Sam
2016-Aug-23 15:57 UTC
virtual users, mailer daemon sends mails to non-existent recipient and dovecot stores it
Hello,

Sometimes when we receive a spam or virus that is detected as such, the mailer daemon sends a reply to the sender to inform them that the message is spam or contains viruses.

The problem is that the sender of the spam has something like voicemail at ourdomain.fr ( the user voicemail doesn't exist in our database )

And sometimes dovecot creates the directory and stores the reply's mail...

Aug 23 16:07:31 mail3 postfix/cleanup[15687]: C7EEB406FFFD: message-id=<20160823140731.C7EEB406FFFD at mail3.ourdomain.fr>
Aug 23 16:07:31 mail3 postfix/qmgr[12987]: C7EEB406FFFD: from=<>, size=14280, nrcpt=1 (queue active)
Aug 23 16:07:31 mail3 postfix/bounce[15800]: 824D7406FFFC: sender non-delivery notification: C7EEB406FFFD
Aug 23 16:07:31 mail3 postfix/qmgr[12987]: 824D7406FFFC: removed
Aug 23 16:07:31 mail3 dovecot: auth: Debug: master in: USER#0111#011voicemail#011service=lda
Aug 23 16:07:31 mail3 dovecot: auth: Debug: userdb out: USER#0111#011voicemail#011uid=1001#011gid=1001#011home=/home/vmail/voicemail
Aug 23 16:07:31 mail3 dovecot: lda(voicemail): msgid=<20160823140731.C7EEB406FFFD at mail3.ourdomain.fr>: saved mail to INBOX
Aug 23 16:07:31 mail3 postfix/pipe[15791]: C7EEB406FFFD: to=<voicemail at ourdomain.fr>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 23 16:07:31 mail3 postfix/qmgr[12987]: C7EEB406FFFD: removed

Here is the stored mail:

Return-Path: <MAILER-DAEMON>
Delivered-To: voicemail at ourdomain.fr
Received: by mail3.ourdomain.fr (Postfix)
    id C7EEB406FFFD; Tue, 23 Aug 2016 16:07:31 +0200 (CEST)
Date: Tue, 23 Aug 2016 16:07:31 +0200 (CEST)
From: MAILER-DAEMON at ourdomain.fr (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: voicemail at ourdomain.fr
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="824D7406FFFC.1471961251/mail3.ourdomain.fr"
Message-Id: <20160823140731.C7EEB406FFFD at mail3.ourdomain.fr>

This is a MIME-encapsulated message.

--824D7406FFFC.1471961251/mail3.ourdomain.fr
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mail3.ourdomain.fr.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<existing.user at ourdomain.com> (expanded from
    <existing.user at ourdomain.fr>): host
    mails.collaboration-sfr.com[86.64.240.34] said: 552 5.2.0
    <ae7X1t00115ZlG601e7Xvw> reject for policy reason : spam detected in your
    mail (in reply to end of DATA command)

--824D7406FFFC.1471961251/mail3.ourdomain.fr
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; mail3.ourdomain.fr
X-Postfix-Queue-ID: 824D7406FFFC
X-Postfix-Sender: rfc822; voicemail at ourdomain.fr
Arrival-Date: Tue, 23 Aug 2016 16:07:29 +0200 (CEST)

Final-Recipient: rfc822; existing.user at ourdomain.com
Original-Recipient: rfc822;existing.user at ourdomain.fr
Action: failed
Status: 5.2.0
Remote-MTA: dns; mails.collaboration-sfr.com
Diagnostic-Code: smtp; 552 5.2.0 <ae7X1t00115ZlG601e7Xvw> reject for policy
    reason : spam detected in your mail

--824D7406FFFC.1471961251/mail3.ourdomain.fr
Content-Description: Undelivered Message
Content-Type: message/rfc822

Return-Path: <voicemail at ourdomain.fr>
Received: from 177.222.108.254.dynamic.on.com.br (unknown [177.222.108.254])
    by mail3.ourdomain.fr (Postfix) with ESMTP id 824D7406FFFC
    for <existing.user at ourdomain.fr>; Tue, 23 Aug 2016 16:07:29 +0200 (CEST)
From:voicemail at ourdomain.fr
To:existing.user at ourdomain.fr
Subject: [Vigor2820 Series] New voice mail message from 01425939048 on 2016/08/23 11:07:28
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="5A1b791c537d41f1"

--5A1b791c537d41f1
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

Dear existing.user :
 There is a message for you from 01425939048, on 2016/08/23 11:07:28 .
 You might want to check it when you get a chance.Thanks!

--5A1b791c537d41f1
Content-Type: audio/x-wav; name="Message_from_01425939048.wav.zip"
Content-Transfer-Encoding: BASE64
Content-Description: Voicemail sound attachment.
Content-Disposition: attachment; filename="Message_from_01425939048.wav.zip"

...

I don't understand why I don't have the same behavior as when I send a mail to a non-existent address ( <tottttt at ourdomain.fr>: Recipient address rejected: User unknown in virtual mailbox table )

How can I fix it?

Thanks a lot!

Samuel
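The pattern in the log excerpt above (a message with envelope sender <> handed to the dovecot pipe for a recipient that has no mailbox) can be searched for mechanically. The following is an added example, not part of the original post: the first two sample lines follow the post's log with "@" restored, the other four are constructed, and KNOWN_MAILBOXES is an assumption standing in for the virtual mailbox table.

```python
import re

# Constructed sample: the first two lines follow the post's log excerpt
# (with "@" restored); the remaining four are invented for contrast.
SAMPLE_LOG = """\
Aug 23 16:07:31 mail3 postfix/qmgr[12987]: C7EEB406FFFD: from=<>, size=14280, nrcpt=1 (queue active)
Aug 23 16:07:31 mail3 postfix/pipe[15791]: C7EEB406FFFD: to=<voicemail@ourdomain.fr>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 23 16:08:02 mail3 postfix/qmgr[12987]: A1B2C3D4E5F6: from=<>, size=3120, nrcpt=1 (queue active)
Aug 23 16:08:02 mail3 postfix/pipe[15791]: A1B2C3D4E5F6: to=<existing.user@ourdomain.fr>, relay=dovecot, delay=0.01, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 23 16:09:10 mail3 postfix/qmgr[12987]: 0F0E0D0C0B0A: from=<someone@example.org>, size=900, nrcpt=1 (queue active)
Aug 23 16:09:10 mail3 postfix/pipe[15791]: 0F0E0D0C0B0A: to=<ghost@ourdomain.fr>, relay=dovecot, delay=0.01, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
"""

# Assumption: stands in for the virtual mailbox table.
KNOWN_MAILBOXES = {"existing.user@ourdomain.fr"}

# qmgr records the envelope sender per queue ID; from=<> marks a bounce.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
# pipe records the hand-off to the dovecot LDA for one recipient.
DELIVERED = re.compile(
    r"postfix/pipe\[\d+\]: (\w+): to=<([^>]+)>, relay=dovecot,.*status=sent")


def find_unknown_deliveries(log_text, known_mailboxes):
    """Return deliveries via dovecot to recipients that are not known mailboxes."""
    known = {m.lower() for m in known_mailboxes}
    senders = {}      # queue ID -> envelope sender ("" for a bounce)
    findings = []
    for line in log_text.splitlines():
        m = QMGR_FROM.search(line)
        if m:
            senders[m.group(1)] = m.group(2)
            continue
        m = DELIVERED.search(line)
        if m and m.group(2).lower() not in known:
            qid, rcpt = m.groups()
            findings.append({"queue_id": qid, "recipient": rcpt,
                             "bounce": senders.get(qid) == ""})
    return findings


if __name__ == "__main__":
    for f in find_unknown_deliveries(SAMPLE_LOG, KNOWN_MAILBOXES):
        kind = "bounce" if f["bounce"] else "message"
        print(f"{f['queue_id']}: {kind} stored for unknown {f['recipient']}")
```
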
Aki Tuomi
2016-Aug-23 16:08 UTC
> On August 23, 2016 at 6:57 PM Sam <sr42354 at gmail.com> wrote:
>
> Hello,
>
> Sometimes when we receive a spam or virus that is detected as such, the mailer
> daemon sends a reply to the sender to inform them that the message is spam
> or contains viruses.
>
> The problem is that the sender of the spam has something like
> voicemail at ourdomain.fr ( the user voicemail doesn't exist in our database )
>
> And sometimes dovecot creates the directory and stores the reply's mail...
>
> <snip/>
>
> I don't understand why I don't have the same behavior as when I send a
> mail to a non-existent address ( <tottttt at ourdomain.fr>: Recipient
> address rejected: User unknown in virtual mailbox table )
>
> How can I fix it?
>
> Thanks a lot!
>
> Samuel

Please provide doveconf -n output.

Aki
Sean Greenslade
2016-Aug-23 18:07 UTC
On Tue, Aug 23, 2016 at 05:57:37PM +0200, Sam wrote:
> Hello,
>
> Sometimes when we receive a spam or virus that is detected as such, the mailer
> daemon sends a reply to the sender to inform them that the message is spam or
> contains viruses.

You probably shouldn't do this. The vast majority of spam / virus emails are sent from compromised machines / botnets, use fake return paths, and either don't monitor replies, or just use replies to verify that the email address is valid and send more spam to it. Or worse, it can turn your server into a spamming machine if the return addresses are set to other people's email addresses.

There are several valid ways of handling spam, depending on how your mail architecture works. One is to reject incoming spam messages at the receiving mailserver. The downside is that this leaks information to the spammers about what spam methods actually get through or not.

Another method is to accept all incoming messages, then sort / quarantine / blackhole any spam. The downside is that this makes your server seem more accepting, which may attract more spam.

I personally take the second approach, though which is better will definitely depend on how your specific system works.

If you're really dead set on having some sort of auto reply, at the very least make it only reply to senders that have historically sent good messages (e.g. some sort of whitelist).

--Sean
Dominik Breu
2016-Aug-23 18:39 UTC
Hey Sam,

My view on this is that your Postfix actually sends this reply to your system because the bounce is inbound traffic, and when you send it from outside it is outbound traffic, therefore the virtual file is checked and successfully blocked this kind of request.

Greetings
dominik

--
This message was sent from my Android device with K-9 Mail.
Sam
2016-Aug-24 06:43 UTC
Hello Aki,

here is the output:

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-327.el7.x86_64 x86_64 CentOS Linux release 7.2.1511 (Core)
auth_debug = yes
auth_master_user_separator = *
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/sieve.creds
  driver = passwd-file
  master = yes
}
plugin {
  quota = maildir
  quota_grace = 10%%
  quota_rule2 = Trash:storage=+100M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail3.albertville.fr/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail3.albertville.fr/privkey.pem
userdb {
  args = uid=1001 gid=1001 home=/home/vmail/%Lu allow_all_users=yes
  driver = static
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " quota sieve"
  postmaster_address = postmaster@%d
}
protocol imap {
  mail_plugins = " quota imap_quota"
}

On 23/08/2016 at 18:08, Aki Tuomi wrote:
> doveconf -n output
Sam
2016-Aug-24 07:33 UTC
Hello Sean,

You're right, I'm going to switch off the return message too.

Thanks!

Samuel

On 23/08/2016 at 20:07, Sean Greenslade wrote:
> On Tue, Aug 23, 2016 at 05:57:37PM +0200, Sam wrote:
>> Hello,
>>
>> Sometimes when we receive a spam or virus that is detected as such, the mailer
>> daemon sends a reply to the sender to inform them that the message is spam or
>> contains viruses.
> You probably shouldn't do this. The vast majority of spam / virus emails
> are sent from compromised machines / botnets, use fake return paths, and
> either don't monitor replies, or just use replies to verify that the
> email address is valid and send more spam to it. Or worse, it can turn
> your server into a spamming machine if the return addresses are set to
> other people's email addresses.
>
> There are several valid ways of handling spam, depending on how your
> mail architecture works. One is to reject incoming spam messages at the
> receiving mailserver. The downside is that this leaks information to the
> spammers about what spam methods actually get through or not.
>
> Another method is to accept all incoming messages, then sort /
> quarantine / blackhole any spam. The downside is that this makes your
> server seem more accepting, which may attract more spam.
>
> I personally take the second approach, though which is better will
> definitely depend on how your specific system works.
>
> If you're really dead set on having some sort of auto reply, at the very
> least make it only reply to senders that have historically sent good
> messages (e.g. some sort of whitelist).
>
> --Sean
Tanstaafl
2016-Aug-24 12:08 UTC
On 8/23/2016 11:57 AM, Sam <sr42354 at gmail.com> wrote:
> The problem is that the sender of the spam has something like
> voicemail at ourdomain.fr ( the user voicemail doesn't exist in our database )
>
> And sometimes dovecot creates the directory and stores the reply's mail...

1. Don't accept mail for non-existent (invalid) users

2. Don't accept mail from domains that you control that don't originate from your smtp server(s)

Problem solved.
Tanstaafl
2016-Aug-24 12:26 UTC
On 8/24/2016 8:08 AM, Tanstaafl <tanstaafl at libertytrek.org> wrote:
> 2. Don't accept mail from domains that you control that don't originate
> from your smtp server(s)
>
> Problem solved.

Oops, that should of course read:

2. Don't accept mail that is both TO & FROM a (the same) domain that you control that doesn't originate from your SMTP server(s)
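The two rules above (rule 2 in its corrected form), written as the decision function of a Postfix policy delegation service (check_policy_service). This is an added example, not code from the thread: LOCAL_DOMAINS, TRUSTED_NETS and KNOWN_MAILBOXES are constructed placeholder values, and the request attributes used are the ones Postfix sends in a policy request.

```python
import ipaddress

# Constructed values for this example (assumptions, not from the thread).
LOCAL_DOMAINS = {"ourdomain.fr"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
KNOWN_MAILBOXES = {"existing.user@ourdomain.fr", "postmaster@ourdomain.fr"}


def parse_request(text):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def domain_of(address):
    return address.rpartition("@")[2].lower()


def from_our_servers(attrs):
    """True for SASL-authenticated clients and clients inside TRUSTED_NETS."""
    if attrs.get("sasl_username"):
        return True
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:          # e.g. "unknown"
        return False
    return any(client in net for net in TRUSTED_NETS)


def decide(attrs):
    """Return the action for one RCPT TO."""
    sender = attrs.get("sender", "").lower()      # empty for a bounce (<>)
    rcpt = attrs.get("recipient", "").lower()
    # Rule 1: no mail for local recipients that do not exist.
    if domain_of(rcpt) in LOCAL_DOMAINS and rcpt not in KNOWN_MAILBOXES:
        return "REJECT User unknown"
    # Rule 2 (corrected): TO and FROM the same local domain, but the client
    # is not one of our own SMTP servers.
    if (sender and domain_of(sender) == domain_of(rcpt)
            and domain_of(rcpt) in LOCAL_DOMAINS and not from_our_servers(attrs)):
        return "REJECT Local sender address from outside client"
    return "DUNNO"


def policy_reply(text):
    """Full reply as Postfix expects it: action line plus an empty line."""
    return "action=%s\n\n" % decide(parse_request(text))
```

Rejecting the forged message at RCPT TO means no bounce is generated for it later. Third-party services that legitimately send with the local domain as envelope sender also match rule 2 and have to be listed in TRUSTED_NETS.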