Blocked email generates reply, despite "ndr_on_block 0"

T

_toby_

Member
Proxmox Subscriber
Mar 3, 2023
13
6
8
Hi

PMG 8.2.11

Our new rule to block certain messages is generating a reply to the sender like

The response from the remote server was:

554 5.7.1 Rejected for policy reasons (C68A16A269E9A022E9)

even though we have ndr_on_block 0 in the mail section of pmg.conf

syslog shows:
Code: 
2026-06-08T11:51:06.399785+01:00 purgatory pmg-smtp-filter[643523]: C68A16A269E9A022E9: notify <spamlog@abc.xyz> (rule: Stop mega spammers, 5693CA18EC)
2026-06-08T11:51:06.399878+01:00 purgatory pmg-smtp-filter[643523]: C68A16A269E9A022E9: block mail to <toby@abc.xyz> (rule: Stop mega spammers)
2026-06-08T11:51:06.402771+01:00 purgatory pmg-smtp-filter[643523]: C68A16A269E9A022E9: processing time: 0.391 seconds (0.272, 0.039, 0)
2026-06-08T11:51:06.402889+01:00 purgatory postfix/smtpd[642153]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons (C68A16A269E9A022E9); from=<qwerty@gmail.com> to=<toby@abc.xyz> proto=ESMTP helo=<mail-qt1-f170.google.com>
2026-06-08T11:51:06.402934+01:00 purgatory pmg-smtp-filter[643523]: reject mail C68A16A269E9A022E9

Have I missed a config option?

Cheers
Toby
 
_toby_ said:
2026-06-08T11:51:06.402889+01:00 purgatory postfix/smtpd[642153]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons (C68A16A269E9A022E9); from=<qwerty@gmail.com> to=<toby@abc.xyz> proto=ESMTP helo=<mail-qt1-f170.google.com>
Click to expand...
this line says that postfix rejected the mail during the SMTP session (and that you have enabled before-queue filtering).

PMG does not generate a non-delivery report - it responds to the sending server with a permanent error-code (5xx) - the bounce you receive should come from that sending server (not from pmg itself)
 
Hi Stoiko

Again, many thanks for your reply. Is my understanding correct, that dodgy people couldn't use this as a way to make our server send "blocked" responses to a victim? The reply goes back to the server where it came from, rather than a possibly faked ReplyTo or From? Or do I need after-queue filtering?

Cheers
Toby
 
_toby_ said:
Again, many thanks for your reply. Is my understanding correct, that dodgy people couldn't use this as a way to make our server send "blocked" responses to a victim? The reply goes back to the server where it came from, rather than a possibly faked ReplyTo or From? Or do I need after-queue filtering?
Click to expand...
all of this has nothing to do with 'Reply-To' or 'From' headers you see in your e-mails - this all happens during the SMTP-dialogue - and all addresses here are the "bounce addresses" a.k.a. envelope-sender/recipient a.k.a. Return-path (for the sender).

Your PMG responds to the sending server 554 - rejected - the sending server should inform the sender that an e-mail could not be delivered (in the legitimate case) - and sends a NDR/Bounce message to the original sender.
If the server that tried to send the mail, which was rejected informs the user - this message will come from that server (and not your PMG).

I hope this explains it!
 
You must log in or register to reply here.
Top Bottom
Back