From 45743fcc30ad310da0ef306d6319face3604ac4d Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Mon, 15 May 2017 23:31:13 +0200
Subject: Use blackhole subdomain for sender addresses of verify probes.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These addresses need to be accepted on the MX:es, as recipients
sometimes phone back during the SMTP session to check whether the sender
exists.

Since a time-dependent suffix is added to the local part (cf.
http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's
not enough to drop incoming mails to ‘double-bounce@fripost.org’, and
it's impractical to do the same for /^double-bounce.*@fripost\.org$/.
---
 roles/MSA/templates/etc/postfix/main.cf.j2             | 2 +-
 roles/MX/files/etc/postfix/virtual/reserved_alias.pcre | 3 +--
 roles/out/templates/etc/postfix/main.cf.j2             | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)

(limited to 'roles')

diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index cbd5264..f5f0834 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -80,7 +80,7 @@ strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
-address_verify_sender            = $double_bounce_sender@$mydomain
+address_verify_sender            = $double_bounce_sender@noreply.$mydomain
 address_verify_sender_ttl        = 24h
 unverified_recipient_defer_code  = 250
 unverified_recipient_reject_code = 550
diff --git a/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre b/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre
index 9fe60c8..eb17d65 100644
--- a/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre
+++ b/roles/MX/files/etc/postfix/virtual/reserved_alias.pcre
@@ -2,5 +2,4 @@
 # For other domains, RFC 822 section 6.3 and RFC 2142 section 4
 # mandatory aliases are forwarded to OUR admin team and to the domain
 # owner or postmaster, if there are any.
-/^(postmaster|abuse)(?:\+.*)?@(.*)/             $2/$1@reserved.fripost.org
-/^(double-bounce)(?:\+.*)?@(.*)/                $2/$1@discard.fripost.org
+/^(postmaster|abuse)(?:\+.*)?@(.*)/     $2/$1@reserved.fripost.org
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index 235b866..2ba0a34 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -57,7 +57,7 @@ strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
-address_verify_sender            = $double_bounce_sender@$mydomain
+address_verify_sender            = $double_bounce_sender@noreply.$mydomain
 address_verify_sender_ttl        = 24h
 unverified_recipient_defer_code  = 250
 unverified_recipient_reject_code = 550
-- 
cgit v1.2.3