
gmail is bouncing our bounce reports

Open jfly opened this issue 11 months ago • 1 comments

While debugging https://github.com/NixOS/infra/issues/649, I ran into the following:

(Note: email addresses have been scrambled, but the intent should be clear.)

  • Send an email from [email protected] to [email protected]
  • nixos.org is configured to forward test-list@ to [email protected], where jfly.example.com is managed by final-mailserver.example.com, which I control. I intentionally configured that mailserver to bounce emails from nixos.org
  • nixos.org's mailserver sees the bounce from the final mailserver, and then tries to send a bounce to jfly@gmail. That bounce is rejected by gmail.

Here's what we see on umbriel:

```
Apr 21 20:40:10 umbriel postfix/smtp[259316]: 5A720658C: to=<[email protected]>, orig_to=<[email protected]>, relay=final-mailserver.example.com[MAILSERVER_IP]:25, delay=3.3, delays=0.47/0/2.5/0.36, dsn=5.7.1, status=bounced (host final-mailserver.example.com[MAILSERVER_IP] said: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied (in reply to RCPT TO command))
Apr 21 20:40:10 umbriel postfix/cleanup[259328]: B6942658D: message-id=<[email protected]>
Apr 21 20:40:10 umbriel postfix/bounce[259332]: 5A720658C: sender non-delivery notification: B6942658D
Apr 21 20:40:10 umbriel postfix/qmgr[258926]: B6942658D: from=<>, size=6759, nrcpt=1 (queue active)
Apr 21 20:40:10 umbriel postfix/qmgr[258926]: 5A720658C: removed
Apr 21 20:40:10 umbriel postfix/smtp[259316]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
Apr 21 20:40:11 umbriel postfix/smtp[259316]: B6942658D: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a]:25, delay=0.46, delays=0/0/0.19/0.27, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26  550-5.7.26  Authentication results: 550-5.7.26  DKIM = did not pass 550-5.7.26  SPF [] with ip: [2a01:4f9:c011:8fb5::1] = did not pass 550-5.7.26  550-5.7.26  For instructions on setting up authentication, go to 550 5.7.26  https://support.google.com/mail/answer/81126#authentication 38308e7fff4ca-31090755b70si32094831fa.41 - gsmtp (in reply to end of DATA command))
Apr 21 20:40:11 umbriel postfix/qmgr[258926]: B6942658D: removed
```

We see the bounce when umbriel tries to forward to [email protected]:

```
Apr 21 20:40:10 umbriel postfix/smtp[259316]: 5A720658C: to=<[email protected]>, orig_to=<[email protected]>, relay=final-mailserver.example.com[MAILSERVER_IP]:25, delay=3.3, delays=0.47/0/2.5/0.36, dsn=5.7.1, status=bounced (host final-mailserver.example.com[MAILSERVER_IP] said: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied (in reply to RCPT TO command))
```

And then we see another bounce when umbriel tries to notify the sender ([email protected]) of the bounce:

```
Apr 21 20:40:11 umbriel postfix/smtp[259316]: B6942658D: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a]:25, delay=0.46, delays=0/0/0.19/0.27, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26  550-5.7.26  Authentication results: 550-5.7.26  DKIM = did not pass 550-5.7.26  SPF [] with ip: [2a01:4f9:c011:8fb5::1] = did not pass 550-5.7.26  550-5.7.26  For instructions on setting up authentication, go to 550 5.7.26  https://support.google.com/mail/answer/81126#authentication 38308e7fff4ca-31090755b70si32094831fa.41 - gsmtp (in reply to end of DATA command))
```

jfly avatar Apr 21 '25 21:04 jfly
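An added example, not part of the original issue or of the NixOS infra code: a Python check that correlates Postfix log lines by queue ID to flag non-delivery notifications (null envelope sender, `from=<>`) that the receiving server itself rejected with a 5.7.x policy code, which is the pattern in the logs above. The sample log lines, hostnames, addresses and queue IDs are constructed placeholders, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Postfix log format in the issue above;
# hosts, addresses and queue IDs are placeholders, not values from the issue.
SAMPLE_LOG = """\
Apr 21 20:40:10 mx postfix/smtp[101]: AAAA1111: to=<final@dest.example>, orig_to=<list@lists.example>, relay=mail.dest.example[192.0.2.10]:25, delay=3.3, dsn=5.7.1, status=bounced (host mail.dest.example[192.0.2.10] said: 554 5.7.1 Sender address rejected: Access denied (in reply to RCPT TO command))
Apr 21 20:40:10 mx postfix/bounce[102]: AAAA1111: sender non-delivery notification: BBBB2222
Apr 21 20:40:10 mx postfix/qmgr[100]: BBBB2222: from=<>, size=6759, nrcpt=1 (queue active)
Apr 21 20:40:11 mx postfix/smtp[101]: BBBB2222: to=<sender@mailbox.example>, relay=mx.mailbox.example[2001:db8::1a]:25, delay=0.46, dsn=5.7.26, status=bounced (host mx.mailbox.example[2001:db8::1a] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. (in reply to end of DATA command))
Apr 21 20:40:12 mx postfix/qmgr[100]: CCCC3333: from=<user@lists.example>, size=1200, nrcpt=1 (queue active)
Apr 21 20:40:13 mx postfix/smtp[101]: CCCC3333: to=<other@mailbox.example>, relay=mx.mailbox.example[2001:db8::1a]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

LINE = re.compile(r"postfix/(?P<svc>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
DSN_LINK = re.compile(r"sender non-delivery notification: (?P<child>[0-9A-F]+)")
DELIVERY = re.compile(
    r"to=<(?P<rcpt>[^>]*)>.*?relay=(?P<relay>[^,\[]+).*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")

def find_rejected_dsns(log_text):
    """Return bounce notifications (null sender) that the remote side rejected with 5.7.x."""
    null_sender, parent_of, deliveries = set(), {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if m["svc"] == "qmgr" and rest.startswith("from=<>"):
            null_sender.add(qid)             # this queue entry is a DSN
        elif m["svc"] == "bounce" and (link := DSN_LINK.search(rest)):
            parent_of[link["child"]] = qid   # DSN queue ID -> message that bounced
        elif m["svc"] == "smtp" and (d := DELIVERY.search(rest)):
            deliveries[qid].append(d.groupdict())
    findings = []
    for qid in sorted(null_sender):
        for d in deliveries[qid]:
            if d["status"] == "bounced" and d["dsn"].startswith("5.7."):
                findings.append({"dsn_queue_id": qid,
                                 "original_queue_id": parent_of.get(qid), **d})
    return findings

if __name__ == "__main__":
    for finding in find_rejected_dsns(SAMPLE_LOG):
        print(finding)
```

Each finding is a sender who never learned that their message bounced, because Postfix removes the rejected notification from the queue, as the `removed` line in the logs above shows.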

We discussed this briefly at today's infra team meeting. @mweinelt is interested in creating an email and testing this out.

jfly avatar May 01 '25 16:05 jfly