Open
Description
While debugging #649, I ran into the following:
(Note: email addresses have been scrambled, but the intent should be clear.)
- Send an email from sender@gmail.com to test-list@nixos.org
- nixos.org is configured to forward test-list@ to final@jfly.example.com, where jfly.example.com is managed by final-mailserver.example.com, which I control. I intentionally configured that mailserver to bounce emails from nixos.org
- nixos.org's mailserver sees the bounce from the final mailserver, and then tries to send a bounce to jfly@gmail. That bounce is rejected by gmail.
Here's what we see on umbriel:
Apr 21 20:40:10 umbriel postfix/smtp[259316]: 5A720658C: to=<final@jfly.example.com>, orig_to=<test-list@nixos.org>, relay=final-mailserver.example.com[MAILSERVER_IP]:25, delay=3.3, delays=0.47/0/2.5/0.36, dsn=5.7.1, status=bounced (host final-mailserver.example.com[MAILSERVER_IP] said: 554 5.7.1 <SRS0=VhP0=XH=gmail.com=sender@nixos.org>: Sender address rejected: Access denied (in reply to RCPT TO command))
Apr 21 20:40:10 umbriel postfix/cleanup[259328]: B6942658D: message-id=<20250421204010.B6942658D@umbriel.nixos.org>
Apr 21 20:40:10 umbriel postfix/bounce[259332]: 5A720658C: sender non-delivery notification: B6942658D
Apr 21 20:40:10 umbriel postfix/qmgr[258926]: B6942658D: from=<>, size=6759, nrcpt=1 (queue active)
Apr 21 20:40:10 umbriel postfix/qmgr[258926]: 5A720658C: removed
Apr 21 20:40:10 umbriel postfix/smtp[259316]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
Apr 21 20:40:11 umbriel postfix/smtp[259316]: B6942658D: to=<sender@gmail.com>, orig_to=<SRS0=VhP0=XH=gmail.com=sender@nixos.org>, relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a]:25, delay=0.46, delays=0/0/0.19/0.27, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [] with ip: [2a01:4f9:c011:8fb5::1] = did not pass 550-5.7.26 550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication 38308e7fff4ca-31090755b70si32094831fa.41 - gsmtp (in reply to end of DATA command))
Apr 21 20:40:11 umbriel postfix/qmgr[258926]: B6942658D: removed
We see the bounce when umbriel tries to forward to final@jfly.example.com:
Apr 21 20:40:10 umbriel postfix/smtp[259316]: 5A720658C: to=<final@jfly.example.com>, orig_to=<test-list@nixos.org>, relay=final-mailserver.example.com[MAILSERVER_IP]:25, delay=3.3, delays=0.47/0/2.5/0.36, dsn=5.7.1, status=bounced (host final-mailserver.example.com[MAILSERVER_IP] said: 554 5.7.1 <SRS0=VhP0=XH=gmail.com=sender@nixos.org>: Sender address rejected: Access denied (in reply to RCPT TO command))
And then we see another bounce when umbriel tries to notify the sender (sender@gmail.com) of the bounce:
Apr 21 20:40:11 umbriel postfix/smtp[259316]: B6942658D: to=<sender@gmail.com>, orig_to=<SRS0=VhP0=XH=gmail.com=sender@nixos.org>, relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a]:25, delay=0.46, delays=0/0/0.19/0.27, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [] with ip: [2a01:4f9:c011:8fb5::1] = did not pass 550-5.7.26 550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication 38308e7fff4ca-31090755b70si32094831fa.41 - gsmtp (in reply to end of DATA command))
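One way to spot this double-bounce pattern in Postfix logs, as an added example (not part of the original issue or of the NixOS infrastructure code): it links each bounced message to its non-delivery notification by queue ID and reports the cases where that notification, sent with the empty envelope sender, was itself rejected. The sample log is constructed from shortened copies of the lines above plus one made-up successful delivery, and the function name is hypothetical.

```python
import re

# Constructed sample: shortened copies of the log lines in the issue, plus one
# made-up successful delivery (queue ID 1C0FFEE00) for contrast.
SAMPLE_LOG = """\
Apr 21 20:40:09 umbriel postfix/smtp[259316]: 1C0FFEE00: to=<ok@example.org>, relay=mx.example.org[192.0.2.1]:25, dsn=2.0.0, status=sent (250 ok)
Apr 21 20:40:10 umbriel postfix/smtp[259316]: 5A720658C: to=<final@jfly.example.com>, orig_to=<test-list@nixos.org>, dsn=5.7.1, status=bounced (554 5.7.1 Access denied)
Apr 21 20:40:10 umbriel postfix/bounce[259332]: 5A720658C: sender non-delivery notification: B6942658D
Apr 21 20:40:10 umbriel postfix/qmgr[258926]: B6942658D: from=<>, size=6759, nrcpt=1 (queue active)
Apr 21 20:40:11 umbriel postfix/smtp[259316]: B6942658D: to=<sender@gmail.com>, orig_to=<SRS0=VhP0=XH=gmail.com=sender@nixos.org>, dsn=5.7.26, status=bounced (550-5.7.26 unauthenticated)
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
NDN = re.compile(r"sender non-delivery notification: (?P<child>[0-9A-Za-z]+)")
DELIVERY = re.compile(r"^to=<(?P<to>[^>]*)>.*?\bdsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def failed_bounce_chains(log_text):
    """Return bounces whose own non-delivery notification also bounced."""
    parent_of = {}       # DSN queue ID -> queue ID of the message it reports on
    null_sender = set()  # queue IDs enqueued with the empty envelope sender
    deliveries = {}      # queue ID -> [(recipient, dsn, status), ...]
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if n := NDN.search(rest):
            parent_of[n["child"]] = qid
        elif rest.startswith("from=<>"):
            null_sender.add(qid)
        elif d := DELIVERY.search(rest):
            deliveries.setdefault(qid, []).append((d["to"], d["dsn"], d["status"]))
    chains = []
    for child, parent in parent_of.items():
        if child not in null_sender:
            continue
        first = [x for x in deliveries.get(parent, []) if x[2] == "bounced"]
        for to, dsn, status in deliveries.get(child, []):
            if status == "bounced":
                chains.append({"original_qid": parent,
                               "original_dsn": first[0][1] if first else None,
                               "notify_qid": child, "notify_rcpt": to, "notify_dsn": dsn})
    return chains


if __name__ == "__main__":
    for chain in failed_bounce_chains(SAMPLE_LOG):
        print(chain)
```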