Indirect Postfix bounces create new user directories
- by hheimbuerger
I'm running Postfix on my personal server in a data centre. I am not a professional mail hoster and not a Postfix expert; it is just used for a few domains served from that server.
IIRC, I mostly followed this howto when setting up Postfix. Mails addressed to one of the domains the server manages are delivered locally (/srv/mail) to be fetched with Dovecot. Mails to other domains require usage of SMTPS. The mailbox configuration is stored in MySQL.
The problem I have is that I suddenly found new mailboxes being created on the disk. Let's say I have the domain 'example.com'. Then I would have lots of new directories, e.g.
/srv/mail/example.com/abenaackart
/srv/mail/example.com/abenaacton
etc.
There are no entries for these addresses in my database, neither as a mailbox nor as an alias.
It's clearly spam from auto-generated names. Most of them start with 'a', a few with 'b' and a couple of random ones with other letters. At first I was afraid of an attack, but all security restrictions seem to work. If I try to send mail to these addresses, I get a "Recipient address rejected: User unknown in virtual mailbox table" during the 'RCPT TO' stage.
So I looked into the mails stored in these mailboxes. Turns out that all of them are bounces. It seems like all of them were sent from a randomly generated name to an alias that really exists on my system, but pointed to an invalid destination address on another host. So Postfix accepted it, then tried to redirect it to another mail server, which rejected it. This bounced back to my Postfix server, which now took the bounce and stored it locally -- because it seemed to be originating from one of the addresses it manages.
Example:
My Postfix server handles the example.com domain.
[email protected] is configured to redirect to [email protected].
[email protected] has since been deleted from the Hotmail servers.
Spammer sends mail with FROM:[email protected] and TO:[email protected].
My Postfix server accepts the mail and tries to hand it off to hotmail.com.
hotmail.com sends a bounce back.
My Postfix server accepts the bounce and delivers it to /srv/mail/example.com/bob.
The last step is what I don't want. I'm not quite sure what it should do instead, but creating hundreds of new mailboxes on my disk is not what I want...
Any ideas how to get rid of this behaviour? I'll happily post parts of my configuration, but I'm not really sure where to start debugging the problem at this point.
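An added example, not part of the original post: one way to start the diagnosis is to list the directories under the mail root that have no mailbox entry and count how many of their messages are bounces (null envelope sender, stored as `Return-Path: <>`). It assumes a Maildir layout (`new/`, `cur/`) under `<root>/<domain>/<user>` and a set of valid addresses exported from the mailbox table; the function names, `realuser` and the sample messages are constructed for illustration.

```python
import email
import tempfile
from pathlib import Path


def is_bounce(path):
    """A bounce carries the null envelope sender, recorded as 'Return-Path: <>'."""
    with open(path, "rb") as fh:
        msg = email.message_from_binary_file(fh)
    return str(msg.get("Return-Path", "")).strip() == "<>"


def audit(mail_root, known_mailboxes):
    """Map each directory without a mailbox entry to (bounces, other mail)."""
    report = {}
    for user_dir in sorted(Path(mail_root).glob("*/*")):
        address = f"{user_dir.name}@{user_dir.parent.name}"
        if not user_dir.is_dir() or address in known_mailboxes:
            continue
        # Assumption: Maildir layout, messages live in new/ and cur/.
        files = [f for sub in ("new", "cur") if (user_dir / sub).is_dir()
                 for f in (user_dir / sub).iterdir() if f.is_file()]
        bounces = sum(is_bounce(f) for f in files)
        report[address] = (bounces, len(files) - bounces)
    return report


def demo():
    """Run the audit over a constructed tree (not data from the post)."""
    bounce = b"Return-Path: <>\nSubject: Undelivered Mail Returned to Sender\n\nbody\n"
    normal = b"Return-Path: <carol@example.org>\nSubject: hello\n\nbody\n"
    with tempfile.TemporaryDirectory() as root:
        for user, messages in {"abenaackart": [bounce, bounce],
                               "abenaacton": [bounce, normal],
                               "realuser": [normal]}.items():
            new = Path(root, "example.com", user, "new")
            new.mkdir(parents=True)
            for i, raw in enumerate(messages):
                (new / f"msg{i}").write_bytes(raw)
        # On a real server this set comes from an export of the mailbox table.
        return audit(root, {"realuser@example.com"})


if __name__ == "__main__":
    for address, (bounces, other) in demo().items():
        print(f"{address}: {bounces} bounce(s), {other} other message(s)")
```

A directory that reports only bounces and no other mail matches the pattern described in the post; one that also holds non-bounce mail needs a closer look before it is removed.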