summaryrefslogtreecommitdiffstats
path: root/README_FILES/DSN_README
blob: efd7f4c113893493a6e54832ea230bbb8015b21a (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

PPoossttffiixx DDSSNN SSuuppppoorrtt

-------------------------------------------------------------------------------

IInnttrroodduuccttiioonn

Postfix version 2.3 introduces support for Delivery Status Notifications as
described in RFC 3464. This gives senders control over successful and failed
delivery notifications.

Specifically, DSN support gives an email sender the ability to specify:

  * What notifications are sent: success, failure, delay, or none. Normally,
    Postfix informs the sender only when mail delivery is delayed or when
    delivery fails.

  * What content is returned in case of failure: only the message headers, or
    the full message.

  * An envelope ID that is returned as part of delivery status notifications.
    This identifies the message submission transaction, and must not be
    confused with the message ID, which identifies the message content.

The implementation of DSN support involves extra parameters to the SMTP MAIL
FROM and RCPT TO commands, as well as two Postfix sendmail command line options
that provide a sub-set of the functions of the extra SMTP command parameters.

This document has information on the following topics:

  * Restricting the scope of "success" notifications
  * Postfix sendmail command-line interface
  * Postfix VERP support compatibility

RReessttrriiccttiinngg tthhee ssccooppee ooff ""ssuucccceessss"" nnoottiiffiiccaattiioonnss

Just like reports of undeliverable mail, DSN reports of successful delivery can
give away more information about the internal infrastructure than desirable.
Unfortunately, disallowing "success" notification requests requires disallowing
other DSN requests as well. The RFCs do not offer the option to negotiate
feature subsets.

This is not as bad as it sounds. When you turn off DSN for remote inbound mail,
remote senders with DSN support will still be informed that their mail reached
your Postfix gateway successfully; they just will not get successful delivery
notices from your internal systems. Remote senders lose very little: they can
no longer specify how Postfix should report delayed or failed delivery.

Use the smtpd_discard_ehlo_keyword_address_maps feature if you wish to allow
DSN requests from trusted clients but not from random strangers (see below for
how to turn this off for all clients):

    /etc/postfix/main.cf:
        smtpd_discard_ehlo_keyword_address_maps =
            cidr:/etc/postfix/esmtp_access

    /etc/postfix/esmtp_access:
        # Allow DSN requests from local subnet only
        192.168.0.0/28      silent-discard
        0.0.0.0/0           silent-discard, dsn
        ::/0                silent-discard, dsn

If you want to disallow all use of DSN requests from the network, use the
smtpd_discard_ehlo_keywords feature:

    /etc/postfix/main.cf:
        smtpd_discard_ehlo_keywords = silent-discard, dsn

PPoossttffiixx sseennddmmaaiill ccoommmmaanndd--lliinnee iinntteerrffaaccee

Postfix has two Sendmail-compatible command-line options for DSN support.

  * The first option specifies what notifications are sent for mail that is
    submitted via the Postfix sendmail(1) command line:

        $ sseennddmmaaiill --NN ssuucccceessss,,ddeellaayy,,ffaaiilluurree ...... (one or more of these)
        $ sseennddmmaaiill --NN nneevveerr ......                 (or just this by itself)

    The built-in default corresponds with "delay,failure".

  * The second option specifies an envelope ID which is reported in delivery
    status notifications for mail that is submitted via the Postfix sendmail(1)
    command line:

        $ sseennddmmaaiill --VV eennvveellooppee--iidd ......

    Note: this conflicts with VERP support in older Postfix versions, as
    discussed in the next section.

PPoossttffiixx VVEERRPP ssuuppppoorrtt ccoommppaattiibbiilliittyy

With Postfix versions before 2.3, the sendmail(1) command uses the -V command-
line option to request VERP-style delivery. In order to request VERP style
delivery with Postfix 2.3 and later, you must specify -XV instead of -V.

The Postfix 2.3 sendmail(1) command will recognize if you try to use -V for
VERP-style delivery. It will do the right thing and will remind you of the new
syntax.
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-04 07:24:44 +0000