Avoid mail loop

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Avoid mail loop

egobrc@gmail.com
Hello everybody, I am using a Postfix mail relay to modify sender
addresses of emails coming from my company Office 365 cloud-hosted
domain: I configured a connector on Office 365 to route all emails to
Postfix.
Everything works perfectly, except for some recipient domains that are
also hosted on outlook.com domains. Every mail sent is bounced with
this error:

host xxx-xxx.mail.protection.outlook.com[X.X.X.X] said: 554 5.4.14 Hop
count exceeded - possible mail loop ATTR1
[xxx-xxx.prod.protection.outlook.com] (in reply to end of DATA
command)

This error does not appear for every email we send to other
*.outlook.com recipients, only for emails sent to domains that have
the same *.outlook.com server that we have: searching in Postfix logs,
i found that our emails are going out from 3 outlook.com servers, with
3 different IP addresses; I found the same and only 3 IP addresses in
error logs related to the bounce error. Here is an example:

mycompany-com.outlook.com [104.1.2.3] -> Postfix relay [54.1.2.3] ->
recipient_first-com.outlook.com [104.1.2.3] = Bounce error

mycompany-com.outlook.com [104.1.2.3] -> Postfix relay [54.1.2.3] ->
recipient_second-com.outlook.com [104.4.5.6] = mail sent correctly

I suppose that outlook.com considers email coming from the same IP
addres as a loop, and then blocks them. Is there a way in Postfix to
"mask" (?) source IP and avoid this loop? Do you have better ideas?
Reply | Threaded
Open this post in threaded view
|

Re: Avoid mail loop

Dusan Obradovic-2

> On Mar 18, 2020, at 11:45 AM, [hidden email] wrote:
>
> host xxx-xxx.mail.protection.outlook.com[X.X.X.X] said: 554 5.4.14 Hop
> count exceeded - possible mail loop ATTR1
> [xxx-xxx.prod.protection.outlook.com] (in reply to end of DATA
> command)
>

I suspect this is based on received headers.

> Is there a way in Postfix to
> "mask" (?) source IP and avoid this loop? Do you have better ideas?

Alternatively, You could remove some of the existing Received: headers with Postfix.
See http://www.postfix.org/header_checks.5.html

Reply | Threaded
Open this post in threaded view
|

Re: Avoid mail loop

Wietse Venema
Dusan Obradovic:

>
> > On Mar 18, 2020, at 11:45 AM, [hidden email] wrote:
> >
> > host xxx-xxx.mail.protection.outlook.com[X.X.X.X] said: 554 5.4.14 Hop
> > count exceeded - possible mail loop ATTR1
> > [xxx-xxx.prod.protection.outlook.com] (in reply to end of DATA
> > command)
> >
>
> I suspect this is based on received headers.
>
> > Is there a way in Postfix to
> > "mask" (?) source IP and avoid this loop? Do you have better ideas?
>
> Alternatively, You could remove some of the existing Received: headers with Postfix.
> See http://www.postfix.org/header_checks.5.html

That is a dangerous solution as it could cause mail to loop forever.

To find out if there actually is a hopcount problem, look for the
message ID of a looping message.  

Exmnple:

Mar 18 00:56:32 spike postfix/cleanup[71391]: 48hyS02vZDzJrNs: message-id=<[hidden email]>

The message ID is "[hidden email]".

If mail is really looping then you should see that message ID
going through your mail system repeatedly.

If mail is not really looping, then Microsoft may be reporting
a hopcount error for other reasons, and using a different
source IP address may help.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Avoid mail loop

egobrc@gmail.com
Thanks Dusan and Wietse, I searched in postfix log files and I can
confirm that looping emails have the same ID. "Normal" emails ID
appear in the log files a few times (depending on the number of
recipients I suppose), but looping emails appear many times:

14 times [hidden email]
14 times [hidden email]
14 times [hidden email]
16 times [hidden email]
17 times [hidden email]
18 times [hidden email]
20 times [hidden email]
20 times [hidden email]
22 times [hidden email]
32 times [hidden email]
34 times [hidden email]

I think I'll try with Dusan advice and let you know. Feel free to
suggest something else if comes to your mind.


Il giorno mer 18 mar 2020 alle ore 16:40 Wietse Venema
<[hidden email]> ha scritto:

>
> Dusan Obradovic:
> >
> > > On Mar 18, 2020, at 11:45 AM, [hidden email] wrote:
> > >
> > > host xxx-xxx.mail.protection.outlook.com[X.X.X.X] said: 554 5.4.14 Hop
> > > count exceeded - possible mail loop ATTR1
> > > [xxx-xxx.prod.protection.outlook.com] (in reply to end of DATA
> > > command)
> > >
> >
> > I suspect this is based on received headers.
> >
> > > Is there a way in Postfix to
> > > "mask" (?) source IP and avoid this loop? Do you have better ideas?
> >
> > Alternatively, You could remove some of the existing Received: headers with Postfix.
> > See http://www.postfix.org/header_checks.5.html
>
> That is a dangerous solution as it could cause mail to loop forever.
>
> To find out if there actually is a hopcount problem, look for the
> message ID of a looping message.
>
> Exmnple:
>
> Mar 18 00:56:32 spike postfix/cleanup[71391]: 48hyS02vZDzJrNs: message-id=<[hidden email]>
>
> The message ID is "[hidden email]".
>
> If mail is really looping then you should see that message ID
> going through your mail system repeatedly.
>
> If mail is not really looping, then Microsoft may be reporting
> a hopcount error for other reasons, and using a different
> source IP address may help.
>
>         Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Avoid mail loop

Wietse Venema
[hidden email]:
> Thanks Dusan and Wietse, I searched in postfix log files and I can
> confirm that looping emails have the same ID. "Normal" emails ID
> appear in the log files a few times (depending on the number of
> recipients I suppose), but looping emails appear many times:
>
> 14 times [hidden email]
> 14 times [hidden email]
> 14 times [hidden email]

That proves that email is really going back and forth between
your site and Microsoft.

> I think I'll try with Dusan advice and let you know. Feel free to
> suggest something else if comes to your mind.

DO NOT STRIP Received: headers. THAT WOULD BE A HUGE MISTAKE.

Tweaking your IP address won't fix the forwarding loop.

You have to fix the forwarding at your end or at Microsoft's end.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Avoid mail loop

egobrc@gmail.com
Got it, Wietse.
What do you mean with "fix the forwarding at your end"? Can I tweak
something different in Postfix?
Have a nice day.

Il giorno mer 18 mar 2020 alle ore 18:13 Wietse Venema
<[hidden email]> ha scritto:

>
> [hidden email]:
> > Thanks Dusan and Wietse, I searched in postfix log files and I can
> > confirm that looping emails have the same ID. "Normal" emails ID
> > appear in the log files a few times (depending on the number of
> > recipients I suppose), but looping emails appear many times:
> >
> > 14 times [hidden email]
> > 14 times [hidden email]
> > 14 times [hidden email]
>
> That proves that email is really going back and forth between
> your site and Microsoft.
>
> > I think I'll try with Dusan advice and let you know. Feel free to
> > suggest something else if comes to your mind.
>
> DO NOT STRIP Received: headers. THAT WOULD BE A HUGE MISTAKE.
>
> Tweaking your IP address won't fix the forwarding loop.
>
> You have to fix the forwarding at your end or at Microsoft's end.
>
>         Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Avoid mail loop

Wietse Venema
In reply to this post by Wietse Venema
> > 14 times [hidden email]
> > 14 times [hidden email]
> > 14 times [hidden email]
>
> That proves that email is really going back and forth between
> your site and Microsoft.
>
> > I think I'll try with Dusan advice and let you know. Feel free to
> > suggest something else if comes to your mind.
>
> DO NOT STRIP Received: headers. THAT WOULD BE A HUGE MISTAKE.

Where should the above email be delivered? MICROSOFT or POSTFIX?

- If this email should be delivered at MICROSOFT, configure MICROSOFT
  so that it does not forward this email to POSTFIX

- If this email should be delivered at POSTFIX, configure POSTFIX
  so that it does not forward this email to MICROSOFT.