Odd behavior: "Invalid" list destinations result in mail routing loop w/ SMTP relay in line
We use a multi-hop SMTP system to go from the inside of our network out to the Internet at the domain test.lists.example.com.
The setup is this way for ingress:
{EXTERNAL} -> MS365 (relay/antispam) -> MS On-Prem (via 365 Connector) -> Mailman for delivery to listserv
Egress is this:
Mailman -> Postfix SMTP Relay (smtpproxy) -> INTERNET
--
When a message is sent to an invalid list (we'll call it invalid@test.lists.example.com) we end up with a nasty side effect in the system. The "no such recipient" response gets sent to the smtpproxy machine and then *it gets redelivered back to Mailman* as a redelivery as if it isn't accepting a permanent-failure condition code.
This results in a nasty mail loop that results with a "too many hops" error that doesn't state "invalid recipient" and I have no idea why this is the case.
Can anyone provide any insight into how to prevent this type of routing loop caused by the egress of messages?
Thomas
On 12/5/23 10:08, Thomas Ward via Mailman-users wrote:
> We use a multi-hop SMTP system to go from the inside of our network out to the Internet at the domain test.lists.example.com.
> The setup is this way for ingress:
> {EXTERNAL} -> MS365 (relay/antispam) -> MS On-Prem (via 365 Connector) -> Mailman for delivery to listserv
> Egress is this:
> Mailman -> Postfix SMTP Relay (smtpproxy) -> INTERNET
> --
> When a message is sent to an invalid list (we'll call it invalid@test.lists.example.com) we end up with a nasty side effect in the system. The "no such recipient" response gets sent to the smtpproxy machine and then *it gets redelivered back to Mailman* as a redelivery as if it isn't accepting a permanent-failure condition code.
I don't understand why this is happening. Whatever MTA is seeing the "no such recipient" status and creating the response DSN should be sending it to the envelope sender of the original message so it should not be sent to the invalid mailman address. Is one of the MTAs in the delivery chain to Mailman rewriting the envelope sender?
What are the MTA log messages from all the MTAs whose logs you have access to?
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
See, that's the oddness. There appears to be SOME weird mail loop here where $ORIGIN (MS365/Exchange) hands it once, then there's back-and-forth between SMTPPROXY and Mailman. It's really odd how it behaves, and I have no explanation for it.
Right now I'm away from the office where this happens, but when I'm back there I'll grab logs from both sides.
Thomas
On 12/6/23 11:11, Thomas Ward via Mailman-users wrote:
> See, that's the oddness. There appears to be SOME weird mail loop here where $ORIGIN (MS365/Exchange) hands it once, then there's back-and-forth between SMTPPROXY and Mailman. It's really odd how it behaves, and I have no explanation for it.
> Right now I'm away from the office where this happens, but when I'm back there I'll grab logs from both sides.
> Thomas
> On 12/5/23 17:54, Mark Sapiro wrote:
>> On 12/5/23 10:08, Thomas Ward via Mailman-users wrote:
>>> We use a multi-hop SMTP system to go from the inside of our network out to the Internet at the domain test.lists.example.com.
>>> The setup is this way for ingress:
>>> {EXTERNAL} -> MS365 (relay/antispam) -> MS On-Prem (via 365 Connector) -> Mailman for delivery to listserv
Presumably the EXTERNAL to MS365 SMTP transaction includes
MAIL FROM: <user@example.com>
RCPT TO: <invalid@test.lists.example.com>
It seems that somewhere in the path to Mailman this is getting changed to
MAIL FROM: <invalid@test.lists.example.com>
so the outbound DSN is sent to invalid@test.lists.example.com instead of user@example.com. The question is which one of the MTAs in the path is doing this and why.
But even more mysterious is the fact that the DSN from Mailman should be sent with
MAIL FROM: <>
so when it's undeliverable, no further DSN is sent.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
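One way to check the relay's logs for the envelope-sender question raised in the message above: group Postfix log lines by queue ID and report, for every bounced delivery, where the resulting DSN will be addressed. This is an added example, not part of the original thread; the log lines are constructed, and the host `mailman.internal`, the queue IDs and the verdict labels are assumptions (short hexadecimal queue IDs are assumed as well).

```python
import re

LIST_DOMAIN = "test.lists.example.com"  # list domain named in the thread

# Constructed sample lines in Postfix's syslog format; queue IDs, PIDs,
# hostnames and IP addresses are made up for illustration.
SAMPLE_LOG = """\
Dec  6 15:01:02 smtpproxy postfix/qmgr[811]: 4A1B2C3D4E: from=<user@example.com>, size=2048, nrcpt=1 (queue active)
Dec  6 15:01:03 smtpproxy postfix/smtp[902]: 4A1B2C3D4E: to=<invalid@test.lists.example.com>, relay=mailman.internal[192.0.2.10]:25, delay=0.4, dsn=5.1.1, status=bounced (550 5.1.1 no such recipient)
Dec  6 15:02:02 smtpproxy postfix/qmgr[811]: 5F6A7B8C9D: from=<invalid@test.lists.example.com>, size=2048, nrcpt=1 (queue active)
Dec  6 15:02:03 smtpproxy postfix/smtp[903]: 5F6A7B8C9D: to=<invalid@test.lists.example.com>, relay=mailman.internal[192.0.2.10]:25, delay=0.4, dsn=5.1.1, status=bounced (550 5.1.1 no such recipient)
Dec  6 15:03:02 smtpproxy postfix/qmgr[811]: 6B7C8D9E0F: from=<>, size=4096, nrcpt=1 (queue active)
Dec  6 15:03:03 smtpproxy postfix/smtp[904]: 6B7C8D9E0F: to=<invalid@test.lists.example.com>, relay=mailman.internal[192.0.2.10]:25, delay=0.3, dsn=5.1.1, status=bounced (550 5.1.1 no such recipient)
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
FROM = re.compile(r"from=<(?P<addr>[^>]*)>")
TO = re.compile(r"to=<(?P<addr>[^>]*)>.*?\bstatus=(?P<status>\w+)")

def parse(log_text):
    """Group log lines by queue ID: envelope sender plus (recipient, status)."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {"sender": None, "rcpts": []})
        if f := FROM.match(m["rest"]):
            rec["sender"] = f["addr"].lower()
        elif t := TO.match(m["rest"]):
            rec["rcpts"].append((t["addr"].lower(), t["status"]))
    return msgs

def classify(rec):
    """Say where the DSN for a bounced message will be sent."""
    if not any(status == "bounced" for _, status in rec["rcpts"]):
        return "no-bounce"
    if rec["sender"] is None:
        return "sender-not-logged"
    if rec["sender"] == "":
        return "null-sender-no-further-dsn"  # a DSN that bounces ends here
    if rec["sender"].endswith("@" + LIST_DOMAIN):
        return "dsn-goes-back-to-list-domain"  # envelope sender is a list address
    return "dsn-to-original-sender"

def report(log_text=SAMPLE_LOG):
    return {qid: classify(rec) for qid, rec in parse(log_text).items()}

if __name__ == "__main__":
    for qid, verdict in report().items():
        print(qid, verdict)
```

Running the same grouping over each hop's log and comparing the `from=` value for one message shows the first hop at which the envelope sender stops being the external user's address.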
Yeah I'll set up some advanced debugging in Postfix on the relays to see what's coming in and out. Will take time though 'cause we have a TON of messaging going through that smtpproxy out to the 'net so it'll take a bit for me to dissect the message logs.
Give me a bit since it's EOD for me now.
Thomas