DevHeads.net

See a double-bounce mail generated by my postfix

I would like to be able to see an example of a double-bounce message
generated by my postfix (3.3.0) server. Can I get my postfix to send me
(say to an unrelated external mailbox) a double-bounce message?
Alternatively is there a way I can save, on the server, the double-bounce
message as and when it sends it to a third party? (These messages are not
saved locally by setting always_bcc.)

A concern I have is that qmgr records the double bounce message as coming
from <> - which seems odd:

2018-08-08 08:04:41 vps344444 postfix/bounce[28259]: 059F147CEF: sender non-delivery notification: 0C89547CF1
2018-08-08 08:04:41 vps344444 postfix/qmgr[20724]: 059F147CEF: removed
2018-08-08 08:04:41 vps344444 postfix/qmgr[20724]: 0C89547CF1: from=<>, size=4973, nrcpt=1 (queue active)

Comments

Re: See a double-bounce mail generated by my postfix

By Dominic Raferd at 08/08/2018 - 03:03

Sorry I have now found an example of a bounce message so the original part
of my question is no longer relevant.

The bounce message sender is indeed '<>', and the From header is
'MAILER-DAEMON@[mydomain]'. My problem with this is that although the
message is DKIM-signed (by opendkim), it fails DMARC alignment because of
the mismatch between sender and 'From:' header. The only related
non-default settings I have are:

main.cf:
canonical_maps = hash:/etc/postfix/canonical inline:{$double_bounce_sender@
$myhostname=double-bounce@$mydomain}

canonical:
<> root
www-data root
postfix root
root@localhost root

Maybe the inline table rewriting is not working? I would expect both the
sender and the 'From:' header to be double_bounce@[mydomain]

Re: See a double-bounce mail generated by my postfix

By Wietse Venema at 08/08/2018 - 06:49

Dominic Raferd:
I don't know of any promise that canonical_maps will use <> as the
lookup key for the null address.

Wietse

Re: See a double-bounce mail generated by my postfix

By Dominic Raferd at 08/08/2018 - 09:01

I will remove that, I put it there a long time ago when I knew (even) less
about postfix. But I doubt it is the cause of my problem here?

Re: See a double-bounce mail generated by my postfix

By Wietse Venema at 08/08/2018 - 09:53

Dominic Raferd:
If you're referring to envelope.from versus header.from alignment
of bounce messages, then you may want to read RFC 7489 section
3.1.2, which in turn refers to RFC 7208 Section 2.4, which says:

[RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
[RFC5321]). In this case, there is no explicit sender mailbox, and
such a message can be assumed to be a notification message from the
mail system itself. WHEN THE REVERSE-PATH IS NULL, THIS DOCUMENT
DEFINES THE "MAIL FROM" IDENTITY TO BE THE MAILBOX COMPOSED OF THE
LOCAL-PART "POSTMASTER" AND THE "HELO" IDENTITY (WHICH MIGHT OR MIGHT
NOT HAVE BEEN CHECKED SEPARATELY BEFORE).

(emphasis added by myself).

Thus, if you are concerned that your bounces are failing alignment
checks, then do not change the null address, instead, adjust your
HELO domain name such that it is aligned with the header.from.

Never have I expected that I would have to explain how to use SPF.

Wietse

Re: See a double-bounce mail generated by my postfix

By Dominic Raferd at 08/08/2018 - 13:59

Thanks. This is interesting information, however already on my server
$smtp_helo_name = $mydomain = $myhostname = $myorigin = domain name as
shown in the header.from.

> Never have I expected that I would have to explain how to use SPF.

Thank you for the explanation, but my issue is not SPF alignment, it is
DKIM alignment. So the relevant part of RFC7489 (thank you for the pointer)
is 3.1.1 and DKIM alignment is about a match between the header.from
(RFC5322.From) and the 'd=' field in the DKIM signature. (A missing DKIM
signature is also reported as failed DKIM alignment - at least by my reporter.)

A very few emails from this server, although passing SPF (and hence DMARC),
fail DKIM alignment (I am not told which ones, only the weekly count). This
will not prevent their delivery (unless the recipient server relays them to
another server which does a DMARC check) but is unexpected and untidy. The
null sender double bounce emails had seemed plausible culprits but I now
realise they already meet (SPF and) DKIM alignment requirements, so I am
thinking again; I have found 3 / 6 in the last week occurred during a
server upgrade when opendkim was down. At any rate it does not seem to be a
postfix-related issue so I will pipe down.
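
The two alignment checks discussed in this thread (the SPF identity for a null-sender bounce per RFC 7208 section 2.4, and the DKIM 'd=' match per RFC 7489 section 3.1.1), as an added example that is not part of any poster's message. The function names, the example.org / hoster.example domains and the sample cases are constructed, and the organizational domain is approximated as the last two labels, where a real evaluator uses the Public Suffix List.

```python
# Added example: DMARC identifier alignment (RFC 7489 section 3.1) for bounces.
# Assumption: organizational domain = last two labels (no Public Suffix List).

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(identity_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    a = identity_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def spf_identity_domain(mail_from, helo):
    """RFC 7208 section 2.4: a null reverse-path is treated as postmaster@<HELO>."""
    if mail_from in ("", "<>"):
        return helo
    return mail_from.strip("<>").rsplit("@", 1)[1]

def dmarc_alignment(mail_from, helo, header_from, dkim_d=None,
                    spf_pass=True, dkim_pass=True, strict=False):
    """Return SPF/DKIM alignment and the overall DMARC result for one message."""
    from_domain = header_from.rsplit("@", 1)[1].rstrip(">")
    spf_ok = spf_pass and aligned(spf_identity_domain(mail_from, helo),
                                  from_domain, strict)
    # An unsigned message has no d= to compare, so DKIM alignment fails.
    dkim_ok = bool(dkim_d) and dkim_pass and aligned(dkim_d, from_domain, strict)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample cases: (label, keyword arguments)
CASES = [
    ("signed bounce, HELO matches From",
     dict(mail_from="<>", helo="example.org",
          header_from="MAILER-DAEMON@example.org", dkim_d="example.org")),
    ("bounce sent while the signer was down",
     dict(mail_from="<>", helo="example.org",
          header_from="MAILER-DAEMON@example.org", dkim_d=None)),
    ("unsigned bounce, HELO is the hoster's name",
     dict(mail_from="<>", helo="vps.hoster.example",
          header_from="MAILER-DAEMON@example.org", dkim_d=None)),
]

def run_cases():
    return {label: dmarc_alignment(**kwargs) for label, kwargs in CASES}

if __name__ == "__main__":
    for label, result in run_cases().items():
        print(f"{label}: {result}")
```

The second case is the one a weekly aggregate report counts as a DKIM alignment failure even though the message still passes DMARC through SPF.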