Correo electrónico - Tareas #5788 - Software Libre › issues › 5788.pdf · Correo electrónico - Tareas #5788 Fallos de reenvíos de correos desde el dominio litoralnorte a unorte

Correo electrónico - Tareas #5788

Fallos de reenvíos de correos desde el dominio litoralnorte a unorte

09/04/2017 03:40 PM - Andrés Pías

Status: Resuelta Start date: 09/04/2017

Priority: Alta Due date:

Assignee: Miguel Pertusatti % Done: 80%

Category: Estimated time: 0.00 hour

Target version: Spent time: 5.50 hours

Description

Anoto solicitud de Miguel:

Hola Andrés:

Te reenvío este correo que es el rebote que recibe "Guillermo Reisch" <[email protected]> cuando en vía un correo a "Mpertusatti" <

[email protected]>; el correo lo recibo en <[email protected]> pero no es reenviado a <

[email protected]>. Son casos que solo ocurren con remitentes de algunos servidores de correo.

Saludos

Miguel

----- Mensaje reenviado -----

De: "Guillermo Reisch" <[email protected]>

Para: "Mpertusatti" [email protected]>

Enviados: Lunes, 4 de Septiembre 2017 13:21:31

Asunto: Fwd: Undelivered Mail Returned to Sender

-------- Original Message --------

Subject: Undelivered Mail Returned to Sender

Date: Mon, 4 Sep 2017 13:18:17 0300 (UYT)

From: [email protected] (Mail Delivery System)

To: [email protected]

This is the mail system at host godel.csic.edu.uy.

I'm sorry to have to inform you that your message could not

be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can

delete your own text from the attached returned message.

The mail system

[email protected]>: host dayman.unorte.edu.uy[164.73.212.3] said:

550 Your

rcpt is not permitted (SPF - read spf.pobox.com) (in reply to RCPT

TO

command)

07/23/2020 1/8

mailto:[email protected]








History

#1 - 09/04/2017 03:42 PM - Andrés Pías

- Description updated

#2 - 09/04/2017 03:57 PM - Andrés Pías

- Status changed from Nueva to En curso

Estoy viendo que en Litoral Norte tenemos al menos 2 problemas que intento descifrar que se puende ver acá:

https://intodns.com/litoralnorte.udelar.edu.uy

Missing nameservers reported by parent

FAIL: The following nameservers are listed at your nameservers as nameservers for your domain, but are not listed at the parent nameservers (see

RFC2181 5.4.1). You need to make sure that these nameservers are working.If they are not working ok, you may have problems!

ns2.litoralnorte.udelar.edu.uy

ns1.litoralnorte.udelar.edu.uy

Missing nameservers reported by your nameservers

ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:

arapey.unorte.edu.uy

This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and

the NS records point to your own domain, for example).

Parece que unorte no tiene ningún problema grave: https://intodns.com/unorte.edu.uy

#3 - 09/05/2017 01:17 PM - Andrés Pías

- % Done changed from 0 to 20

Estábamos viendo que si bien Arapey (principal) devuelve bien los registros NS de unorte.udelar.edu.uy y litoralnorte.udelar.edu.uy

dig @arapey.unorte.edu.uy -t NS unorte.edu.uy

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @arapey.unorte.edu.uy -t NS unorte.edu.uy

; (2 servers found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31901

;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;unorte.edu.uy. IN NS

;; ANSWER SECTION:

unorte.edu.uy. 86400 IN NS dayman.unorte.edu.uy.

unorte.edu.uy. 86400 IN NS seciu.edu.uy.

unorte.edu.uy. 86400 IN NS arapey.unorte.edu.uy.

07/23/2020 2/8


https://intodns.com/unorte.edu.uy

;; ADDITIONAL SECTION:

arapey.unorte.edu.uy. 86400 IN A 164.73.212.2

dayman.unorte.edu.uy. 86400 IN A 164.73.212.3

;; Query time: 45 msec

;; SERVER: 164.73.212.2#53(164.73.212.2)

;; WHEN: Tue Sep 05 13:11:14 UYT 2017

;; MSG SIZE rcvd: 136

dig @arapey.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @arapey.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy

; (2 servers found)


;; Got answer:







;litoralnorte.udelar.edu.uy. IN NS

;; ANSWER SECTION:

litoralnorte.udelar.edu.uy. 86400 IN NS seciu.edu.uy.

litoralnorte.udelar.edu.uy. 86400 IN NS ns1.litoralnorte.udelar.edu.uy.



ns1.litoralnorte.udelar.edu.uy. 86400 IN A 164.73.212.2



;; SERVER: 164.73.212.2#53(164.73.212.2)

;; WHEN: Tue Sep 05 13:12:38 UYT 2017


El DNS secundario Dayman no está respondiendo bien el NS de litoralnorte.udelar.edu.uy:

dig @dayman.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @dayman.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy

; (1 server found)


;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35596

;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1




07/23/2020 3/8




;; SERVER: 164.73.212.3#53(164.73.212.3)

;; WHEN: Tue Sep 05 13:16:29 UYT 2017


dig @dayman.unorte.edu.uy -t NS unorte.edu.uy

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @dayman.unorte.edu.uy -t NS unorte.edu.uy

; (2 servers found)


;; Got answer:







;unorte.edu.uy. IN NS

;; ANSWER SECTION:

unorte.edu.uy. 86400 IN NS dayman.unorte.edu.uy.

unorte.edu.uy. 86400 IN NS seciu.edu.uy.

unorte.edu.uy. 86400 IN NS arapey.unorte.edu.uy.


arapey.unorte.edu.uy. 86400 IN A 164.73.212.2

dayman.unorte.edu.uy. 86400 IN A 164.73.212.3


;; SERVER: 164.73.212.3#53(164.73.212.3)

;; WHEN: Tue Sep 05 13:16:42 UYT 2017


#4 - 09/11/2017 12:26 PM - Andrés Pías

Miguel estuvo ajustando la config DNS:

La directiva "allow-query" es de la configuración de BIND, ya agregué a godel.csic.edu.uy en esa configuración, voy a ver si logro que me envíen un

correo para probar.

...

Encontré que faltaba definir la zona litoralnorte en el DNS secundario, está corregido. Estoy esperando que me envíen un correo de prueba desde

uno de los servidores que evidenciaban el problema.

Dayman está respondiendo bien a las consultas:

07/23/2020 4/8

root@batareload:/home/apias# dig @dayman.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @dayman.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy

; (1 server found)


;; Got answer:








;; ANSWER SECTION:


litoralnorte.udelar.edu.uy. 86400 IN NS seciu.edu.uy.






;; SERVER: 164.73.212.3#53(164.73.212.3)

;; WHEN: Mon Sep 11 12:17:40 UYT 2017


Los mensajes de error en https://intodns.com/litoralnorte.udelar.edu.uy han desaparecido.

Pero en una nueva prueba de envío de mail desde cuenta de Facultad de Veterinaria al correo de Miguel de LitoralNorte, los mensajes no son reenviados

a su mail en Unorte:

Delivered-To: [email protected]

Received: from localhost (unknown [127.0.0.1]) by mail2.fenf.edu.uy (Postfix) with ESMTP id 88DA2C7C3A9 for <[email protected]>; Sat, 9

Sep 2017 16:37:25 -0300 (UYT)

X-Virus-Scanned: Debian amavisd-new at mail.fenf.edu.uy.fenf.edu.uy

Received: from mail2.fenf.edu.uy ([127.0.0.1]) by localhost (mail.fenf.edu.uy [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sJrjTCtCKeXT

for <[email protected]>; Sat, 9 Sep 2017 16:37:24 -0300 (UYT)

X-Original-Helo: godel.csic.edu.uy (iRedMail: http://www.iredmail.org/)

Received: from godel.csic.edu.uy (godel.csic.edu.uy [164.73.68.19]) by mail2.fenf.edu.uy (Postfix) with ESMTPS id D5B20C7C1EF for

<[email protected]>; Sat, 9 Sep 2017 16:37:24 -0300 (UYT)

Received: by godel.csic.edu.uy (Postfix) id 594D39005DC; Sat, 9 Sep 2017 16:37:17 -0300 (UYT)

Date: Sat, 09 Sep 2017 16:37:17 -0300

From: Mail Delivery System <[email protected]>

Subject: Undelivered Mail Returned to Sender

To: [email protected]

Auto-Submitted: auto-replied

MIME-Version: 1.0

Content-Type: multipart/report; boundary="A20B390086C.1504985837/godel.csic.edu.uy"; report-type="delivery-status"

Content-Transfer-Encoding: 7bit

Message-ID: <[email protected]>

07/23/2020 5/8


This is a MIME-encapsulated message.

--A20B390086C.1504985837/godel.csic.edu.uy

Content-Description: Notification

Content-Type: text/plain; charset="us-ascii"

This is the mail system at host godel.csic.edu.uy.

I'm sorry to have to inform you that your message could not

be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can

delete your own text from the attached returned message.

The mail system

<[email protected]>: host dayman.unorte.edu.uy[164.73.212.3] said: 550 Your

rcpt is not permitted (SPF - read spf.pobox.com) (in reply to RCPT TO

command)

--A20B390086C.1504985837/godel.csic.edu.uy

Content-Description: Delivery report

Content-Type: message/delivery-status

Reporting-MTA: dns; godel.csic.edu.uy

X-Postfix-Queue-ID: A20B390086C

X-Postfix-Sender: rfc822; [email protected]

Arrival-Date: Sat, 9 Sep 2017 16:37:15 -0300 (UYT)

Final-Recipient: rfc822; [email protected]

Original-Recipient: rfc822;[email protected]

Action: failed

Status: 5.0.0

Remote-MTA: dns; dayman.unorte.edu.uy

Diagnostic-Code: smtp; 550 Your rcpt is not permitted (SPF - read

spf.pobox.com)

#5 - 09/11/2017 01:52 PM - Andrés Pías

Para entender como funciona el SPF hay que mirar bien estos ejemplos: http://www.openspf.org/FAQ/Examples, acá hay otros mas.

Mirando esos ejemplos y viendo la información que da esta página

https://mxtoolbox.com/SuperTool.aspx?action=spf%3aunorte.edu.uy&run=toolpage#, entiendo que lo que pasó fue que como la IP del Servidor MTA

Emisor (godel.csic.edu.uy) no coincide con ninguna de las IP del registro SPF de Unorte, se debe estar generado un SoftFail.

Este es el registro SPF de unorte actual:

v=spf1 a mx ip4:164.73.212.0/23 ip4:164.73.214.0/24 ip4:164.73.210.0/24 ip4:164.73.250.64/29 ip4:164.73.222.0/24 ~all

07/23/2020 6/8

http://www.openspf.org/FAQ/Examples

https://soporte.itlinux.cl/hc/es/articles/200120998-Interpretaci%C3%B3n-de-rebotes-de-correo

https://mxtoolbox.com/SuperTool.aspx?action=spf%3aunorte.edu.uy&run=toolpage

Estos son los logs de Godel que se generaron al momento del envío del mail a Miguel:

Sep 9 16:37:10 godel postfix/smtpd[325]: connect from mail2.fenf.edu.uy[164.73.124.106]

Sep 9 16:37:10 godel postfix/smtpd[325]: NOQUEUE: filter: RCPT from mail2.fenf.edu.uy[164.73.124.106]: <[email protected]>: Sender

address triggers FILTER smtp

-amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail2.fenf.edu.uy>

Sep 9 16:37:10 godel postfix/smtpd[325]: NOQUEUE: filter: RCPT from mail2.fenf.edu.uy[164.73.124.106]: <[email protected]>: Sender

address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]>

proto=ESMTP helo=<mail2.fenf.edu.uy>

Sep 9 16:37:13 godel postfix/smtpd[325]: 3121790024E: client=mail2.fenf.edu.uy[164.73.124.106]

Sep 9 16:37:13 godel postfix/cleanup[5140]: 3121790024E: message-id=<2481244.fD8AWp9jQb@goku>

Sep 9 16:37:13 godel postfix/qmgr[5157]: 3121790024E: from=<[email protected]>, size=2497, nrcpt=2 (queue active)

Sep 9 16:37:13 godel postfix/smtpd[325]: disconnect from mail2.fenf.edu.uy[164.73.124.106]

Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: connect from localhost[127.0.0.1]

Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: 53D709005DC: client=localhost[127.0.0.1]

Sep 9 16:37:15 godel postfix/cleanup[5140]: 53D709005DC: message-id=<2481244.fD8AWp9jQb@goku>

Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: disconnect from localhost[127.0.0.1]

Sep 9 16:37:15 godel postfix/qmgr[5157]: 53D709005DC: from=<[email protected]>, size=3341, nrcpt=1 (queue active)

Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: connect from localhost[127.0.0.1]

Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: A20B390086C: client=localhost[127.0.0.1]

Sep 9 16:37:15 godel postfix/cleanup[5140]: A20B390086C: message-id=<2481244.fD8AWp9jQb@goku>

Sep 9 16:37:16 godel postfix/amavisd/smtpd[5145]: disconnect from localhost[127.0.0.1]

Sep 9 16:37:16 godel postfix/qmgr[5157]: A20B390086C: from=<[email protected]>, size=2915, nrcpt=1 (queue active)

Sep 9 16:37:16 godel postfix/smtp[5141]: 3121790024E: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024,

delay=5, delays=2.4/0.01/0/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 53D709005DC)

Sep 9 16:37:16 godel postfix/smtp[5141]: 3121790024E: to=<[email protected]>, orig_to=<[email protected]>,

relay=127.0.0.1[127.0.0.1]:10024, delay=5, delays=2.4/0.01/0/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250

2.0.0 Ok: queued as 53D709005DC)

Sep 9 16:37:16 godel postfix/qmgr[5157]: 3121790024E: removed

Sep 9 16:37:16 godel postfix/lmtp[5146]: 53D709005DC: to=<[email protected]>,

relay=godel.csic.edu.uy[164.73.68.19]:7025, delay=0.85, delays=0.31/0.01/0.11/0.41, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)

Sep 9 16:37:16 godel postfix/qmgr[5157]: 53D709005DC: removed

Sep 9 16:37:17 godel postfix/smtp[5147]: A20B390086C: to=<[email protected]>, relay=dayman.unorte.edu.uy[164.73.212.3]:25,

delay=1.7, delays=0.37/0.01/0.17/1.1, dsn=5.0.0, status=bounced (host dayman.unorte.edu.uy[164.73.212.3] said: 550 Your rcpt is not permitted

(SPF - read spf.pobox.com) (in reply to RCPT TO command))

Sep 9 16:37:17 godel postfix/cleanup[5140]: 594D39005DC: message-id=<[email protected]>

Sep 9 16:37:17 godel postfix/bounce[5148]: A20B390086C: sender non-delivery notification: 594D39005DC

Sep 9 16:37:17 godel postfix/qmgr[5157]: 594D39005DC: from=<>, size=4987, nrcpt=1 (queue active)

Sep 9 16:37:17 godel postfix/qmgr[5157]: A20B390086C: removed

Sep 9 16:37:18 godel postfix/smtp[5147]: 594D39005DC: to=<[email protected]>, relay=mail.fenf.edu.uy[164.73.124.105]:25, delay=0.64,

delays=0.45/0/0.06/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D5B20C7C1EF)

Sep 9 16:37:18 godel postfix/qmgr[5157]: 594D39005DC: removed

#6 - 09/11/2017 04:46 PM - Andrés Pías

Esto que escribí está mal. Unorte no estaría implicado de acuerdo a estos ejemplos.

Andrés Pías escribió:

Para entender como funciona el SPF hay que mirar bien estos ejemplos: http://www.openspf.org/FAQ/Examples, acá hay otros mas.

Mirando esos ejemplos y viendo la información que da esta página

07/23/2020 7/8

http://www.openspf.org/FAQ/Examples

https://soporte.itlinux.cl/hc/es/articles/200120998-Interpretaci%C3%B3n-de-rebotes-de-correo

https://mxtoolbox.com/SuperTool.aspx?action=spf%3aunorte.edu.uy&run=toolpage#, entiendo que lo que pasó fue que como la IP del Servidor

MTA Emisor (godel.csic.edu.uy) no coincide con ninguna de las IP del registro SPF de Unorte, se debe estar generado un SoftFail.

Hay que mirar la información DNS del servidor que envía a Unorte, en este caso será el de Enfermeria o Godel?

Por lo que veo el que es más restrictivo es Enfermeria:

dig -t TXT fenf.edu.uy

fenf.edu.uy. 89 IN TXT "v=spf1 mx a:mail2.fenf.edu.uy a:mail3.fenf.edu.uy -all"

dig -t TXT litoralnorte.udelar.edu.uy

litoralnorte.udelar.edu.uy. 86400 IN TXT "v=spf1 mx a:russell.csic.edu.uy a:godel.csic.edu.uy a:dirac.csic.edu.uy ?all"

La config de Enrfemería será la que nos complica?

Quizá que por eso no se permite el reenvío de un mail dede cuenta @fenf.edu.uy sobre el server godel.csic.eduy que dado el SPF no está autorizado.

#7 - 09/13/2017 04:32 PM - Andrés Pías

Leyendo en las buenas prácticas de Forwarding de SPF vemos lo siguiente, que indica que el que termina por rechazar un correo es el MTA receptor:

Forwarding is only a problem for mail recipients who check SPF and do not make provisions for any forwarders they have set up.

...

Forwarders are generally set up by the mail recipient – and thus are the responsibility of the mail recipient.

Y en caso de que durante el forward del correo no se haga un sender-rewriting (re escritura del MAIL FROM:), el MTA receptor no debe rechazar el correo

basándose en el SPF:

When configuring a forwarder, all you need to know is whether the forwarder performs sender rewriting, e.g. SRS.

For non-sender-rewriting forwarders, accept all mail without checking SPF (any SPF results are meaningless). Hopefully, you (or your user) have

chosen a forwarder that checks SPF before forwarding. If your implementation allows it, also check SPF for a "pretend" MAIL FROM that your

forwarder could use (the original recipient RCPT at the forwarder before the email was forwarded). This verifies that the forwarded mail really came

from your trusted forwarder.

For sender-rewriting forwarders, do check SPF.

#8 - 10/30/2017 05:28 PM - Andrés Pías

- Status changed from En curso to Resuelta

- Assignee changed from Andrés Pías to Miguel Pertusatti

- % Done changed from 20 to 80

Luego de poner en la whilist de Dayman a Godel parece ser que no hubieron nuevos problemas.

Paso para revisar y/o cerrar.

07/23/2020 8/8

https://mxtoolbox.com/SuperTool.aspx?action=spf%3aunorte.edu.uy&run=toolpage

http://www.openspf.org/Best_Practices/Forwarding

http://www.openspf.org/SRS

Documents

Correo electrónico - Tareas #5788 - Software Libre › issues › 5788.pdf · Correo electrónico - Tareas #5788 Fallos de reenvíos de correos desde el dominio litoralnorte a unorte