1

Topic: DKIM, DMARC, Quotas, and Bounceback emails

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  0.9.9
- Deployed with iRedMail Easy or the downloadable installer? manually updated
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi, I just added DMARC records a few days ago and have been starting to analyze the forensic reports. The results have been quite interesting, and I noticed a few things which seem to me to be issues, or at least particular corner cases, which may be worth addressing - or perhaps they should be handled administratively. They all (at this point) involve bounceback emails for users who are at/above their quotas, which probably means the account has been abandoned. That said, these are the issues I've discovered:

1) reported using the server's full hostname rather than the domain name. Initially I'd set up a policy of sp=reject because no one should be using a sub-domain for email. But it looks like the server's hostname/HELO is used for bounce-back emails, which I guess makes sense. I worked around this by creating a new policy for the server's hostname/sub-domain, but they still fail because....

2) Bouncebacks have no DKIM applied.

3) Postfix seems to accept and attempt delivery of an email despite the user being over quota.  The resulting email is immediately returned rather than queued.  This behavior seems odd to me, but I came from a sendmail background.

In my case, I think the email accounts in question have been abandoned so queuing wouldn't have much of an impact except to return the email a couple of days later, but it would seem the right thing to do would be to have postfix (permanently or temporarily) fail if a user was over their quota, thereby avoiding the entire bounceback situation.



Should I make postfix/main.cf: myhostname be the TLD rather than the machine's fully qualified domain?
Does it make sense to add a DKIM signature to bounceback emails? If so, how?
Is there a way to have postfix check the quota prior to responding with a "250 OK"?

Thoughts?


2

Re: DKIM, DMARC, Quotas, and Bounceback emails

2) If no DKIM, SPF still matters. Please add SPF record for the server hostname.
3) Postfix doesn't check (used) mailbox quota while accepting email; it accepts and pipes to Dovecot LDA for local delivery. Dovecot checks quota and rejects immediately if it's over quota.

stahr wrote:

Is there a way to have postfix check the quota prior to responding with a "250 OK"?

I don't think so.
But it's possible to let Dovecot create a socket service for Postfix to check mailbox quota, Postfix can reject immediately if quota exceeded.

3

Re: DKIM, DMARC, Quotas, and Bounceback emails

ZhangHuangbin wrote:
stahr wrote:

Is there a way to have postfix check the quota prior to responding with a "250 OK"?

I don't think so.
But it's possible to let Dovecot create a socket service for Postfix to check mailbox quota, Postfix can reject immediately if quota exceeded.

Anyone have instructions which work?

I found a couple of sets of instructions and they seem simple enough, but haven't gotten it to work - the quota-status always responds with "DUNNO".  I suspect it might be related to the fact that I am using an LDAP backend.  I found one reference on a mailing list describing a similar situation, but it references another link which is dead and the followup simply stated that it was now working. :-(

On another note, couldn't this functionality also be written into the existing "check_policy_service" which is iredapd?

4

Re: DKIM, DMARC, Quotas, and Bounceback emails

stahr wrote:

Anyone have instructions which work?

This is the DRAFT document (Note: pick up the right section for your iRedMail backend):
https://docs.iredmail.org/upgrade.iredm … 9-1.0.html

5

Re: DKIM, DMARC, Quotas, and Bounceback emails

ZhangHuangbin wrote:
stahr wrote:

Anyone have instructions which work?

This is the DRAFT document (Note: pick up the right section for your iRedMail backend):
https://docs.iredmail.org/upgrade.iredm … 9-1.0.html


That did the trick - I had the Dovecot and Postfix parts completed, but I was missing the LDAP attributes. As soon as I ran the conversion script, my server started responding with "Mailbox is full".
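
Added example (not from any poster in this thread, nor from iRedMail or Dovecot): a small client that speaks the Postfix policy-delegation protocol, which is how Postfix asks a `check_policy_service` endpoint such as quota-status for a verdict, so the "DUNNO" versus "Mailbox is full" replies discussed above can be checked per recipient. The `StubQuotaStatus` server, the `QUOTA` table, the addresses and the `552 5.2.2` reply code are constructed stand-ins so the block runs offline.

```python
import socket, socketserver, threading

# Constructed sample data: mailbox -> (bytes used, quota limit in bytes).
QUOTA = {"full@example.com": (1_000_000, 1_000_000), "ok@example.com": (10, 1_000_000)}

def policy_query(host, port, recipient, size):
    """Send one Postfix policy-delegation request; return the action= value."""
    attrs = {"request": "smtpd_access_policy", "protocol_state": "RCPT",
             "recipient": recipient, "size": str(size)}
    # Wire format: name=value lines, terminated by an empty line.
    payload = "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload.encode())
        reply = b""
        while not reply.endswith(b"\n\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    for line in reply.decode().splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    raise ValueError(f"no action= line in reply: {reply!r}")

class StubQuotaStatus(socketserver.StreamRequestHandler):
    """Hypothetical stand-in for a quota-status service, for offline testing."""
    def handle(self):
        attrs = {}
        for raw in self.rfile:
            line = raw.decode().rstrip("\n")
            if not line:          # empty line ends the request
                break
            key, _, value = line.partition("=")
            attrs[key] = value
        used, limit = QUOTA.get(attrs.get("recipient", ""), (0, 0))
        over = limit > 0 and used + int(attrs.get("size", "0")) > limit
        action = "552 5.2.2 Mailbox is full" if over else "DUNNO"
        self.wfile.write(f"action={action}\n\n".encode())

def demo():
    """Run the stub on a loopback port and query it for three recipients."""
    with socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubQuotaStatus) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return {r: policy_query("127.0.0.1", srv.server_address[1], r, 2048)
                    for r in ("full@example.com", "ok@example.com", "nodata@example.com")}
        finally:
            srv.shutdown()
if __name__ == "__main__":
    print(demo())
```

Pointed at the listener a real policy service is configured on, `policy_query` returns the same action Postfix would receive at the RCPT stage. In the stub, a recipient with no quota data gets "DUNNO", so the message would be accepted and only refused later at delivery.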