Mail Proxy: interaction option "verify receivers" and "greylisting"

It's only the huge workaround with this additional transport on the Exchange Server side. All Exchange Servers before version 2013 work fine out of the box. But why not implement verification on SMTP level with a given LDAP user base on the PMG side? SO THIS WOULD WORK AND ALWAYS INDEPENDENTLY OF THE INTERNALLY USED MAILSYSTEM? Meaning not wasting system resources, by not performing user lookups in unneeded SMTP connections to the internal mail system, when PMG could do the job directly? Other commercial anti-spam systems just do it this way. As an anti-spam appliance means rejecting directly on the system itself and not handing this job over to other systems.
I don't understand it. And also, how would before the queue help with it? Receiver verification on SMTP level?

Thanks for your help.
 
SO THIS WOULD WORK AND ALWAYS INDEPENDENTLY OF THE INTERNALLY USED MAILSYSTEM?

Not all mail systems have their user database in an LDAP?!

All Exchange Servers before version 2013 work fine out of the box.
This is something where only Microsoft's support could help you.

Other commercial Anti-Spam Systems just do it this way.
which and how?

As an anti-spam appliance means rejecting directly on the system itself and not handing this job over to other systems.
As I've tried to explain a few times - recipient verification in postfix works that way - and works fine in most setups - it asks the downstream server once and caches the response for a configured time.

And also, how would before the queue help with it?
With before-queue filtering (and disabled sending of NDRs on block) you could create a rule that blocks mails not listed in an LDAP group - the block would be translated to a 5xx (if the mail is addressed only to non-existing users - else it is accepted for the existing users and discarded for the non-existing ones).
 
Barracuda mail products, vamsoft or nospam for instance do it and use LDAP or Active Directory to obtain the required valid user addresses. So the appliance itself can reject directly on SMTP level, as it knows all valid addresses...

Just for my understanding, and to check whether your suggestion is a possible approach for my issue:
Before the queue is nice, but introduces too many false positives: when SA spam score 3 is reached as the defined spam score level by a legitimate e-mail, this sender cannot send you any e-mail anymore, because it's getting rejected before the queue and will get the NDR?
 
Barracuda mail products, vamsoft or nospam for instance do it and use LDAP or Active Directory to obtain the required valid user addresses. So the appliance itself can reject directly on SMTP level, as it knows all valid addresses...

The majority of email servers around do not store the email addresses in LDAP databases, so this will not work in a lot of places. Our approach is more generic and much easier and probably faster (no LDAP queries, fast local cache)
 
@Stoiko Ivanov Thanks for the reply. @tom yes, I can also follow your point of view.

MS triggering to change anything, the effort you can save...

@Stoiko Ivanov: Regarding the before-the-queue filtering method you proposed:
Just for my understanding, and to check whether your suggestion is a possible approach for my block-on-SMTP-level issue:

Before the queue is nice, but wouldn't it introduce too many false positives? I mean, when the configured SA spam score 3 is reached as the defined spam score level by a legitimate e-mail: can this sender send you any e-mail anymore, because it's getting rejected before the queue and will therefore just receive the NDR?

Thanks for your good work.
 
Before the queue is nice, but wouldn't it introduce too many false positives? I
No - or at least not more than after-queue filtering?! (the same checks run - in one case Postfix accepts the mail and it gets dropped/accepted afterwards, in the other (before-queue) the pmg-smtp-filter responds with 2XX / 5XX respectively) - the finer points are if a mail is to multiple recipients (and one accepts it and another one rejects it) - here pmg-smtp-filter responds with 2XX and drops the mail to the rejecting recipient.

Bounce generation is configured via the 'Send NDR on Blocked Email' Option of the Mail Proxy.

I would suggest that you just quickly configure a test-setup and try your use-case - this helps tremendously to understand what happens how.
 
Thanks again.

But just for my notes: when before the queue is activated AND the configured SA spam score level is 3, and this score of 3 is reached by a legitimate e-mail, will the e-mail get delivered to the recipient or not? If not, will the sender receive the 5xx code in such a case? This would mean that e-mails classified as false positives (legitimate), having an SA score of 3 or more, are also getting rejected at the SMTP level?
 
recipient verification in postfix works that way - and works fine in most setups - it asks the downstream server once and caches the response for a configured time.

@Stoiko Ivanov: do you know the caching lifetime value used in PMG? I see some strange behaviour. When I wipe UNUSED e-mail addresses (which existed before and for which VRFY recipient verification was successful!), SMTP VRFY won't work as expected anymore, because the Postfix cache thinks that the address is still valid, but it isn't anymore (already deleted on the destination SMTP-VRFY-enabled e-mail server, which ALWAYS correctly REJECTS IT WITH SMTP code 550 - in any case...).

If it's really 31 days due to address_verify_positive_expire_time, it seems too long for the above scenario, where you wiped existing e-mail addresses on the destination mail server, because you have to wait 31 days before a now invalid e-mail address is wiped from the cache and the NDR generation (performed by the source - the sender's e-mail system) is working correctly to avoid backscatter problems. If the e-mail address is still marked as a valid one in the PMG Postfix cache, PMG seems to generate the NDR itself - leading to possible backscatter issues..

http://www.postfix.org/verify.8.html
 
It is, but you can always clear the cache in the GUI->Administration->Postfix Queues->'Discard address verification database'

I hope this helps!
Thanks, yes, it's one attempt to work around the "issue". Will it clean up the cache on the fly, with no manual service requests?
Seems that I have overlooked it before ;(
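
The caching behaviour discussed in this thread, as a simplified model (an added example, not code from Postfix, PMG or any poster): it shows how long a mailbox deleted on the downstream server keeps being accepted at the gateway. It assumes Postfix's documented defaults of 31d for address_verify_positive_expire_time and 7d for address_verify_positive_refresh_time, and the documented rule that a failed refresh probe does not update a positive entry. The class and function names and the address are hypothetical, and the asynchronous probe and the negative cache are left out.

```python
# Added illustration: simplified model of Postfix's positive address
# verification cache. Names are hypothetical; defaults are Postfix's documented
# address_verify_positive_expire_time (31d) / _refresh_time (7d).
DAY = 86400


class VerifyCache:
    def __init__(self, probe, expire_days=31, refresh_days=7):
        self.probe = probe                  # callable(address, now) -> bool
        self.expire = expire_days * DAY
        self.refresh = refresh_days * DAY
        self.last_ok = {}                   # address -> time of last good probe

    def flush(self):
        """Models 'Discard address verification database' in the PMG GUI."""
        self.last_ok.clear()

    def rcpt(self, address, now):
        """Reply class the gateway gives for RCPT TO:<address> at time now."""
        seen = self.last_ok.get(address)
        if seen is not None and now - seen >= self.expire:
            del self.last_ok[address]       # positive entry expired
            seen = None
        if seen is None:                    # nothing cached: probe decides
            if self.probe(address, now):
                self.last_ok[address] = now
                return "2xx"
            return "5xx"
        if now - seen >= self.refresh and self.probe(address, now):
            self.last_ok[address] = now     # successful refresh restarts the clock
        # A failed refresh probe leaves the positive entry untouched
        # (optimistic caching), so the stale address is still accepted.
        return "2xx"


def first_rejection_day(deleted_day, expire_days=31, refresh_days=7,
                        flush_day=None, horizon=120):
    """One message per day to a mailbox deleted downstream on deleted_day.
    Returns the first day the gateway answers 5xx, or None within horizon."""
    cache = VerifyCache(lambda addr, now: now < deleted_day * DAY,
                        expire_days, refresh_days)
    for day in range(horizon):
        if day == flush_day:
            cache.flush()
        if cache.rcpt("user@example.test", day * DAY) == "5xx":
            return day
    return None
```

With the mailbox deleted on day 10, the model first answers 5xx on day 38 with the defaults, on day 12 with a 3-day expiry and 1-day refresh, and on day 10 when the cache is discarded that same day.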
 
