Mail server logs: "mailFrom" empty/null in logs on occasion, unclear why and how to fix
-
I have recently been digging into the mail server logs for various reasons, and have seen several instances of the example below (seemingly all spam, the
rcptTois always a spammy-looking email address and on a country TLD that we never deal with too. I'm wondering what conditions apply to have themailFromaddress be null? It really makes it difficult to know what app (or which mailbox) is generating the email which makes it difficult to track down where the spam is coming from.Failed to deliver mail to sephday71@i-brno.cz. Tried all MXs. Will retry in 32768s.{ "ts": 1615422409244, "type": "deferred", "direction": "outbound", "uuid": "BF92A429-0383-4A27-A161-4D1480C3ECA7.1", "mailFrom": "<>", "rcptTo": [ "<sephday71@i-brno.cz>" ], "details": { "message": "Tried all MXs", "delay": 32768 } }(side note: It'd be awesome if we could kill off queued messages like these in the Cloudron UI, another feature request for mail improvements I'll file soon
)And a different message but same thing of missing the
mailFromaddress (and pretty sure this is another spam one too):Sent bounce to <> for mail sent to info@woodencrates.org. Some recipients failed: <info@woodencrates.org>"ts": 1615391821067, "type": "bounce", "direction": "outbound", "uuid": "AC24AEEB-6828-497B-9AEE-6414616B377E.1", "mailFrom": "<>", "rcptTo": [ "<info@woodencrates.org>" ], "details": { "message": "Some recipients failed: <info@woodencrates.org>", "mx": { "exchange": "woodencrates.org", "priority": 0, "family": "A", "bind_helo": "mail.<domain.tld>" }, "bounced_rcpt": [ { "original": "info@woodencrates.org", "user": "info", "original_host": "woodencrates.org", "host": "woodencrates.org", "reason": "550 No Such User Here\"", "dsn_action": "failed", "dsn_smtp_code": "550", "dsn_smtp_response": "No Such User Here\"", "dsn_remote_mta": "woodencrates.org" } ] } }I can't really try to fix the spam issue if I can't figure out where it's being generated from.
Hoping for some help there. Is it a defect that it's null, or is that expected behaviour in certain circumstances?--
Dustin Dauncey
www.d19.ca -
I have recently been digging into the mail server logs for various reasons, and have seen several instances of the example below (seemingly all spam, the
rcptTois always a spammy-looking email address and on a country TLD that we never deal with too. I'm wondering what conditions apply to have themailFromaddress be null? It really makes it difficult to know what app (or which mailbox) is generating the email which makes it difficult to track down where the spam is coming from.Failed to deliver mail to sephday71@i-brno.cz. Tried all MXs. Will retry in 32768s.{ "ts": 1615422409244, "type": "deferred", "direction": "outbound", "uuid": "BF92A429-0383-4A27-A161-4D1480C3ECA7.1", "mailFrom": "<>", "rcptTo": [ "<sephday71@i-brno.cz>" ], "details": { "message": "Tried all MXs", "delay": 32768 } }(side note: It'd be awesome if we could kill off queued messages like these in the Cloudron UI, another feature request for mail improvements I'll file soon
)And a different message but same thing of missing the
mailFromaddress (and pretty sure this is another spam one too):Sent bounce to <> for mail sent to info@woodencrates.org. Some recipients failed: <info@woodencrates.org>"ts": 1615391821067, "type": "bounce", "direction": "outbound", "uuid": "AC24AEEB-6828-497B-9AEE-6414616B377E.1", "mailFrom": "<>", "rcptTo": [ "<info@woodencrates.org>" ], "details": { "message": "Some recipients failed: <info@woodencrates.org>", "mx": { "exchange": "woodencrates.org", "priority": 0, "family": "A", "bind_helo": "mail.<domain.tld>" }, "bounced_rcpt": [ { "original": "info@woodencrates.org", "user": "info", "original_host": "woodencrates.org", "host": "woodencrates.org", "reason": "550 No Such User Here\"", "dsn_action": "failed", "dsn_smtp_code": "550", "dsn_smtp_response": "No Such User Here\"", "dsn_remote_mta": "woodencrates.org" } ] } }I can't really try to fix the spam issue if I can't figure out where it's being generated from.
Hoping for some help there. Is it a defect that it's null, or is that expected behaviour in certain circumstances?@d19dotca
mailFromis <> for bounce emails. It seems Cloudron is trying to send a bounce but the destination email server is gone. In general, this is fine, since it will eventually stop retrying. If it bothers you, you candocker exec -ti mail /bin/bashand delete the queue entries in/run/haraka/queue. I agree it will be nice to have some UI to view and clear this queue. -
@d19dotca
mailFromis <> for bounce emails. It seems Cloudron is trying to send a bounce but the destination email server is gone. In general, this is fine, since it will eventually stop retrying. If it bothers you, you candocker exec -ti mail /bin/bashand delete the queue entries in/run/haraka/queue. I agree it will be nice to have some UI to view and clear this queue.@girish said in Mail server logs: "mailFrom" empty/null in logs on occasion, unclear why and how to fix:
It seems Cloudron is trying to send a bounce but the destination email server is gone
I'm not sure if I understand that part. In order to send a bounce, doesn't there need to be an email the bounce is came from? It almost looks like it's trying to send a bounce to an email address (for whatever reason it may be) but sending without any "from" address, and that's is the part that confuses me.
If we take the woodencrates,org example from above, if I'm understanding it correctly, the workflow was this (putting this together from other logs):
- Email sent from
info@woodencreates.orgto an alias hosted on my mail server which forwards to anicloud.comaccount. - Apple rejects the message from
info@woodencrates.orgto a user'sicloud.comaddress as it deems it to be spam (which I agree that it is), sending a bounce back toinfo@woodencrates.orgvia my mail server - Bounce sent back to
info@woodencrates.orgbut their mail server reports thatinfo@woodencrates.orgdoes not exist (thus presumably was forced / masqueraded at the source)
It's basically between step 2 and 3 that I see the issue where there's no "from" address. I guess this is because then it's an alias so there's no actual mailbox on my server that's sending the bounce back to
info@woodencrates.orgsince the bounce actually came from anicloud.comaccount, is that right? But in that case, shouldn't themailFromfield be filled in with theicloud.comaddress that initiated the bounce, or is that not technically accurate / RFC-compliant or something? It just seems weird thatmailFromis not filled in, missing that seems like an issue.Just trying to make sure I understand.
--
Dustin Dauncey
www.d19.ca - Email sent from
-
@girish said in Mail server logs: "mailFrom" empty/null in logs on occasion, unclear why and how to fix:
It seems Cloudron is trying to send a bounce but the destination email server is gone
I'm not sure if I understand that part. In order to send a bounce, doesn't there need to be an email the bounce is came from? It almost looks like it's trying to send a bounce to an email address (for whatever reason it may be) but sending without any "from" address, and that's is the part that confuses me.
If we take the woodencrates,org example from above, if I'm understanding it correctly, the workflow was this (putting this together from other logs):
- Email sent from
info@woodencreates.orgto an alias hosted on my mail server which forwards to anicloud.comaccount. - Apple rejects the message from
info@woodencrates.orgto a user'sicloud.comaddress as it deems it to be spam (which I agree that it is), sending a bounce back toinfo@woodencrates.orgvia my mail server - Bounce sent back to
info@woodencrates.orgbut their mail server reports thatinfo@woodencrates.orgdoes not exist (thus presumably was forced / masqueraded at the source)
It's basically between step 2 and 3 that I see the issue where there's no "from" address. I guess this is because then it's an alias so there's no actual mailbox on my server that's sending the bounce back to
info@woodencrates.orgsince the bounce actually came from anicloud.comaccount, is that right? But in that case, shouldn't themailFromfield be filled in with theicloud.comaddress that initiated the bounce, or is that not technically accurate / RFC-compliant or something? It just seems weird thatmailFromis not filled in, missing that seems like an issue.Just trying to make sure I understand.
@d19dotca Yes, bounce message/NDR are special. They don't have the mail from filled out. See https://en.wikipedia.org/wiki/Bounce_message#Terminology . This is done so that you don't bounce a bounce message.
edit: found https://serverfault.com/questions/151955/why-an-empty-mail-from-address-can-sent-out-email with more info
- Email sent from
-
@d19dotca Yes, bounce message/NDR are special. They don't have the mail from filled out. See https://en.wikipedia.org/wiki/Bounce_message#Terminology . This is done so that you don't bounce a bounce message.
edit: found https://serverfault.com/questions/151955/why-an-empty-mail-from-address-can-sent-out-email with more info
-
@d19dotca Yes, bounce message/NDR are special. They don't have the mail from filled out. See https://en.wikipedia.org/wiki/Bounce_message#Terminology . This is done so that you don't bounce a bounce message.
edit: found https://serverfault.com/questions/151955/why-an-empty-mail-from-address-can-sent-out-email with more info
@girish Side question actually... how do I see from the logs which alias the email is going to? Because in my case, I see the end email, not the alias email. For example: Email sent from
info@woodencrates.com> some alias on my server >icloud.comaccount the alias forwarded to. In my case though, I have two domains that go to the same endicloud.comaccount. So I'm trying to figure out which one of them (if only one) is getting the bulk of the spam to it. Any way to figure that part out?
