nginx mailing-list and sender filtering (vs BATV)
nginx+phil at spodhuis.org
Fri Mar 1 20:59:59 UTC 2013
On 2013-03-01 at 17:12 +0400, Maxim Dounin wrote:
> On Fri, Mar 01, 2013 at 03:22:51AM -0500, Phil Pennock wrote:
> > PS: nginx mail-server configuration is broken; it's checking SMTP Envelope
> > Sender against the subscription list, not the RFC5322.From: header, so
> > breaks on things such as PRVS. Posting via manual injection to your
> > mail-server. :(
> Unfortunately, there is no way to properly reject messages at SMTP
> level (i.e. to avoid sending bounces) and doing checks based on
> message headers at the same time.
> If you use different envelope from and message from addresses and
> have problems with posting - just subscribe your envelope from
> address to the mailing list with mail delivery disabled.
I understand the problem you're fighting here, and why you're doing this
at SMTP RCPT time, since Mailman doesn't have content scanning hooks to
check if the message should be allowed based on the message headers.
You can do these checks safely enough, but it requires more caution.
When violating normal SMTP expectations by making a RCPT appear to only
exist for certain MAIL FROM senders, it's important to understand
variations in senders at SMTP time: the checks you're doing are not the
same as the membership tests done by Mailman itself, which looks at the
I did the same thing as you, for expediency and to avoid forking yet
more extra processes for scanning, but I made sure that the form of the
address being checked for membership has had VERP and BATV variations
stripped out first, to check a _normalized_ address against the Mailman
BATV changes the SMTP Envelope Sender, with a crypto-hash embedded in
the address, and a secret and a daily timestamp going into the hash
inputs, so that if all messages _from_ a domain are sent with BATV, then
bounces inherently *must* be to BATV targets if they're legitimate.
This is the only tool that prevents joe-job backscatter from flooding
So that's a non-standard address-existence test breaking when exposed to
an address variation that does have an Internic draft, albeit expired.
I've sucked it up and configured up an exception mechanism, adding this
mailing-list to that, accepting that any time I enable the backscatter
filter, I'll lose bounce messages from this list to me, with rejections
dropping into a blackhole. That's got a lower risk of being triggered
than a joe-job (unfortunately) (and this varies depending on your
involvement with email infrastructure and how much spammers dislike
Next time you're touching your mailserver setup, could you please take a
look at adding a canonicalisation step to the addresses being checked
against list membership?
More information about the nginx