I decided to build my own:

https://wiki.mhcsoftware.de/ciphermail

With this SMTP verify works again. If you know other, better solutions,
please let me know. If you try this and find a bug drop me a note. This
is quick&dirty cut&paste code ... but it works.

cheers
Matthias

--

MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany

voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: info(a)mhcsoftware.de

HR Coburg: B2242
Geschäftsführer: Matthias Henze

Hi Matthias,

Perhaps I misunderstand your requirements but why did you not use the
built-in verify recipients feature? Postfix has the option to verify
whether an internal email address is a valid recipient or not. You can
enable this feature on the MTA page (advanced settings). See "Reject
unverified recipient" on page 15

https://www.ciphermail.com/documents/html/administration-guide/#pff

Kind regards,

Martijn Brinkers

On 03/17/2016 11:06 PM, Matthias Henze wrote:

> Hi,
>
> I had the problem that the only good way to check for valid e-mail
> addresses at my firewall, which also does SPAM prevention and virus
> scanning etc., is to use SMTP verify. Before I set up Ciphermail my
> internal mail server was the relay and handled this. With Ciphermail as
> a relay between the firewall and my mail server this was no longer
> possible. As I found no solution on the web I decided to build my own:
>
> https://wiki.mhcsoftware.de/ciphermail
>
> With this SMTP verify works again. If you know other, better solutions,
> please let me know. If you try this and find a bug drop me a note. This
> is quick&dirty cut&paste code ... but it works.

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

Twitter: http://twitter.com/CipherMail

Hi Martijn,

On 19.03.2016 at 20:23, Martijn Brinkers wrote:

> Hi Matthias,
>
> Perhaps I misunderstand your requirements but why did you not use the
> built-in verify recipients feature? Postfix has the option to verify
> whether an internal email address is a valid recipient or not. You can
> enable this feature on the MTA page (advanced settings). See "Reject
> unverified recipient" on page 15
>
> https://www.ciphermail.com/documents/html/administration-guide/#pff

I tried this and it failed. After receiving your mail I did some
further tests and now I know why it failed. In the MTA config I read:

My Hostname
the internet hostname of this mail system

My Hostname led me to enter what is expected: the host name. In my
case: ciphermail.mhc.loc. In main.cf this value is used for
"myhostname". Seems that there is nothing wrong so far, but this is not
true. Sadly Postfix does not use VRFY to check if the address exists. It
tries to do a normal SMTP chat with MAIL FROM and RCPT TO. The problem
is that with the RCPT TO Postfix uses the hostname after the "@":
double-bounce(a)ciphermail.mhc.loc. Postfix uses "myhostname" when
"myorigin" is not set (see: Postfix Address Verification). In the
Ciphermail Postfix config "myorigin" IS not set. My mailserver replies
to this with:

Sent reply to MAIL: 553 5.1.8 Sender address
<double-bounce(a)ciphermail.mhc.loc> domain does not exist

and after the RCPT TO it rejects the mail. This way EVERY mail gets
rejected. Not because the recipient address does not exist but because
of a missing, correct "myorigin".

When I use a valid domain in "My Hostname", like "mhcsoftware.de", it works.

Some other interesting observations:

Even if I issue a VRFY to the Ciphermail Postfix it uses a SMTP chat
anyway to verify the address. My firewall also does not use VRFY and
instead also uses a SMTP chat. As there is a special command to verify
addresses, why does no one make use of it?

Conclusion:

When I fill in a literally wrong value in the "My Hostname" field the
shipped solution works and makes mine obsolete.

Suggestion:

Add a field "Mail Domain" to the MTA config and use it as "myorigin" in
the Postfix config.

cheers
Matthias

Quoting Matthias Henze <lists(a)mhcsoftware.de>:

> Some other interesting observations:
>
> Even if I issue a VRFY to the Ciphermail Postfix it uses a SMTP chat
> anyway to verify the address. My firewall also does not use VRFY
> and instead also uses a SMTP chat. As there is a special command to
> verify addresses, why does no one make use of it?
>
> cheers
> Matthias

The VRFY is from the time when MTAs typically accepted all destination
addresses and only later on found out if the recipient exists or not.
Today nearly every MTA first checks if the recipient is allowed/valid
before accepting a mail so VRFY is useless and sometimes doesn't even
work at all. That's why the address verification is done with RCPT TO.

This is more of a Postfix question so you might have a look here
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

Regards

Andreas

Hi,

after the update to the latest version upstream verification no
longer works for some reason. Postfix main.cf looks ok to me. I see:

...
djigzo_reject_unverified_recipient = reject
djigzo_unverified_recipient_reject_code = 550
...
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
     ${djigzo_rbl_clients}
     ${djigzo_reject_unverified_recipient? reject_unverified_recipient}

I've no clue why Postfix does not verify the mail addresses.

Any suggestions?

TIA
Matthias

On 22.03.2016 at 11:57, lst_hoe02(a)kwsoft.de wrote:

> The VRFY is from the time when MTAs typically accepted all destination
> addresses and only later on found out if the recipient exists or not.
> Today nearly every MTA first checks if the recipient is allowed/valid
> before accepting a mail so VRFY is useless and sometimes doesn't even work
> at all. That's why the address verification is done with RCPT TO.
>
> This is more of a Postfix question so you might have a look here
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
>
> Regards
>
> Andreas
>
> _______________________________________________
> Users mailing list
> Users(a)lists.djigzo.com
> https://lists.djigzo.com/lists/listinfo/users

On 04/11/2017 10:18 PM, Matthias Henze wrote:

> Hi,
>
> after the update to the latest version upstream verification no
> longer works for some reason. Postfix main.cf looks ok to me. I see:
>
> ...
> djigzo_reject_unverified_recipient = reject
> djigzo_unverified_recipient_reject_code = 550
> ...
> smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
>     ${djigzo_rbl_clients}
>     ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
>
> I've no clue why Postfix does not verify the mail addresses.

Why do you think Postfix is not verifying an email address? Did you
receive an email for an invalid email address?

Kind regards,

Martijn Brinkers

On 12.04.2017 at 17:20, Martijn Brinkers wrote:

> Why do you think Postfix is not verifying an email address?

Dropped mails by telnet to invalid addresses and then ...

> Did you receive an email for an invalid email address?

... received error mails. As well as sending mails from external accounts
and then received error mails.

I've reactivated my old verify script and everything is fine again ...

Matthias

SMTP verification works by checking whether the next server accepts the
email address by sending a RCPT TO SMTP command. If the remote server
does not complain, then Postfix will assume the recipient is valid and
this result is cached for some time. Could it be that the next server does
not validate the recipients? i.e., that it always returns that a
recipient is valid?

Kind regards,

Martijn Brinkers

On 04/12/2017 05:37 PM, Matthias Henze wrote:

>> Why do you think Postfix is not verifying an email address?
>
> Dropped mails by telnet to invalid addresses and then ...
>
>> Did you receive an email for an invalid email address?
>
> ... received error mails. As well as sending mails from external accounts
> and then received error mails

A typical setup of CipherMail is

Exchange <-> CipherMail <-> Internet

Note: Exchange is just an example

With SMTP verification, when an email comes in from the Internet, the
CipherMail gateway "asks" Exchange whether a recipient is valid or not.
If the Exchange server reports that the recipient is valid, CipherMail
will accept the message. This only works if Exchange knows about valid
recipients and does not report "Ok" for every recipient. If for example
Exchange is configured to allow relaying of email for the IP address of
the CipherMail server then Exchange will report "Ok" for every
recipient. You can check whether this is the case by logging into
CipherMail and using telnet to connect to your internal mail server (in
this example Exchange) and checking whether the mail server accepts invalid
recipients.

Example:

$ telnet exchange.example.com 25

EHLO test
MAIL FROM:<>
RCPT TO:<invalidrecipient@example.com>

The mail server should report that the recipient
invalidrecipient@example.com is an invalid recipient.

Note: the above check should be done from the CipherMail server to make
sure that the IP address used to connect to the internal mail server is
the same as the IP of CipherMail.

Kind regards,

Martijn Brinkers

On 04/13/2017 03:10 PM, Martijn Brinkers wrote:

> SMTP verification works by checking whether the next server accepts the
> email address by sending a RCPT TO SMTP command. If the remote server
> does not complain, then Postfix will assume the recipient is valid and
> this result is cached for some time. Could it be that the next server does
> not validate the recipients? i.e., that it always returns that a
> recipient is valid?
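The two failure modes discussed in this thread (the probe sender being refused at MAIL FROM, and the internal server accepting every recipient) can be told apart with a scripted version of the telnet check, run from the gateway. This is an added example, not code from the thread or from CipherMail; the function names, result labels, HELO name and sample addresses are assumptions made for illustration.

```python
import smtplib
import sys
import uuid


def probe(host, sender, rcpt, port=25, timeout=10):
    """EHLO / MAIL FROM / RCPT TO, then QUIT before DATA (no mail is sent).

    Returns (stage, code) for the reply that decided the outcome.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("probe.example.com")      # constructed HELO name
        code, _ = s.mail(sender)         # "" goes out as the null sender <>
        if code >= 400:
            return ("MAIL", code)
        code, _ = s.rcpt(rcpt)
        return ("RCPT", code)


def diagnose(host, probe_sender, known_good, domain, probe_fn=probe):
    """Classify how the next-hop server answers recipient verification probes."""
    bogus = "no-such-user-%s@%s" % (uuid.uuid4().hex[:12], domain)
    stage, code = probe_fn(host, probe_sender, bogus)
    if stage == "MAIL":
        # Refused before RCPT TO: every probe fails, so every mail is rejected
        # (the 553 "Sender address ... domain does not exist" reply above).
        return "probe-sender-rejected"
    if 200 <= code < 300:
        # A random, nonexistent recipient was accepted: verification is blind.
        return "accepts-any-recipient"
    stage, code = probe_fn(host, probe_sender, known_good)
    if stage == "RCPT" and 200 <= code < 300:
        return "ok"
    return "valid-recipient-refused"


if __name__ == "__main__":
    if len(sys.argv) == 5:
        # HOST PROBE_SENDER KNOWN_GOOD_RCPT DOMAIN, run from the gateway itself
        print(diagnose(*sys.argv[1:]))
    else:
        # Offline demo: constructed reply imitating the rejected probe sender
        print(diagnose("mail.example.com", "double-bounce@gw.example.loc",
                       "user@example.com", "example.com",
                       lambda host, sender, rcpt: ("MAIL", 553)))
```

A result of `probe-sender-rejected` points at the probe sender domain ("myorigin" in the thread), while `accepts-any-recipient` matches the case where the internal server allows relaying for the gateway's IP address.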