Blocked email generates reply, despite "ndr_on_block 0"

Mar 3, 2023
Hi

PMG 8.2.11

Our new rule to block certain messages is generating a reply to the sender like

The response from the remote server was:

554 5.7.1 Rejected for policy reasons (C68A16A269E9A022E9)

even though we have ndr_on_block 0 in the mail section of pmg.conf

syslog shows:
Code:
2026-06-08T11:51:06.399785+01:00 purgatory pmg-smtp-filter[643523]: C68A16A269E9A022E9: notify <spamlog@abc.xyz> (rule: Stop mega spammers, 5693CA18EC)
2026-06-08T11:51:06.399878+01:00 purgatory pmg-smtp-filter[643523]: C68A16A269E9A022E9: block mail to <toby@abc.xyz> (rule: Stop mega spammers)
2026-06-08T11:51:06.402771+01:00 purgatory pmg-smtp-filter[643523]: C68A16A269E9A022E9: processing time: 0.391 seconds (0.272, 0.039, 0)
2026-06-08T11:51:06.402889+01:00 purgatory postfix/smtpd[642153]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons (C68A16A269E9A022E9); from=<qwerty@gmail.com> to=<toby@abc.xyz> proto=ESMTP helo=<mail-qt1-f170.google.com>
2026-06-08T11:51:06.402934+01:00 purgatory pmg-smtp-filter[643523]: reject mail C68A16A269E9A022E9

Have I missed a config option?

Cheers
Toby
 
2026-06-08T11:51:06.402889+01:00 purgatory postfix/smtpd[642153]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons (C68A16A269E9A022E9); from=<qwerty@gmail.com> to=<toby@abc.xyz> proto=ESMTP helo=<mail-qt1-f170.google.com>
This line says that postfix rejected the mail during the SMTP session (and that you have enabled before-queue filtering).

PMG does not generate a non-delivery report - it responds to the sending server with a permanent error-code (5xx) - the bounce you receive should come from that sending server (not from pmg itself)
 
Hi Stoiko

Again, many thanks for your reply. Is my understanding correct, that dodgy people couldn't use this as a way to make our server send "blocked" responses to a victim? The reply goes back to the server where it came from, rather than a possibly faked ReplyTo or From? Or do I need after-queue filtering?

Cheers
Toby
 
Again, many thanks for your reply. Is my understanding correct, that dodgy people couldn't use this as a way to make our server send "blocked" responses to a victim? The reply goes back to the server where it came from, rather than a possibly faked ReplyTo or From? Or do I need after-queue filtering?
All of this has nothing to do with the 'Reply-To' or 'From' headers you see in your e-mails - this all happens during the SMTP dialogue - and all addresses here are the "bounce addresses" a.k.a. envelope-sender/recipient a.k.a. Return-path (for the sender).

Your PMG responds to the sending server 554 - rejected - the sending server should inform the sender that an e-mail could not be delivered (in the legitimate case) - and sends an NDR/Bounce message to the original sender.
If the server that tried to send the mail, which was rejected, informs the user - this message will come from that server (and not your PMG).

I hope this explains it!
 
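Added example (not part of the thread and not PMG's own code): a log check that separates the in-session `proxy-reject` discussed above from a bounce that the host itself would queue, which is the case that could produce backscatter. The `postfix/bounce` line is constructed for contrast; the function and variable names are assumptions made for this example.

```python
import re

# postfix/smtpd line logged when the before-queue filter rejects in-session
PROXY_REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: proxy-reject: END-OF-MESSAGE: (?P<code>[45]\d\d) "
    r"(?P<dsn>\d\.\d+\.\d+) .*?; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
# postfix/bounce line logged when this host itself creates an NDR
LOCAL_NDR = re.compile(
    r"postfix/bounce\[\d+\]: (?P<qid>\w+): "
    r"sender non-delivery notification: (?P<ndr_qid>\w+)"
)

def classify(lines):
    """Return (in_session_rejects, local_ndrs) found in the log lines."""
    rejects, ndrs = [], []
    for line in lines:
        m = PROXY_REJECT.search(line)
        if m:
            rejects.append(m.groupdict())
            continue
        m = LOCAL_NDR.search(line)
        if m:
            ndrs.append(m.groupdict())
    return rejects, ndrs

def generates_backscatter(lines):
    """True only if this host queued a bounce message of its own."""
    return bool(classify(lines)[1])

# Two of the lines quoted in the thread
THREAD_LOG = [
    "2026-06-08T11:51:06.399878+01:00 purgatory pmg-smtp-filter[643523]: C68A16A269E9A022E9: block mail to <toby@abc.xyz> (rule: Stop mega spammers)",
    "2026-06-08T11:51:06.402889+01:00 purgatory postfix/smtpd[642153]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 Rejected for policy reasons (C68A16A269E9A022E9); from=<qwerty@gmail.com> to=<toby@abc.xyz> proto=ESMTP helo=<mail-qt1-f170.google.com>",
]
# Constructed line (not from the thread): a locally generated bounce
CONSTRUCTED_BOUNCE = (
    "2026-06-08T11:52:00.000000+01:00 purgatory postfix/bounce[650000]: "
    "4F1A2B3C4D: sender non-delivery notification: 5A6B7C8D9E"
)

if __name__ == "__main__":
    rejects, ndrs = classify(THREAD_LOG)
    for r in rejects:
        print(f"in-session reject {r['code']} {r['dsn']}: {r['sender']} -> {r['rcpt']}")
    print("local NDRs in thread log:", len(ndrs))
    print("with constructed bounce:", generates_backscatter(THREAD_LOG + [CONSTRUCTED_BOUNCE]))
```

The addresses reported for a reject are the envelope sender and recipient from the SMTP dialogue, not the message's From or Reply-To headers.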