Always accept postmaster email for virtual domains

[rimas-kudelis]

I wonder what currently happens if we accept an e-mail to postmaster for a virtual domain which doesn't have a postmaster mailbox/forward. When I fix #218, we'll probably start rejecting such e-mails instead. Since RFC's require us to have such address, I'm thinking what options we have.

1. We could create the postmaster address automatically, and not allow deleting it. This would however make it impossible to turn it into a forward using conventional means.
2. We could redirect all our postmaster email to the main postmaster address on localhost, or at least fall back to that.
3. We could test if the postmaster address exists when domain admin logs in, and if it doesn't, display a big fat red warning on top of the page. This would act as a reminder, but wouldn't be strictly enforcing. Although we could also disallow creation of any other mailboxes/aliases until postmaster is created.
4. Combine 3 and 2 ?

[Udera]

Is there a problem keeping a postmaster account? You can even forward mails to other addresses if you want. This way we would not need to check anything in exim or forward mails to an admin account in case no postmaster is defined.

A fallback to the localhost is not so good either because some people only use virtual domains and may not check localhost-mails.

On 2016-09-15 15:55, Rimas Kudelis wrote:

I wonder what currently happens if we accept an e-mail to postmaster for a virtual domain which doesn't have a postmaster mailbox/forward. When I fix #218 [1], we'll probably start rejecting such e-mails instead. Since RFC's require us to have such address, I'm thinking what options we have.

• We could create the postmaster address automatically, and not allow deleting it. This would however make it impossible to turn it into a forward using conventional means.
• We could redirect all our postmaster email to the main postmaster address on localhost, or at least fall back to that.
• We could test if the postmaster address exists when domain admin logs in, and if it doesn't, display a big fat red warning on top of the page. This would act as a reminder, but wouldn't be strictly enforcing. Although we could also disallow creation of any other mailboxes/aliases until postmaster is created.
• Combine 3 and 2 ?

You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub [2], or mute the thread [3].

*

Links:

[1] https://github.com/vexim/vexim2/issues/218 [2] https://github.com/vexim/vexim2/issues/228 [3] https://github.com/notifications/unsubscribe-auth/AGCFFKor-S86_yHDEoChSZFIKoqJPIDAks5qqU41gaJpZM4J95cJ

[rimas-kudelis]

The problem is that the postmaster account can be deleted and not re-created.

[Udera]

I understand the initial issue and we need to do something about it. I was only thinking if there might be a legitimate reason to delete the account and use a simple forwarder instead (you can forward mail from an account as well).

On 2016-09-15 17:25, Rimas Kudelis wrote:

On 2016 m. rugsėjis 15 d. 18:16:42 EEST, Udera notifications@github.com wrote:

Is there a problem keeping a postmaster account? You can even forward

mails to other addresses if you want. This way we would not need to check anything in exim or forward mails to an admin account in case no postmaster is defined.

A fallback to the localhost is not so good either because some people

only use virtual domains and may not check localhost-mails.

On 2016-09-15 15:55, Rimas Kudelis wrote:

I wonder what currently happens if we accept an e-mail to postmaster for a virtual domain which doesn't have a postmaster mailbox/forward. When I fix #218 [1], we'll probably start rejecting such e-mails instead. Since RFC's require us to have such address, I'm thinking what options we have.

• We could create the postmaster address automatically, and not allow deleting it. This would however make it impossible to turn it into a forward using conventional means.
• We could redirect all our postmaster email to the main postmaster address on localhost, or at least fall back to that.
• We could test if the postmaster address exists when domain admin logs in, and if it doesn't, display a big fat red warning on top of the page. This would act as a reminder, but wouldn't be strictly enforcing. Although we could also disallow creation of any other mailboxes/aliases until postmaster is created.
• Combine 3 and 2 ?

You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub [2], or mute the thread [3].

*

Links:

[1] https://github.com/vexim/vexim2/issues/218 [2] https://github.com/vexim/vexim2/issues/228 [3]

https://github.com/notifications/unsubscribe-auth/AGCFFKor-S86_yHDEoChSZFIKoqJPIDAks5qqU41gaJpZM4J95cJ

You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub: https://github.com/vexim/vexim2/issues/228#issuecomment-247358374

The problem is that the postmaster account can be deleted and not

re-created.

Rimas Sent from a mobile phone, please excuse potential typos in this message

You are receiving this because you commented. Reply to this email directly, view it on GitHub [1], or mute the thread [2].

*

Links:

[1] https://github.com/vexim/vexim2/issues/228#issuecomment-247360956 [2] https://github.com/notifications/unsubscribe-auth/AGCFFOCgvBThY1W4LF0pPfBLZhj71wWiks5qqWNygaJpZM4J95cJ

[rimas-kudelis]

Of course, wanting to re-create the account as an alias is a valid reason. That's why I don't want to just block deleting it. :-)

[Udera]

Why is it a valid reason. What can the redirect do what a real account cannot? You can forward mails to different addresses without keeping a local copy.

On 2016-09-15 18:10, Rimas Kudelis wrote:

On 2016 m. rugsėjis 15 d. 18:55:33 EEST, Udera notifications@github.com wrote:

I understand the initial issue and we need to do something about it. I was only thinking if there might be a legitimate reason to delete the

account and use a simple forwarder instead (you can forward mail from an account as well).

On 2016-09-15 17:25, Rimas Kudelis wrote:

On 2016 m. rugsėjis 15 d. 18:16:42 EEST, Udera notifications@github.com wrote:

Is there a problem keeping a postmaster account? You can even forward

mails to other addresses if you want. This way we would not need to check anything in exim or forward mails to an admin account in case no postmaster is defined.

A fallback to the localhost is not so good either because some people

only use virtual domains and may not check localhost-mails.

On 2016-09-15 15:55, Rimas Kudelis wrote:

I wonder what currently happens if we accept an e-mail to postmaster for a virtual domain which doesn't have a postmaster mailbox/forward. When I fix #218 [1], we'll probably start rejecting such e-mails instead. Since RFC's require us to have such address, I'm thinking what options we have.

• We could create the postmaster address automatically, and not allow deleting it. This would however make it impossible to turn it into a forward using conventional means.
• We could redirect all our postmaster email to the main postmaster address on localhost, or at least fall back to that.
• We could test if the postmaster address exists when domain admin logs in, and if it doesn't, display a big fat red warning on top of the page. This would act as a reminder, but wouldn't be strictly enforcing. Although we could also disallow creation of any other mailboxes/aliases until postmaster is created.
• Combine 3 and 2 ?

You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub [2], or mute the thread [3].

*

Links:

[1] https://github.com/vexim/vexim2/issues/218 [2] https://github.com/vexim/vexim2/issues/228 [3]

https://github.com/notifications/unsubscribe-auth/AGCFFKor-S86_yHDEoChSZFIKoqJPIDAks5qqU41gaJpZM4J95cJ

You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub: https://github.com/vexim/vexim2/issues/228#issuecomment-247358374

The problem is that the postmaster account can be deleted and not

re-created.

Rimas Sent from a mobile phone, please excuse potential typos in this message

You are receiving this because you commented. Reply to this email directly, view it on GitHub [1], or mute the thread [2].

*

Links:

[1] https://github.com/vexim/vexim2/issues/228#issuecomment-247360956 [2]

https://github.com/notifications/unsubscribe-auth/AGCFFOCgvBThY1W4LF0pPfBLZhj71wWiks5qqWNygaJpZM4J95cJ

You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub: https://github.com/vexim/vexim2/issues/228#issuecomment-247369950

Of course, wanting to re-create the account as an alias is a valid

reason. That's why I don't want to just block deleting it. :-)

Rimas Sent from a mobile phone, please excuse potential typos in this message

You are receiving this because you commented. Reply to this email directly, view it on GitHub [1], or mute the thread [2].

*

Links:

[1] https://github.com/vexim/vexim2/issues/228#issuecomment-247374179 [2] https://github.com/notifications/unsubscribe-auth/AGCFFHejPMlR4dkUpOcc6-NOc_c2iLeOks5qqW31gaJpZM4J95cJ

[rimas-kudelis]

OK, I misunderstood your comments. I didn't think about this. Indeed, even a conventional account can act as a forward. Should we block deleting postmasters then?

[Udera]

Should we block deleting postmasters then?

Yes, it's probably the easiest. How do we handle migrated setups that already deleted the postmaster account? Just create it, or enforce it in some way?

[rimas-kudelis]

This is almost the same question as what I asked initially. :) If we choose to just nag the admins, then there's no reason not to allow deleting that account and creating it anew. Creating the account automatically is an interesting idea. When and how would you do that?

[Udera]

I would do a postmaster-check after the login of a domain-admin. It checks if there is either

• postmaster-account
• postmaster-redirect
• catchall-account

If there isn't, it either

• redirects you to the adminuseradd to create a postmaster@yourdomain
• directly creates the account with a random password (just use the sql-insert from adminuseraddsubmit)

I tend to use the second option because it doesn't disturb the admin so much (if you only want to reset a password for a user, you don't want to deal with such stuff). However, we risk that the new postmaster-account will not be noticed.

[rimas-kudelis]

We could also create postmaster as an alias to this current admin account.

But I'm not sure if any of that is the best approach, because you never know when the admin is about to log in, and this doesn't ensure that postmaster will be available when necessary.

Maybe a yet another option would be to create a new router which would deliver postmaster e-mails to all admins of the affected domain? It will only be reached when explicit postmaster account doesn't exist, so seems like quite an elegant solution to me. This way we would also not have to block deletion and creation of postmaster account in the UI.

Of course it's possible for a domain to have no admins at all, but highly unlikely.

[Udera]

Maybe a yet another option would be to create a new router which would deliver postmaster e-mails to all admins of the affected domain? It will only be reached when explicit postmaster account doesn't exist, so seems like quite an elegant solution to me. This way we would also not have to block deletion and creation of postmaster account in the UI.

That would be we just put a router in the end of the router list in exim, which selects all admin from the specific domain? Perhaps better than force a creation or doing such stuff. However, for new setups I would prefer the postmaster to be undeletable. So people see that there is something special about this address and that they can't remove it, was done on purpose. If you delete the postmaster-address and you still receive mails, could take some time to figure out what's happening and why.

[rimas-kudelis]

We could say that postmaster emails will now be forwarded to all admin accounts upon postmaster deletion.

[runout-at]

i think blocking deletion of the postmaster account is a good idea, as this account is a minimum requirement by rfc5321: https://tools.ietf.org/html/rfc5321#section-4.5.1 https://tools.ietf.org/html/rfc5321#section-3.1

If somebody doesn't like to have a postmaster account, he/she should think about running a mail server at all...

[Udera]

I have prepared a fix for this issue: https://github.com/vexim/vexim2/pull/248

[rimas-kudelis]

I think postmaster deletion should be allowed after all. The RFC requires that the email to postmaster must be accepted, it doesn't say anything about the specific implementation. Thus, I think the fallback router is a safeguard good enough.

If neither a specific postmaster account, nor a catchall address exists, we could also inform logged in admins that all email to postmaster is being automatically forwarded to all domain admins.

Now, about that patch: does the new router actually end up being used? If so, is it being used only for postmaster account?

[Udera]

I think postmaster deletion should be allowed after all. The RFC requires that the email to postmaster must be accepted, it doesn't say anything about the specific implementation. Thus, I think the fallback router is a safeguard good enough.

It would be much easier on the web-interface because we don't need to check for the existence of such an account (mailbox or forward or catchall). And to handle all cases could be complicated.

Now, about that patch: does the new router actually end up being used? If so, is it being used only for postmaster account?

Oh, I didn't check the username to be postmaster. I wanted to do that but forgot it in the end and certainly didn't test it properly :fearful: