Strange rewrite

Strange rewrite

John M. Dlugosz-4
My log file shows:

Jun 21 19:41:35 LAMP4 postfix/smtpd[24985]: connect from sneakemail.com[38.113.6.61]
Jun 21 19:41:35 LAMP4 postfix/smtpd[24985]: EF847C8056: client=sneakemail.com[38.113.6.61]
Jun 21 19:41:36 LAMP4 postfix/cleanup[25146]: EF847C8056: message-id=<[hidden email]>
Jun 21 19:41:36 LAMP4 postfix/qmgr[24976]: EF847C8056: from=<[hidden email]>, size=715, nrcpt=1 (queue active)
Jun 21 19:41:36 LAMP4 postfix/local[25147]: EF847C8056: to=<[hidden email]>, relay=local, delay=0.31, delays=0.25/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
Jun 21 19:41:36 LAMP4 postfix/qmgr[24976]: EF847C8056: removed
Jun 21 19:41:36 LAMP4 postfix/smtpd[24985]: disconnect from sneakemail.com[38.113.6.61]

In particular, it shows "from=<[hidden email]>"
which I then see in the Return-Path header.  The problem is, the sender
insists that the "www" does not belong, that the ReturnPath and the From
have both been munged by prepending a 'www' by "my crazy postfix".

Since this string shows up in the log at this point, can that tell you
how early it got munged and thus where it might be being done?

Possibly relevant stuff from my main.cf file:

biff = no
append_dot_mydomain = no
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all

Re: Strange rewrite

Victor Duchovni
On Sat, Jun 21, 2008 at 11:45:47PM -0500, John M. Dlugosz wrote:

> Jun 21 19:41:35 LAMP4 postfix/smtpd[24985]: connect from sneakemail.com[38.113.6.61]
> Jun 21 19:41:35 LAMP4 postfix/smtpd[24985]: EF847C8056: client=sneakemail.com[38.113.6.61]
> Jun 21 19:41:36 LAMP4 postfix/cleanup[25146]: EF847C8056: message-id=<[hidden email]>
> Jun 21 19:41:36 LAMP4 postfix/qmgr[24976]: EF847C8056: from=<[hidden email]>, size=715, nrcpt=1 (queue active)
> Jun 21 19:41:36 LAMP4 postfix/local[25147]: EF847C8056: to=<[hidden email]>, relay=local, delay=0.31, delays=0.25/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
> Jun 21 19:41:36 LAMP4 postfix/qmgr[24976]: EF847C8056: removed
> Jun 21 19:41:36 LAMP4 postfix/smtpd[24985]: disconnect from sneakemail.com[38.113.6.61]
>
> In particular, it shows "from=<[hidden email]>"
> which I then see in the Return-Path header.  The problem is, the sender
> insists that the "www" does not belong, that the ReturnPath and the From
> have both been munged by prepending a 'www' by "my crazy postfix".

Some senders are clueless bozos. To prove this one wrong, capture the
original email delivery with tcpdump (full packets not just TCP headers).

> Since this string shows up in the log at this point, can that tell you
> how early it got munged and thus where it might be being done?

No such munging took place.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Strange rewrite

John M. Dlugosz-4
re: tcpdump:  I'm afraid that's over my head as yet.

Can you or someone say with authority that the line in the log file is
produced before any kind of rewriting takes place, so it's got to be
what was in the SMTP conversation?  Is there a verbose mode that can log
the SMTP conversation for review?

I'm not prepared to call him a clueless bozo just yet, to wit: this
problem (munged return address in a generated "verification" email that
I should just be able to hit reply to continue the process) has never
appeared before and it has been in use for years; he did send one to
himself and the message source looked fine in Thunderbird.

--John



Re: Strange rewrite

Victor Duchovni
On Sun, Jun 22, 2008 at 02:25:32AM -0500, John M. Dlugosz wrote:

> re: tcpdump:  I'm afraid that's over my head as yet.
>
> Can you or someone say with authority that the line in the log file is
> produced before any kind of rewriting takes place, so it's got to be
> what was in the SMTP conversation?  Is there a verbose mode that can log
> the SMTP conversation for review?

The sender address is logged after rewriting (canonical_maps and
masquerading), but you don't have that and prepending "www." is a most
unlikely rewrite for a remote address.

You could try "debug_peer_list = 38.113.6.61", and look for

        ": < \[38\.113\.6\.61\]: "

in the logs, this reports verbatim input from the remote SMTP client.

> I'm not prepared to call him a clueless bozo just yet, to wit: this
> problem (munged return address in a generated "verification" email that
> I should just be able to hit reply to continue the process) has never
> appeared before and it has been in use for years; he did send one to
> himself and the message source looked fine in Thunderbird.

--
        Viktor.

Re: Strange rewrite

Jorey Bump
John M. Dlugosz wrote, at 06/22/2008 03:25 AM:

> I'm not prepared to call him a clueless bozo just yet, to wit: this
> problem (munged return address in a generated "verification" email that
> I should just be able to hit reply to continue the process) has never
> appeared before and it has been in use for years; he did send one to
> himself and the message source looked fine in Thunderbird.

There's a very good chance that all of those emails are coming from a
web server with a default hostname of www.sneakemail.com (in fact, most
of the relevant hosts resolve to the same IP address). Locally generated
mail probably gets this domain appended automatically, if needed. The
sender may want to address this (at least to remove ambiguity).

However, you mention "hit reply", which has very little to do with the
final Return-Path header or the "from=" lines in the Postfix log. If
you're talking about hitting the reply button in your MUA, you should
only be concerned with the From:, Reply-To:, and possibly Sender:
headers. These are controlled by the sender (or the sender's mailing
list software) and may be set correctly. To find out, use the "Reply
All" feature of your MUA and see if the bad address shows up.

If that doesn't help, perhaps you should give an example of the problem
you are trying to solve. It looks as though a little misunderstanding
may have caused a miscommunication with the sender. It's important that
you both use the same vocabulary to find a solution.


Re: Strange rewrite

John M. Dlugosz-4
Looking at the Message Source in Firefox, I see the "www" added to the
From: and Return-Path: headers.

Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from sneak1.sneakemail.com (sneakemail.com [38.113.6.61])
        by LAMP4.lavapath.net (Postfix) with SMTP id 9DFEEC8056
        for <[hidden email]>; Sun, 22 Jun 2008 02:19:58 -0500 (CDT)
Received: (qmail 6530 invoked by uid 48); 22 Jun 2008 07:19:52 -0000
Date: 22 Jun 2008 07:19:52 -0000
Message-ID: <[hidden email]>
From: [hidden email]
Subject: Verification request for [hidden email]
To: [hidden email]

The only thing that "Reply" can work from must be the From: header.  Are
you saying that this is =never= altered by Postfix?

--John




Re: Strange rewrite

mouss-2
John M. Dlugosz wrote:

> Looking at the Message Source in Firefox, I see the "www" added to the
> From: and Return-Path: headers.
>
> Return-Path: <[hidden email]>
> X-Original-To: [hidden email]
> Delivered-To: [hidden email]
> Received: from sneak1.sneakemail.com (sneakemail.com [38.113.6.61])
>     by LAMP4.lavapath.net (Postfix) with SMTP id 9DFEEC8056
>     for <[hidden email]>; Sun, 22 Jun 2008 02:19:58 -0500 (CDT)
> Received: (qmail 6530 invoked by uid 48); 22 Jun 2008 07:19:52 -0000
> Date: 22 Jun 2008 07:19:52 -0000
> Message-ID: <[hidden email]>
> From: [hidden email]
> Subject: Verification request for [hidden email]
> To: [hidden email]
>
> The only thing that "Reply" can work from must be the From: header.  
> Are you saying that this is =never= altered by Postfix?

this may be altered by canonical or generic maps. this may also be
altered by any intermediary application you run (proxy, MDA, ...).  but
as said before, your logs show that the address was already "altered"
before postfix could do anything.

do what Viktor told you to do and post the result here for help.
Re: Strange rewrite

Victor Duchovni
On Sun, Jun 22, 2008 at 08:37:15PM +0200, mouss wrote:

> this may be altered by canonical or generic maps. this may also be
> altered by any intermediary application you run (proxy, MDA, ...).  but
> as said before, your logs show that the address was already "altered"
> before postfix could do anything.

The queue manager logs sender addresses after rewriting, only smtpd(8)
logs the original address, if a restriction generates a log message.
Using "warn_if_reject reject" can be used to capture the original
envelope.

> do what Viktor told you to do and post the result here for help.

Yes, but the odds of the OP's configuration prepending "www." to the
domain-part of just one remote domain's sender addresses are negligible
(unless that remote domain was singled out for such treatment in configs
not posted here).

So this is mostly a waste of time. The problem is on the sender end.

--
        Viktor.
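
Added example, not part of the original thread or of Postfix: a small log correlator for the check discussed above. It pairs the verbatim MAIL FROM that smtpd logs for a peer listed in debug_peer_list with the sender qmgr later logs for the same queue ID. The "< name[addr]: " line layout is an assumption about the verbose output, and the sample log, queue ID and addresses are constructed placeholders.

```python
import re

# Constructed sample log (placeholder addresses and queue ID).
SAMPLE_LOG = """\
Jun 22 02:19:57 LAMP4 postfix/smtpd[25001]: < sneakemail.com[38.113.6.61]: MAIL FROM:<verify@www.example.test>
Jun 22 02:19:57 LAMP4 postfix/smtpd[25001]: > sneakemail.com[38.113.6.61]: 250 2.1.0 Ok
Jun 22 02:19:58 LAMP4 postfix/smtpd[25001]: A1B2C3D4E5: client=sneakemail.com[38.113.6.61]
Jun 22 02:19:58 LAMP4 postfix/qmgr[24976]: A1B2C3D4E5: from=<verify@www.example.test>, size=715, nrcpt=1 (queue active)
"""

# Verbatim client input, as logged for peers in debug_peer_list (assumed layout).
WIRE = re.compile(r"postfix/smtpd\[(\d+)\]: < \S*\[([^\]]+)\]: MAIL FROM:\s*<([^>]*)>", re.I)
# smtpd announces the queue ID it assigned to the session.
CLIENT = re.compile(r"postfix/smtpd\[(\d+)\]: ([0-9A-F]+): client=")
# qmgr logs the envelope sender after any canonical/masquerade rewriting.
QMGR = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")


def compare_senders(log_text, peer_ip):
    """Return one record per message from peer_ip: the sender seen on the
    wire, the sender qmgr queued, and whether they differ."""
    wire_by_pid, wire_by_qid, results = {}, {}, []
    for line in log_text.splitlines():
        m = WIRE.search(line)
        if m:
            if m.group(2) == peer_ip:
                wire_by_pid[m.group(1)] = m.group(3)
            continue
        m = CLIENT.search(line)
        if m:
            # Tie the smtpd process's last MAIL FROM to the new queue ID.
            if m.group(1) in wire_by_pid:
                wire_by_qid[m.group(2)] = wire_by_pid.pop(m.group(1))
            continue
        m = QMGR.search(line)
        if m and m.group(1) in wire_by_qid:
            wire = wire_by_qid.pop(m.group(1))
            results.append({
                "queue_id": m.group(1),
                "wire": wire,
                "queued": m.group(2),
                "rewritten_locally": wire != m.group(2),
            })
    return results


if __name__ == "__main__":
    for rec in compare_senders(SAMPLE_LOG, "38.113.6.61"):
        print(rec)
```

If "rewritten_locally" is False, the address arrived in that form from the remote client and no local map changed it.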
