IamCraig.com

May, 2012:

Block outbound email to a specific domain with qmail

With Sendmail, I can block all email from a sending domain to the server in question, and all email to a foreign domain, using the /etc/mail/access file. However, apparently, it’s not so simple with qmail. Further complicating my need to prevent all users on one of my systems (which uses qmail) from sending email to certain domains is the fact that the system also uses Plesk, so I didn’t really want to start messing around with patching qmail and risk breaking something to do with Plesk.

After a fair bit of research I settled on a workaround using /var/qmail/control/smtproutes to route email sent to those domains from my qmail system to another mail server under my control, where the messages are rejected during the SMTP dialogue (because that server is not configured to accept mail for those domains, of course) and are therefore bounced immediately to the sender.

If /var/qmail/control/smtproutes doesn’t exist on your server (it is not created by a default qmail install) create it with the following line; if the file already exists, add the line to it. Each line has the form domain:relay, with no spaces:

bad-domain.com:mx.your-other-domain.com

The file should be owned by the same user and group, and have the same permissions, as the other configuration files in the “control” directory (compare with ls -l /var/qmail/control). No restart is needed: smtproutes is read by qmail-remote, which is started afresh for every remote delivery, so the new route takes effect for the next message.

In this example you want to stop users from sending email to bad-domain.com addresses, and you control an external mail server at mx.your-other-domain.com. When a user tries to send email to a bad-domain.com address, qmail-remote finds the entry in smtproutes, does not look up the MX record for bad-domain.com, and instead connects to mx.your-other-domain.com (on port 25, unless a port is given as a third colon-separated field, e.g. domain:relay:587). Because mx.your-other-domain.com is not configured to accept or relay email for bad-domain.com, it rejects the recipient during the SMTP dialogue and qmail bounces the message back to the sender. Two details matter in practice. First, the entry above matches bad-domain.com exactly; mail to a host under it, such as mail.bad-domain.com, would still be delivered normally. To cover subdomains as well, add a second entry whose domain starts with a dot (.bad-domain.com:mx.your-other-domain.com); qmail checks the exact domain first, then each dotted suffix, then a default entry with an empty domain (:relay) if one exists. Second, the bounce is immediate only if your other server answers with a permanent 5xx rejection; a 4xx temporary failure would leave the message in qmail’s queue to be retried until it expires (a week by default).

Caution: DO NOT route email to a mail server that is not yours. This will likely be considered spam by that mail server’s administrator, and the IP address of your mail server will then likely be blocked and perhaps added to more widely-distributed blacklists. If you don’t control another mail server you could route the forbidden email to a non-existent domain. The safest choice is a name under .invalid (e.g. bogus.invalid), because RFC 2606 reserves that top-level domain and it will never be delegated; names such as no-such.domain or dev.null are merely undelegated today. Note that qmail only bounces immediately if the DNS lookup of the relay fails permanently (the name does not exist); a DNS timeout is treated as a temporary error and the message stays queued. To make the bounce message a little more helpful to the receiver (i.e., the original sender), perhaps make up a descriptive bogus name like “Sending-to-that-domain-is.prohibited” which, on some systems, will return a bounce message that might include text like this:

Sorry, I couldn’t find any host named Sending-to-that-domain-is.prohibited.

Do not use a non-existent domain on a real top-level domain (e.g., v539bq59vb45.com, or some other string of randomly-typed characters followed by a real TLD), because there is no guarantee that domain won’t be registered and used in the future. Avoid even a real domain of your own that you are not currently using (unless you set up a unique but descriptive sub-domain such as “this-is-a-bogus-mx-vb49w4.example.com”), as you may use it in the future and forget that you’re directing email to it. That could result in mail loops if you end up hosting the domain on the same mail server, or in being blacklisted if you host it with a third party or allow it to expire and it’s registered and used by someone else.
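The following is an added example, not part of the original post or of qmail itself. It is a small POSIX shell function that reproduces the lookup order qmail-remote applies to smtproutes (exact domain, then each dotted suffix from longest to shortest, then the empty default entry), so you can check which relay a recipient domain would be sent to before you rely on a blocking entry. The route lines are a constructed sample built to show the exact-match entry from this post, the leading-dot subdomain form, a bogus .invalid relay, a relay with a port, and an entry with an empty relay (which tells qmail to fall back to a normal MX lookup); the domain names are placeholders.

```shell
#!/bin/sh
# Constructed sample smtproutes content (placeholder names, not a real file).
# Format is domain:relay[:port]; a leading dot matches any host under the
# domain; an empty relay means "deliver via MX as usual".
SMTPROUTES_SAMPLE='bad-domain.com:mx.your-other-domain.com
.bad-domain.com:mx.your-other-domain.com
other-blocked.example:bogus.invalid
partner.example:smtp.partner.example:2525
passthrough.example:'

# Same sample plus a default entry (empty domain) that catches everything else.
SMTPROUTES_WITH_DEFAULT="$SMTPROUTES_SAMPLE
:smarthost.example"

# smtproute_lookup DOMAIN ROUTES
#   ROUTES is the text of an smtproutes file. Prints the relay (host or
#   host:port) qmail-remote would connect to, or "MX" when the domain would be
#   delivered via a normal MX lookup (no matching entry, or an empty relay).
smtproute_lookup() {
    domain=$1
    routes=$2
    candidate=$domain
    while :; do
        # Find the first line whose domain field equals the candidate; blank
        # lines are skipped. Print a "found:" marker so an empty relay can be
        # told apart from "no match".
        found=$(printf '%s\n' "$routes" | awk -F: -v d="$candidate" '
            /^[[:space:]]*$/ { next }
            $1 == d { r = $0; sub(/^[^:]*:/, "", r); print "found:" r; exit }')
        if [ -n "$found" ]; then
            relay=${found#found:}
            printf '%s\n' "${relay:-MX}"
            return 0
        fi
        # The empty candidate (default entry) was the last thing to try.
        [ -z "$candidate" ] && break
        # Move to the next shorter suffix, as qmail-remote does: it tries the
        # whole name, then the string starting at each dot, then "".
        rest=${candidate#.}
        case $rest in
            *.*) candidate=.${rest#*.} ;;
            *)   candidate= ;;
        esac
    done
    printf 'MX\n'
}

# smtproute_for DOMAIN [FILE]
#   Convenience wrapper that reads a real smtproutes file (default location).
smtproute_for() {
    file=${2:-/var/qmail/control/smtproutes}
    smtproute_lookup "$1" "$(cat "$file")"
}

# Demonstration against the constructed sample.
for d in bad-domain.com mail.bad-domain.com other-blocked.example \
         partner.example passthrough.example unrelated.example; do
    printf '%-28s -> %s\n' "$d" "$(smtproute_lookup "$d" "$SMTPROUTES_SAMPLE")"
done
printf '%-28s -> %s\n' "unrelated.example (default)" \
    "$(smtproute_lookup unrelated.example "$SMTPROUTES_WITH_DEFAULT")"
```

Run `smtproute_for sub.bad-domain.com` on the server itself to confirm that your blocking entry covers the host names your users actually send to; if it prints MX, only the exact domain is being caught and a leading-dot entry is needed as well.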

Anyway, since I have another mail server to use, I’m sticking with that to cause the messages to bounce back.

Some assistance in coming up with this idea came from this thread at boardreader.com.

Have a comment or a better idea? Let me know in the comments.

Oh, the irony

So there I was, surfing the Web looking for information related to ambulances in British Columbia, when I came across the BC Ambulance Service’s page on treatment guidelines. Being the curious type, I downloaded a PDF copy of said treatment guidelines to have a quick look.

But instead of a document about treatment guidelines, this is all that the 2.2 MB file displayed to me in my current PDF reader of choice:

For the best experience, open this PDF portfolio in Acrobat 9 or Adobe Reader 9, or later.

Now, given the size of the file and the fact that the size matches what is stated on the BCAS website, the content of the PDF is obviously there on my computer, but the BCAS (presumably) have (in their infinite wisdom) deemed that I can only “best experience” (excuse me while I throw up) their document in Acrobat Reader! This is indeed ironic, given that “PDF” stands for “portable document format” and, according to page 33 of Adobe’s own specification, “PDF is a file format for representing documents in a manner independent of the application software, hardware, and operating system used to create them and of the output device on which they are to be displayed or printed.” (It also reads, on page 25, “The goal of these products [Adobe Acrobat] is to enable users to exchange and view electronic documents easily and reliably, independently of the environment in which they were created.”)

So, apparently, the portable document format isn’t actually very portable.

I refuse to install Adobe Acrobat Reader on my primary machine. It is the poster child for “bloatware”; when all you want to do is have a quick look at a PDF document, or all you want to do is open a one-page document (like the invoices I prepare in my business), you have to load this behemoth of a program, wait and wait and wait some more while your hard disk grinds on forever, only to use one per cent of the program’s features (when it finally opens) and take less time to look at the document than it took to open it. And let’s not forget about the constant updates to the ninety-nine per cent of the application you don’t use, and Adobe’s habit of getting their sticky fingers into the very heart of your operating system. No thanks.

If Adobe produced a “light” version of Acrobat Reader (which is itself a light version of Acrobat, a program used to create PDFs) I’d consider using it. Until then I should at least acknowledge Adobe for making the portable document format an open standard, allowing me the choice to use other software to view PDFs.

And you, BC Ambulance Service? How about making your portable-document-format document portable? I don’t want to “experience” your document singing and dancing; I just want to read it. At least let me have a second-class “experience” in my chosen PDF reader. Thank you.


Update, 3 May 2012: Wouldn’t you know it. The day after I wrote this, Foxit Reader prompted me to install a security update. After the update I thought I’d see what happens when I open the same file. Lo and behold! It turns out that a “PDF portfolio” appears to be (as the name might suggest) a portfolio or collection of PDF documents in one container (file), and one needs to view the “attachments” to see and open the individual PDF documents. The original display (see above) certainly didn’t suggest that, and the inclusion of the Adobe logo made me believe that here I had a document created in Adobe Acrobat that refused to be displayed in non-Adobe PDF readers.

Turns out I was wrong. Not sure if I should blame Foxit Reader for not being more helpful, or if I should blame Adobe because a document created using their software (the document’s properties show that it was created by Adobe Acrobat) led me to the conclusions I made. I lean towards the former — if only because of the different behaviour of Foxit Reader after the update and the fact that the update appears to address this very issue — but I do presume that the wording displayed previously (the so-called “best experience”) comes from Adobe and their software, and so could be worded to be more helpful and less biased. Clearly though, Foxit Reader is now identifying the nature of the file and displaying its own message, something it should have done before.

Below are screen captures showing what I see now on opening the file, on viewing the attachment list, and on opening the attachments.