IVO GELOV (CRM)
2012-Jan-13 17:11 UTC
[Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation
Hello to all members.

I have been using Dovecot for 5 years, but this is my first post here. I am aware of the various autoresponder scripts for vacation autoreplies (I am using Virtual Vacation 3.1 by Mischa Peters). I have an issue with auto-replies - it is vulnerable to spamming with forged email addresses. Forging can be prevented with several Postfix settings, which I did in the past - but was forced to remove, because our company occasionally has clients with improper configurations and those settings prevent us from receiving their legitimate mail (and this of course is not good for the business).

So I have thought about another idea. Since I use Dovecot-auth to verify mailbox existence - I just wonder whether it is possible to somehow indicate a specific error code (and hopefully descriptive text also) to Postfix (e.g. 450 or some other temporary failure) when the owner of the mailbox is currently on vacation?

Best wishes,
IVO GELOV
Charles Marcus
2012-Jan-13 18:03 UTC
[Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation
On 2012-01-13 12:11 PM, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
> I am aware of the various autoresponder scripts for vacation autoreplies
> (I am using Virtual Vacation 3.1 by Mischa Peters).
> I have an issue with auto-replies - it is vulnerable to spamming with
> forged email address.

I think you are using an extremely old/outdated version...

The latest version would not suffer this problem, because it has a lot of message types that it will *not* respond to, including messages appearing to be from yourself...

Get the latest version from the postfixadmin package. However, I don't know how to use it without also using postfixadmin (it creates databases for storing the vacation message, etc)...

--
Best regards,
Charles
IVO GELOV (CRM)
2012-Jan-16 09:48 UTC
[Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation
On Sun, 15 Jan 2012 14:33:24 +0200, Charles Marcus <CMarcus at media-brokers.com> wrote:
> On 2012-01-14 12:23 PM, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
>> I have downloaded the latest version 4.0 - but it seems there is no
>> way to prevent spammers to use forged email addresses. I decided to
>> remove the vacation feature from our corporate mail server, because
>> it actually opens a backdoor (even though only when someone decides
>> to activate his vacation auto-reply) for spammers and puts a risk on
>> the company (our server can be blacklisted).
>
> Sorry, I misread your message...
>
> However, (I *think*) there *is* a simple solution to your problem, if I
> now understand it correctly...
>
> Simply disallow anyone sending from an email address in your domain from
> sending without SASL_AUTHing...
>
> The way I do this is:
>
> in main.cf (I put all of my restrictions in
> smtpd_recipient_restrictions) add:
>
> check_sender_access ${hash}/nospoof,
>
> somewhere after reject_unauth_destination (but before any RBL checks)
>
> where nospoof contains:
>
> # Prevent spoofing from domains that we own
> allowed_address1@example.com OK
> allowed_address2@example.com OK
> example.com REJECT You must use sasl_auth to send from one of our example.com email addresses...
>
> and of course be sure to postmap the nospoof database after making any
> changes...
>

These are the restrictions I apply (or had been applying for some time). Anyway, for now I simply disabled the vacation plugin.

smtpd_client_restrictions = permit_mynetworks, check_client_access mysql:/etc/postfix/sender_ip, permit_sasl_authenticated, reject_unknown_client
#reject_rhsbl_client blackhole.securitysage.com, reject_rbl_client opm.blitzed.org,
#smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access mysql:/etc/postfix/client_sql, reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org,reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client dnsbl.ahbl.org, permit
#smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access mysql:/etc/postfix/client_ok, reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org,reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client dnsbl.ahbl.org, reject_unknown_client
###, check_policy_service inet:127.0.0.1:10040, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client dnsbl.ahbl.org
#,reject_rbl_client opm.blitzed.org, reject_rbl_client relays.ordb.org, reject_rbl_client dun.dnsrbl.net

#REJECT_NON_FQDN_HOSTNAME - checks whether HELO is a fully qualified domain name (with suffix)
#smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname
smtpd_helo_restrictions = reject_invalid_hostname

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rhsbl_sender rhsbl.ahbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org
#reject_rhsbl_sender blackhole.securitysage.com, reject_rhsbl_sender opm.blitzed.org,
#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, check_sender_access mysql:/etc/postfix/sender_sql, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender rhsbl.ahbl.org, reject_rhsbl_sender block.rhs.mailpolice.com, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender dsn.rfc-ignorant.org, permit
#, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rhsbl_sender relays.ordb.org, reject_rhsbl_sender dun.dnsrbl.net

#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, check_recipient_access regexp:/etc/postfix/dspam_incoming
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
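
Editor's added example, not part of any post in this thread and not Postfix code: a simplified Python model of first-match restriction evaluation, comparing the active smtpd_recipient_restrictions posted above with the same list plus the check_sender_access nospoof entry from the quoted reply. The sample messages and the address boss@example.com are constructed, and the access lookup is reduced to full address, then exact domain.

```python
# Simplified model of Postfix first-match restriction evaluation (illustration
# only). Table contents follow the quoted reply; the messages are constructed.
NOSPOOF = {
    "allowed_address1@example.com": "OK",
    "allowed_address2@example.com": "OK",
    "example.com": "REJECT",
}

def sender_access(sender, table):
    """access(5)-style lookup, reduced to: full address first, then domain."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    for key in (sender, domain):
        if key in table:
            return table[key]
    return "DUNNO"  # no match: fall through to the next restriction

def evaluate(restrictions, msg):
    """Walk the list in order; the first decisive result wins."""
    for r in restrictions:
        if r == "permit_sasl_authenticated" and msg["sasl"]:
            return "permit"
        if r == "permit_mynetworks" and msg["mynetworks"]:
            return "permit"
        if r == "reject_unauth_destination" and not msg["local_rcpt"]:
            return "reject"
        if r == "check_sender_access nospoof":
            result = sender_access(msg["sender"], NOSPOOF)
            if result == "OK":
                return "permit"
            if result == "REJECT":
                return "reject"
    return "permit"  # end of list reached: the request is permitted

# Active recipient restrictions from the posted main.cf (pipelining check omitted).
POSTED = ["permit_sasl_authenticated", "permit_mynetworks",
          "reject_unauth_destination"]
WITH_NOSPOOF = POSTED + ["check_sender_access nospoof"]

# Constructed messages to a local mailbox: an unauthenticated outside client
# claiming a local sender, the same sender after SASL login, an outside sender.
forged = {"sender": "boss@example.com", "sasl": False,
          "mynetworks": False, "local_rcpt": True}
authed = dict(forged, sasl=True)
external = dict(forged, sender="client@customer.test")

if __name__ == "__main__":
    for name, msg in (("forged", forged), ("authed", authed), ("external", external)):
        print(name, evaluate(POSTED, msg), evaluate(WITH_NOSPOOF, msg))
```

The table only decides for senders claiming an address in a listed domain; a sender in any other domain falls through as DUNNO and is handled by whatever restrictions follow.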