Messaging Gateway

  • 1.  BG 8 Invalid Recipient Handling

    Posted Mar 18, 2009 12:30 PM

    I have a Brightmail Gateway 8 configuration that is set up to do LDAP sync and Invalid Recipient Handling set up for "Reject invalid recipients".  This configuration seems to abort invalid recipient emails, not produce an NDR to the sender.  Is this the behavior that is expected?  I would have thought that "Drop invalid recipients" would have done this and reject would have produced an NDR.

    Let me know.  Thanks!



  • 2.  RE: BG 8 Invalid Recipient Handling

    Posted Mar 18, 2009 02:07 PM

    This happens during the rcpt to: in the SMTP conversation. The destination relay returns a 550 error to the sending relay and ends the conversation before the data part. This does not generate a separate NDR email to be delivered. The sending MTA should report back to its user that there was an error.

    It may look something like this error from Gmail's relays when sending to my relays with an invalid address:

    This is an automatically generated Delivery Status Notification

    Delivery to the following recipient failed permanently:

        3rre@mydomain.com

    Technical details of permanent failure:
    Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 Recipient address rejected: User unknown (state 14).

     

    Make sure you also have recipient validation turned on in the local domain in protocols.



  • 3.  RE: BG 8 Invalid Recipient Handling

    Posted Mar 18, 2009 02:08 PM

    Hi Matt,

    LDAP Synchronization only supports the option to drop invalid recipients. With LDAP Sync set up and drop invalid recipients enabled, when a message is sent to the Brightmail Gateway with invalid recipients, the message is accepted, scanned and then silently deleted without ever sending any kind of response back to the sending server.

    The other option you have, and the better option in my opinion, is to create a Recipient Validation LDAP source and then enable the ability to reject messages to invalid recipients. With reject messages to invalid recipients enabled, when the sending SMTP server connects and tries to send messages to invalid recipients, it will be sent a 'user does not exist' error.  In this case we never need to accept or scan the message and therefore save lots of resources, and the sending SMTP server is aware of the problem.

    The one issue with using reject is that it opens your address space up to directory harvest attackers as they'll know when they've sent to a valid sender as they won't receive an error.  To combat this you should enable the Directory Harvest Attack functionality.

     

    Kevin



  • 4.  RE: BG 8 Invalid Recipient Handling

    Posted Mar 18, 2009 03:14 PM

    Just to comment further here, what JustNetGuy says is spot on in that when rejecting messages to invalid recipients, we send the rejection error back to the sending smtp server at connection time and the sending smtp would be responsible for bouncing the message to another SMTP server, or sending an NDR to the original sender.

    If you are using LDAP Sync and dropping messages to invalid recipients, which I suspect you may be doing, then the SBG will silently accept and then delete the message and the sending SMTP server wouldn't be aware of what happened and therefore couldn't send an NDR.

    Kevin
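
The directory harvest concern raised in reply 3 can be monitored from the gateway's SMTP logs. The following is an added example, not part of the thread and not the product's Directory Harvest Attack feature: it flags clients whose RCPT TO attempts inside a sliding window are mostly 550 rejections. The log format, thresholds and function names are assumptions, and events are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; this log format is an assumption for the example,
# not the format written by any particular gateway.
SAMPLE_LOG = """\
2009-03-18T14:00:01 client=203.0.113.7 rcpt=<aaron@example.com> reply=550
2009-03-18T14:00:02 client=203.0.113.7 rcpt=<abby@example.com> reply=550
2009-03-18T14:00:02 client=198.51.100.20 rcpt=<matt@example.com> reply=250
2009-03-18T14:00:03 client=203.0.113.7 rcpt=<adam@example.com> reply=250
2009-03-18T14:00:04 client=203.0.113.7 rcpt=<adele@example.com> reply=550
2009-03-18T14:00:05 client=198.51.100.20 rcpt=<mat@example.com> reply=550
2009-03-18T14:00:06 client=203.0.113.7 rcpt=<alan@example.com> reply=550
2009-03-18T14:00:07 client=203.0.113.7 rcpt=<alex@example.com> reply=550
2009-03-18T14:05:00 client=198.51.100.20 rcpt=<kevin@example.com> reply=250
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) rcpt=<([^>]*)> reply=(\d{3})$")

def parse(text):
    """Yield (timestamp, client_ip, rejected) for each well-formed RCPT line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than raising
            ts, client, _rcpt, code = m.groups()
            yield datetime.fromisoformat(ts), client, code == "550"

def detect_harvest(events, window=timedelta(seconds=60),
                   min_attempts=5, min_reject_ratio=0.8):
    """Return {client: (attempts, rejects)} for clients whose RCPT TO attempts
    inside a sliding window are mostly 550 'user unknown' rejections."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, rejected)
    flagged = {}
    for ts, client, rejected in events:
        q = recent[client]
        q.append((ts, rejected))
        while ts - q[0][0] > window:      # expire attempts outside the window
            q.popleft()
        rejects = sum(1 for _, r in q if r)
        if (client not in flagged and len(q) >= min_attempts
                and rejects / len(q) >= min_reject_ratio):
            flagged[client] = (len(q), rejects)
    return flagged

if __name__ == "__main__":
    for ip, (n, bad) in detect_harvest(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {bad}/{n} RCPT TO rejected within window")
```

A sender with a single mistyped address stays below the attempt threshold, so only the client probing many addresses in a short span is reported.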