    Solved Mail server logs: "mailFrom" empty/null in logs on occasion, unclear why and how to fix

    • d19dotca
      d19dotca last edited by girish

      I have recently been digging into the mail server logs for various reasons, and have seen several instances of the example below (seemingly all spam; the rcptTo is always a spammy-looking email address and on a country TLD that we never deal with too). I'm wondering what conditions apply to have the mailFrom address be null? It really makes it difficult to know what app (or which mailbox) is generating the email, which makes it difficult to track down where the spam is coming from.

      Failed to deliver mail to sephday71@i-brno.cz. Tried all MXs. Will retry in 32768s.

      {
        "ts": 1615422409244,
        "type": "deferred",
        "direction": "outbound",
        "uuid": "BF92A429-0383-4A27-A161-4D1480C3ECA7.1",
        "mailFrom": "<>",
        "rcptTo": [
          "<sephday71@i-brno.cz>"
        ],
        "details": {
          "message": "Tried all MXs",
          "delay": 32768
        }
      }
      

      (side note: It'd be awesome if we could kill off queued messages like these in the Cloudron UI, another feature request for mail improvements I'll file soon 😉 )

      And a different message but same thing of missing the mailFrom address (and pretty sure this is another spam one too):

      Sent bounce to <> for mail sent to info@woodencrates.org. Some recipients failed: <info@woodencrates.org>

      {
        "ts": 1615391821067,
        "type": "bounce",
        "direction": "outbound",
        "uuid": "AC24AEEB-6828-497B-9AEE-6414616B377E.1",
        "mailFrom": "<>",
        "rcptTo": [
          "<info@woodencrates.org>"
        ],
        "details": {
          "message": "Some recipients failed: <info@woodencrates.org>",
          "mx": {
            "exchange": "woodencrates.org",
            "priority": 0,
            "family": "A",
            "bind_helo": "mail.<domain.tld>"
          },
          "bounced_rcpt": [
            {
              "original": "info@woodencrates.org",
              "user": "info",
              "original_host": "woodencrates.org",
              "host": "woodencrates.org",
              "reason": "550 No Such User Here\"",
              "dsn_action": "failed",
              "dsn_smtp_code": "550",
              "dsn_smtp_response": "No Such User Here\"",
              "dsn_remote_mta": "woodencrates.org"
            }
          ]
        }
      }
      

      I can't really try to fix the spam issue if I can't figure out where it's being generated from. 😞 Hoping for some help there. Is it a defect that it's null, or is that expected behaviour in certain circumstances?

      --
      Dustin Dauncey
      www.d19.ca

      • girish
        girish Staff @d19dotca last edited by

        @d19dotca mailFrom is <> for bounce emails. It seems Cloudron is trying to send a bounce but the destination email server is gone. In general, this is fine, since it will eventually stop retrying. If it bothers you, you can docker exec -ti mail /bin/bash and delete the queue entries in /run/haraka/queue. I agree it will be nice to have some UI to view and clear this queue.

        • d19dotca
          d19dotca @girish last edited by d19dotca

          @girish said in Mail server logs: "mailFrom" empty/null in logs on occasion, unclear why and how to fix:

          It seems Cloudron is trying to send a bounce but the destination email server is gone

          I'm not sure if I understand that part. In order to send a bounce, doesn't there need to be an email the bounce came from? It almost looks like it's trying to send a bounce to an email address (for whatever reason it may be) but sending without any "from" address, and that's the part that confuses me.

          If we take the woodencrates.org example from above, if I'm understanding it correctly, the workflow was this (putting this together from other logs):

          1. Email sent from info@woodencrates.org to an alias hosted on my mail server which forwards to an icloud.com account.
          2. Apple rejects the message from info@woodencrates.org to a user's icloud.com address as it deems it to be spam (which I agree that it is), sending a bounce back to info@woodencrates.org via my mail server
          3. Bounce sent back to info@woodencrates.org but their mail server reports that info@woodencrates.org does not exist (thus presumably was forced / masqueraded at the source)

          It's basically between step 2 and 3 that I see the issue where there's no "from" address. I guess this is because then it's an alias so there's no actual mailbox on my server that's sending the bounce back to info@woodencrates.org since the bounce actually came from an icloud.com account, is that right? But in that case, shouldn't the mailFrom field be filled in with the icloud.com address that initiated the bounce, or is that not technically accurate / RFC-compliant or something? It just seems weird that mailFrom is not filled in, missing that seems like an issue.

          Just trying to make sure I understand. 🙂

          --
          Dustin Dauncey
          www.d19.ca

          • girish
            girish Staff @d19dotca last edited by girish

            @d19dotca Yes, bounce message/NDR are special. They don't have the mail from filled out. See https://en.wikipedia.org/wiki/Bounce_message#Terminology . This is done so that you don't bounce a bounce message.

            edit: found https://serverfault.com/questions/151955/why-an-empty-mail-from-address-can-sent-out-email with more info

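An added example, not part of the thread and not Cloudron's or Haraka's own code: a small triage script that takes mail events with the field names shown in the log entries above, keeps the outbound ones whose mailFrom is the empty reverse-path `<>` (bounces), and groups them by recipient domain so the targets of bounce traffic are visible at a glance. It assumes the events are available as one JSON object per line; the sample records and the `.example` addresses are constructed.

```python
import json
from collections import defaultdict

# Constructed sample events using the field names from the log entries above.
# One JSON object per line is an assumption about how the events were exported.
SAMPLE_LOG = """\
{"ts": 1, "type": "delivered", "direction": "outbound", "mailFrom": "<app@example.org>", "rcptTo": ["<user@example.net>"], "details": {}}
{"ts": 2, "type": "deferred", "direction": "outbound", "mailFrom": "<>", "rcptTo": ["<forged1@spam.example>"], "details": {"message": "Tried all MXs", "delay": 32768}}
{"ts": 3, "type": "bounce", "direction": "outbound", "mailFrom": "<>", "rcptTo": ["<forged2@spam.example>"], "details": {"bounced_rcpt": [{"original": "forged2@spam.example", "dsn_smtp_code": "550"}]}}
{"ts": 4, "type": "deferred", "direction": "outbound", "mailFrom": "<>", "rcptTo": ["<Forged1@Spam.Example>"], "details": {"message": "Tried all MXs", "delay": 65536}}
this line is not JSON and must be skipped
"""

def is_null_sender(event):
    """True when the envelope sender is the empty reverse-path (or missing)."""
    return (event.get("mailFrom") or "").strip() in ("<>", "")

def domain_of(addr):
    """Lower-cased domain of an address logged as '<local@domain>'."""
    return addr.strip("<>").rpartition("@")[2].lower()

def summarize_null_sender(log_text):
    """Group outbound null-sender events by recipient domain."""
    summary = defaultdict(lambda: {"events": 0, "types": set(),
                                   "recipients": set(), "smtp_codes": set()})
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate plain-text lines mixed into the log
        if not isinstance(event, dict) or event.get("direction") != "outbound" \
                or not is_null_sender(event):
            continue
        details = event.get("details") or {}
        codes = {r["dsn_smtp_code"] for r in details.get("bounced_rcpt", [])
                 if r.get("dsn_smtp_code")}
        for rcpt in event.get("rcptTo", []):
            entry = summary[domain_of(rcpt)]
            entry["events"] += 1
            entry["types"].add(event.get("type"))
            entry["recipients"].add(rcpt.strip("<>").lower())
            entry["smtp_codes"] |= codes
    return dict(summary)

if __name__ == "__main__":
    for domain, info in summarize_null_sender(SAMPLE_LOG).items():
        print(domain, info["events"], sorted(info["types"]), sorted(info["recipients"]))
```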
            • d19dotca
              d19dotca @girish last edited by

              @girish Ah that helps explain it. So I guess I just didn't understand the tech-spec then. I tried a quick search last night but didn't find much, I think it's because I was using mailFrom in quotes. haha. Thanks Girish!

              --
              Dustin Dauncey
              www.d19.ca

              • d19dotca
                d19dotca @girish last edited by

                @girish Side question actually... how do I see from the logs which alias the email is going to? Because in my case, I see the end email, not the alias email. For example: Email sent from info@woodencrates.com > some alias on my server > icloud.com account the alias forwarded to. In my case though, I have two domains that go to the same end icloud.com account. So I'm trying to figure out which one of them (if only one) is getting the bulk of the spam to it. Any way to figure that part out?

                --
                Dustin Dauncey
                www.d19.ca

                • girish
                  girish Staff last edited by

                  @d19dotca Since the email is forwarded, this info is probably lost. One idea is to look into the bounce mail headers. Maybe there is some message ID or something we can match.
