See a double-bounce mail generated by my postfix

See a double-bounce mail generated by my postfix

Dominic Raferd
I would like to be able to see an example of a double-bounce message generated by my postfix (3.3.0) server. Can I get my postfix to send me (say to an unrelated external mailbox) a double-bounce message? Alternatively is there a way I can save, on the server, the double-bounce message as and when it sends it to a third party? (These messages are not saved locally by setting always_bcc.)

A concern I have is that qmgr records the double bounce message as coming from <> - which seems odd:

2018-08-08 08:04:41 vps344444 postfix/bounce[28259]: 059F147CEF: sender non-delivery notification: 0C89547CF1
2018-08-08 08:04:41 vps344444 postfix/qmgr[20724]: 059F147CEF: removed
2018-08-08 08:04:41 vps344444 postfix/qmgr[20724]: 0C89547CF1: from=<>, size=4973, nrcpt=1 (queue active)

Re: See a double-bounce mail generated by my postfix

Dominic Raferd


On Wed, 8 Aug 2018 at 07:39, Dominic Raferd <[hidden email]> wrote:
> I would like to be able to see an example of a double-bounce message generated by my postfix (3.3.0) server. Can I get my postfix to send me (say to an unrelated external mailbox) a double-bounce message? Alternatively is there a way I can save, on the server, the double-bounce message as and when it sends it to a third party? (These messages are not saved locally by setting always_bcc.)
>
> A concern I have is that qmgr records the double bounce message as coming from <> - which seems odd:
>
> 2018-08-08 08:04:41 vps344444 postfix/bounce[28259]: 059F147CEF: sender non-delivery notification: 0C89547CF1
> 2018-08-08 08:04:41 vps344444 postfix/qmgr[20724]: 059F147CEF: removed
> 2018-08-08 08:04:41 vps344444 postfix/qmgr[20724]: 0C89547CF1: from=<>, size=4973, nrcpt=1 (queue active)

Sorry I have now found an example of a bounce message so the original part of my question is no longer relevant.

The bounce message sender is indeed '<>', and the From header is 'MAILER-DAEMON@[mydomain]'. My problem with this is that although the message is DKIM-signed (by opendkim), it fails DMARC alignment because of the mismatch between sender and 'From:' header. The only related non-default settings I have are:

canonical_maps = hash:/etc/postfix/canonical inline:{$double_bounce_sender@$myhostname=double-bounce@$mydomain}

canonical:
<> root
www-data root
postfix root
root@localhost root

Maybe the inline table rewriting is not working? I would expect both the sender and the 'From:' header to be double_bounce@[mydomain]

Re: See a double-bounce mail generated by my postfix

Wietse Venema
Dominic Raferd:
> canonical:
> <> root

I don't know of any promise that canonical_maps will use <> as the
lookup key for the null address.

        Wietse

Re: See a double-bounce mail generated by my postfix

Dominic Raferd


On Wed, 8 Aug 2018 at 11:50, Wietse Venema <[hidden email]> wrote:
> Dominic Raferd:
> > canonical:
> > <> root
>
> I don't know of any promise that canonical_maps will use <> as the
> lookup key for the null address.

I will remove that, I put it there a long time ago when I knew (even) less about postfix. But I doubt it is the cause of my problem here?

Re: See a double-bounce mail generated by my postfix

Wietse Venema
Dominic Raferd:

> On Wed, 8 Aug 2018 at 11:50, Wietse Venema <[hidden email]> wrote:
>
> > Dominic Raferd:
> > > canonical:
> > > <> root
> >
> > I don't know of any promise that canonical_maps will use <> as the
> > lookup key for the null address.
> >
>
> I will remove that, I put it there a long time ago when I knew (even) less
> about postfix. But I doubt it is the cause of my problem here?

If you're referring to envelope.from versus header.from alignment
of bounce messages, then you may want to read RFC 7489 section
3.1.2, which in turn refers to RFC 7208 Section 2.4, which says:

   [RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
   [RFC5321]).  In this case, there is no explicit sender mailbox, and
   such a message can be assumed to be a notification message from the
   mail system itself.  WHEN THE REVERSE-PATH IS NULL, THIS DOCUMENT
   DEFINES THE "MAIL FROM" IDENTITY TO BE THE MAILBOX COMPOSED OF THE
   LOCAL-PART "POSTMASTER" AND THE "HELO" IDENTITY (WHICH MIGHT OR MIGHT
   NOT HAVE BEEN CHECKED SEPARATELY BEFORE).

(emphasis added by myself).

Thus, if you are concerned that your bounces are failing alignment
checks, then do not change the null address, instead, adjust your
HELO domain name such that it is aligned with the header.from.

Never have I expected that I would have to explain how to use SPF.

        Wietse

Re: See a double-bounce mail generated by my postfix

Dominic Raferd


On Wed, 8 Aug 2018 at 14:54, Wietse Venema <[hidden email]> wrote:
> Dominic Raferd:
> > On Wed, 8 Aug 2018 at 11:50, Wietse Venema <[hidden email]> wrote:
> >
> > > Dominic Raferd:
> > > > canonical:
> > > > <> root
> > >
> > > I don't know of any promise that canonical_maps will use <> as the
> > > lookup key for the null address.
> > >
> >
> > I will remove that, I put it there a long time ago when I knew (even) less
> > about postfix. But I doubt it is the cause of my problem here?
>
> If you're referring to envelope.from versus header.from alignment
> of bounce messages, then you may want to read RFC 7489 section
> 3.1.2, which in turn refers to RFC 7208 Section 2.4, which says:
>
>    [RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
>    [RFC5321]).  In this case, there is no explicit sender mailbox, and
>    such a message can be assumed to be a notification message from the
>    mail system itself.  WHEN THE REVERSE-PATH IS NULL, THIS DOCUMENT
>    DEFINES THE "MAIL FROM" IDENTITY TO BE THE MAILBOX COMPOSED OF THE
>    LOCAL-PART "POSTMASTER" AND THE "HELO" IDENTITY (WHICH MIGHT OR MIGHT
>    NOT HAVE BEEN CHECKED SEPARATELY BEFORE).
>
> (emphasis added by myself).
>
> Thus, if you are concerned that your bounces are failing alignment
> checks, then do not change the null address, instead, adjust your
> HELO domain name such that it is aligned with the header.from.

Thanks. This is interesting information, however already on my server $smtp_helo_name = $mydomain = $myhostname = $myorigin = domain name as shown in the header.from.

> Never have I expected that I would have to explain how to use SPF.

Thank you for the explanation, but my issue is not SPF alignment, it is DKIM alignment. So the relevant part of RFC7489 (thank you for the pointer) is 3.1.1 and DKIM alignment is about a match between the header.from (RFC5322.From) and the 'd=' field in the DKIM signature. (A missing DKIM signature is also reported as failed DKIM alignment - at least by my reporter.) 

A very few emails from this server, although passing SPF (and hence DMARC), fail DKIM alignment (I am not told which ones, only the weekly count). This will not prevent their delivery (unless the recipient server relays them to another server which does a DMARC check) but is unexpected and untidy. The null sender double bounce emails had seemed plausible culprits but I now realise they already meet (SPF and) DKIM alignment requirements, so I am thinking again; I have found 3 / 6 in the last week occurred during a server upgrade when opendkim was down. At any rate it does not seem to be a postfix-related issue so I will pipe down.
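
The alignment rules discussed in this thread, as an added example that is not part of any post and is not Postfix or opendkim code: for a null reverse-path the SPF identity domain is the HELO name (RFC 7208 section 2.4), while DKIM alignment compares each verified d= domain with the header From domain. The function names, the two-label organizational-domain shortcut and the example.org / hosting.example names are assumptions made for illustration.

```python
# Added example. Simplification (assumption): the organizational domain is the
# last two labels; a real DMARC evaluator consults the Public Suffix List.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b, strict=False):
    """Strict mode needs identical domains; relaxed mode compares org domains."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def spf_identity_domain(mail_from, helo):
    """RFC 7208 section 2.4: with a null reverse-path the MAIL FROM identity
    is postmaster@<HELO>, so the HELO name is the domain that must align."""
    addr = mail_from.strip("<>")
    return addr.rpartition("@")[2] if addr else helo

def dmarc_alignment(mail_from, helo, header_from, spf_pass, dkim_pass_domains,
                    aspf_strict=False, adkim_strict=False):
    """dkim_pass_domains: d= values of signatures that verified; empty when
    the message left unsigned (for example while the signer was down)."""
    from_domain = header_from.rpartition("@")[2]
    spf_ok = bool(spf_pass) and aligned(
        spf_identity_domain(mail_from, helo), from_domain, aspf_strict)
    dkim_ok = any(aligned(d, from_domain, adkim_strict)
                  for d in dkim_pass_domains)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

# Constructed cases; example.org stands in for $mydomain.
CASES = {
    "bounce, HELO aligned, signed":
        ("<>", "example.org", "MAILER-DAEMON@example.org", True, ["example.org"]),
    "bounce, HELO aligned, unsigned":
        ("<>", "example.org", "MAILER-DAEMON@example.org", True, []),
    "bounce, HELO unaligned, signed":
        ("<>", "vps.hosting.example", "MAILER-DAEMON@example.org", True, ["example.org"]),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(name, dmarc_alignment(*args))
```

The second case is the one a DMARC aggregate report counts as a DKIM alignment failure even though the message still passes DMARC through SPF.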