Post on 03-Jul-2020
Correo electrónico - Tareas #5788
Fallos de reenvíos de correos desde el dominio litoralnorte a unorte
09/04/2017 03:40 PM - Andrés Pías
Status: Resuelta Start date: 09/04/2017
Priority: Alta Due date:
Assignee: Miguel Pertusatti % Done: 80%
Category: Estimated time: 0.00 hour
Target version: Spent time: 5.50 hours
Description
Anoto solicitud de Miguel:
Hola Andrés:
Te reenvío este correo que es el rebote que recibe "Guillermo Reisch" <----@fenf.edu.uy> cuando en vía un correo a "Mpertusatti" <
-----@litoralnorte.udelar.edu.uy>; el correo lo recibo en <-----@litoralnorte.udelar.edu.uy> pero no es reenviado a <
----@unorte.edu.uy>. Son casos que solo ocurren con remitentes de algunos servidores de correo.
Saludos
Miguel
----- Mensaje reenviado -----
De: "Guillermo Reisch" <-----@fenf.edu.uy>
Para: "Mpertusatti" ----@litoralnorte.udelar.edu.uy>
Enviados: Lunes, 4 de Septiembre 2017 13:21:31
Asunto: Fwd: Undelivered Mail Returned to Sender
-------- Original Message --------
Subject: Undelivered Mail Returned to Sender
Date: Mon, 4 Sep 2017 13:18:17 0300 (UYT)
From: MAILER-DAEMON@godel.csic.edu.uy (Mail Delivery System)
To: ---@fenf.edu.uy
This is the mail system at host godel.csic.edu.uy.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
---@unorte.edu.uy>: host dayman.unorte.edu.uy[164.73.212.3] said:
550 Your
rcpt is not permitted (SPF - read spf.pobox.com) (in reply to RCPT
TO
command)
07/23/2020 1/8
History
#1 - 09/04/2017 03:42 PM - Andrés Pías
- Description updated
#2 - 09/04/2017 03:57 PM - Andrés Pías
- Status changed from Nueva to En curso
Estoy viendo que en Litoral Norte tenemos al menos 2 problemas que intento descifrar que se puende ver acá:
https://intodns.com/litoralnorte.udelar.edu.uy
Missing nameservers reported by parent
FAIL: The following nameservers are listed at your nameservers as nameservers for your domain, but are not listed at the parent nameservers (see
RFC2181 5.4.1). You need to make sure that these nameservers are working.If they are not working ok, you may have problems!
ns2.litoralnorte.udelar.edu.uy
ns1.litoralnorte.udelar.edu.uy
Missing nameservers reported by your nameservers
ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:
arapey.unorte.edu.uy
This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and
the NS records point to your own domain, for example).
Parece que unorte no tiene ningún problema grave: https://intodns.com/unorte.edu.uy
#3 - 09/05/2017 01:17 PM - Andrés Pías
- % Done changed from 0 to 20
Estábamos viendo que si bien Arapey (principal) devuelve bien los registros NS de unorte.udelar.edu.uy y litoralnorte.udelar.edu.uy
dig @arapey.unorte.edu.uy -t NS unorte.edu.uy
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @arapey.unorte.edu.uy -t NS unorte.edu.uy
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31901
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;unorte.edu.uy. IN NS
;; ANSWER SECTION:
unorte.edu.uy. 86400 IN NS dayman.unorte.edu.uy.
unorte.edu.uy. 86400 IN NS seciu.edu.uy.
unorte.edu.uy. 86400 IN NS arapey.unorte.edu.uy.
07/23/2020 2/8
;; ADDITIONAL SECTION:
arapey.unorte.edu.uy. 86400 IN A 164.73.212.2
dayman.unorte.edu.uy. 86400 IN A 164.73.212.3
;; Query time: 45 msec
;; SERVER: 164.73.212.2#53(164.73.212.2)
;; WHEN: Tue Sep 05 13:11:14 UYT 2017
;; MSG SIZE rcvd: 136
dig @arapey.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @arapey.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14582
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;litoralnorte.udelar.edu.uy. IN NS
;; ANSWER SECTION:
litoralnorte.udelar.edu.uy. 86400 IN NS seciu.edu.uy.
litoralnorte.udelar.edu.uy. 86400 IN NS ns1.litoralnorte.udelar.edu.uy.
litoralnorte.udelar.edu.uy. 86400 IN NS ns2.litoralnorte.udelar.edu.uy.
;; ADDITIONAL SECTION:
ns1.litoralnorte.udelar.edu.uy. 86400 IN A 164.73.212.2
ns2.litoralnorte.udelar.edu.uy. 86400 IN A 164.73.212.3
;; Query time: 20 msec
;; SERVER: 164.73.212.2#53(164.73.212.2)
;; WHEN: Tue Sep 05 13:12:38 UYT 2017
;; MSG SIZE rcvd: 143
El DNS secundario Dayman no está respondiendo bien el NS de litoralnorte.udelar.edu.uy:
dig @dayman.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @dayman.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35596
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
07/23/2020 3/8
;; QUESTION SECTION:
;litoralnorte.udelar.edu.uy. IN NS
;; Query time: 20 msec
;; SERVER: 164.73.212.3#53(164.73.212.3)
;; WHEN: Tue Sep 05 13:16:29 UYT 2017
;; MSG SIZE rcvd: 55
dig @dayman.unorte.edu.uy -t NS unorte.edu.uy
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @dayman.unorte.edu.uy -t NS unorte.edu.uy
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60715
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;unorte.edu.uy. IN NS
;; ANSWER SECTION:
unorte.edu.uy. 86400 IN NS dayman.unorte.edu.uy.
unorte.edu.uy. 86400 IN NS seciu.edu.uy.
unorte.edu.uy. 86400 IN NS arapey.unorte.edu.uy.
;; ADDITIONAL SECTION:
arapey.unorte.edu.uy. 86400 IN A 164.73.212.2
dayman.unorte.edu.uy. 86400 IN A 164.73.212.3
;; Query time: 22 msec
;; SERVER: 164.73.212.3#53(164.73.212.3)
;; WHEN: Tue Sep 05 13:16:42 UYT 2017
;; MSG SIZE rcvd: 136
#4 - 09/11/2017 12:26 PM - Andrés Pías
Miguel estuvo ajustando la config DNS:
La directiva "allow-query" es de la configuración de BIND, ya agregué a godel.csic.edu.uy en esa configuración, voy a ver si logro que me envíen un
correo para probar.
...
Encontré que faltaba definir la zona litoralnorte en el DNS secundario, está corregido. Estoy esperando que me envíen un correo de prueba desde
uno de los servidores que evidenciaban el problema.
Dayman está respondiendo bien a las consultas:
07/23/2020 4/8
root@batareload:/home/apias# dig @dayman.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @dayman.unorte.edu.uy -t NS litoralnorte.udelar.edu.uy
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9306
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;litoralnorte.udelar.edu.uy. IN NS
;; ANSWER SECTION:
litoralnorte.udelar.edu.uy. 86400 IN NS ns2.litoralnorte.udelar.edu.uy.
litoralnorte.udelar.edu.uy. 86400 IN NS seciu.edu.uy.
litoralnorte.udelar.edu.uy. 86400 IN NS ns1.litoralnorte.udelar.edu.uy.
;; ADDITIONAL SECTION:
ns1.litoralnorte.udelar.edu.uy. 86400 IN A 164.73.212.2
ns2.litoralnorte.udelar.edu.uy. 86400 IN A 164.73.212.3
;; Query time: 22 msec
;; SERVER: 164.73.212.3#53(164.73.212.3)
;; WHEN: Mon Sep 11 12:17:40 UYT 2017
;; MSG SIZE rcvd: 143
Los mensajes de error en https://intodns.com/litoralnorte.udelar.edu.uy han desaparecido.
Pero en una nueva prueba de envío de mail desde cuenta de Facultad de Veterinaria al correo de Miguel de LitoralNorte, los mensajes no son reenviados
a su mail en Unorte:
Delivered-To: greisch@fenf.edu.uy
Received: from localhost (unknown [127.0.0.1]) by mail2.fenf.edu.uy (Postfix) with ESMTP id 88DA2C7C3A9 for <greisch@fenf.edu.uy>; Sat, 9
Sep 2017 16:37:25 -0300 (UYT)
X-Virus-Scanned: Debian amavisd-new at mail.fenf.edu.uy.fenf.edu.uy
Received: from mail2.fenf.edu.uy ([127.0.0.1]) by localhost (mail.fenf.edu.uy [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sJrjTCtCKeXT
for <greisch@fenf.edu.uy>; Sat, 9 Sep 2017 16:37:24 -0300 (UYT)
X-Original-Helo: godel.csic.edu.uy (iRedMail: http://www.iredmail.org/)
Received: from godel.csic.edu.uy (godel.csic.edu.uy [164.73.68.19]) by mail2.fenf.edu.uy (Postfix) with ESMTPS id D5B20C7C1EF for
<greisch@fenf.edu.uy>; Sat, 9 Sep 2017 16:37:24 -0300 (UYT)
Received: by godel.csic.edu.uy (Postfix) id 594D39005DC; Sat, 9 Sep 2017 16:37:17 -0300 (UYT)
Date: Sat, 09 Sep 2017 16:37:17 -0300
From: Mail Delivery System <MAILER-DAEMON@godel.csic.edu.uy>
Subject: Undelivered Mail Returned to Sender
To: greisch@fenf.edu.uy
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; boundary="A20B390086C.1504985837/godel.csic.edu.uy"; report-type="delivery-status"
Content-Transfer-Encoding: 7bit
Message-ID: <20170909193717.594D39005DC@godel.csic.edu.uy>
07/23/2020 5/8
This is a MIME-encapsulated message.
--A20B390086C.1504985837/godel.csic.edu.uy
Content-Description: Notification
Content-Type: text/plain; charset="us-ascii"
This is the mail system at host godel.csic.edu.uy.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<miguel@unorte.edu.uy>: host dayman.unorte.edu.uy[164.73.212.3] said: 550 Your
rcpt is not permitted (SPF - read spf.pobox.com) (in reply to RCPT TO
command)
--A20B390086C.1504985837/godel.csic.edu.uy
Content-Description: Delivery report
Content-Type: message/delivery-status
Reporting-MTA: dns; godel.csic.edu.uy
X-Postfix-Queue-ID: A20B390086C
X-Postfix-Sender: rfc822; greisch@fenf.edu.uy
Arrival-Date: Sat, 9 Sep 2017 16:37:15 -0300 (UYT)
Final-Recipient: rfc822; miguel@unorte.edu.uy
Original-Recipient: rfc822;mpertusatti@litoralnorte.udelar.edu.uy
Action: failed
Status: 5.0.0
Remote-MTA: dns; dayman.unorte.edu.uy
Diagnostic-Code: smtp; 550 Your rcpt is not permitted (SPF - read
spf.pobox.com)
#5 - 09/11/2017 01:52 PM - Andrés Pías
Para entender como funciona el SPF hay que mirar bien estos ejemplos: http://www.openspf.org/FAQ/Examples, acá hay otros mas.
Mirando esos ejemplos y viendo la información que da esta página
https://mxtoolbox.com/SuperTool.aspx?action=spf%3aunorte.edu.uy&run=toolpage#, entiendo que lo que pasó fue que como la IP del Servidor MTA
Emisor (godel.csic.edu.uy) no coincide con ninguna de las IP del registro SPF de Unorte, se debe estar generado un SoftFail.
Este es el registro SPF de unorte actual:
v=spf1 a mx ip4:164.73.212.0/23 ip4:164.73.214.0/24 ip4:164.73.210.0/24 ip4:164.73.250.64/29 ip4:164.73.222.0/24 ~all
07/23/2020 6/8
Estos son los logs de Godel que se generaron al momento del envío del mail a Miguel:
Sep 9 16:37:10 godel postfix/smtpd[325]: connect from mail2.fenf.edu.uy[164.73.124.106]
Sep 9 16:37:10 godel postfix/smtpd[325]: NOQUEUE: filter: RCPT from mail2.fenf.edu.uy[164.73.124.106]: <greisch@fenf.edu.uy>: Sender
address triggers FILTER smtp
-amavis:[127.0.0.1]:10026; from=<greisch@fenf.edu.uy> to=<mpertusatti@litoralnorte.udelar.edu.uy> proto=ESMTP helo=<mail2.fenf.edu.uy>
Sep 9 16:37:10 godel postfix/smtpd[325]: NOQUEUE: filter: RCPT from mail2.fenf.edu.uy[164.73.124.106]: <greisch@fenf.edu.uy>: Sender
address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<greisch@fenf.edu.uy> to=<mpertusatti@litoralnorte.udelar.edu.uy>
proto=ESMTP helo=<mail2.fenf.edu.uy>
Sep 9 16:37:13 godel postfix/smtpd[325]: 3121790024E: client=mail2.fenf.edu.uy[164.73.124.106]
Sep 9 16:37:13 godel postfix/cleanup[5140]: 3121790024E: message-id=<2481244.fD8AWp9jQb@goku>
Sep 9 16:37:13 godel postfix/qmgr[5157]: 3121790024E: from=<greisch@fenf.edu.uy>, size=2497, nrcpt=2 (queue active)
Sep 9 16:37:13 godel postfix/smtpd[325]: disconnect from mail2.fenf.edu.uy[164.73.124.106]
Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: connect from localhost[127.0.0.1]
Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: 53D709005DC: client=localhost[127.0.0.1]
Sep 9 16:37:15 godel postfix/cleanup[5140]: 53D709005DC: message-id=<2481244.fD8AWp9jQb@goku>
Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: disconnect from localhost[127.0.0.1]
Sep 9 16:37:15 godel postfix/qmgr[5157]: 53D709005DC: from=<greisch@fenf.edu.uy>, size=3341, nrcpt=1 (queue active)
Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: connect from localhost[127.0.0.1]
Sep 9 16:37:15 godel postfix/amavisd/smtpd[5145]: A20B390086C: client=localhost[127.0.0.1]
Sep 9 16:37:15 godel postfix/cleanup[5140]: A20B390086C: message-id=<2481244.fD8AWp9jQb@goku>
Sep 9 16:37:16 godel postfix/amavisd/smtpd[5145]: disconnect from localhost[127.0.0.1]
Sep 9 16:37:16 godel postfix/qmgr[5157]: A20B390086C: from=<greisch@fenf.edu.uy>, size=2915, nrcpt=1 (queue active)
Sep 9 16:37:16 godel postfix/smtp[5141]: 3121790024E: to=<mpertusatti@litoralnorte.udelar.edu.uy>, relay=127.0.0.1[127.0.0.1]:10024,
delay=5, delays=2.4/0.01/0/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 53D709005DC)
Sep 9 16:37:16 godel postfix/smtp[5141]: 3121790024E: to=<miguel@unorte.edu.uy>, orig_to=<mpertusatti@litoralnorte.udelar.edu.uy>,
relay=127.0.0.1[127.0.0.1]:10024, delay=5, delays=2.4/0.01/0/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 53D709005DC)
Sep 9 16:37:16 godel postfix/qmgr[5157]: 3121790024E: removed
Sep 9 16:37:16 godel postfix/lmtp[5146]: 53D709005DC: to=<mpertusatti@litoralnorte.udelar.edu.uy>,
relay=godel.csic.edu.uy[164.73.68.19]:7025, delay=0.85, delays=0.31/0.01/0.11/0.41, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Sep 9 16:37:16 godel postfix/qmgr[5157]: 53D709005DC: removed
Sep 9 16:37:17 godel postfix/smtp[5147]: A20B390086C: to=<miguel@unorte.edu.uy>, relay=dayman.unorte.edu.uy[164.73.212.3]:25,
delay=1.7, delays=0.37/0.01/0.17/1.1, dsn=5.0.0, status=bounced (host dayman.unorte.edu.uy[164.73.212.3] said: 550 Your rcpt is not permitted
(SPF - read spf.pobox.com) (in reply to RCPT TO command))
Sep 9 16:37:17 godel postfix/cleanup[5140]: 594D39005DC: message-id=<20170909193717.594D39005DC@godel.csic.edu.uy>
Sep 9 16:37:17 godel postfix/bounce[5148]: A20B390086C: sender non-delivery notification: 594D39005DC
Sep 9 16:37:17 godel postfix/qmgr[5157]: 594D39005DC: from=<>, size=4987, nrcpt=1 (queue active)
Sep 9 16:37:17 godel postfix/qmgr[5157]: A20B390086C: removed
Sep 9 16:37:18 godel postfix/smtp[5147]: 594D39005DC: to=<greisch@fenf.edu.uy>, relay=mail.fenf.edu.uy[164.73.124.105]:25, delay=0.64,
delays=0.45/0/0.06/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D5B20C7C1EF)
Sep 9 16:37:18 godel postfix/qmgr[5157]: 594D39005DC: removed
#6 - 09/11/2017 04:46 PM - Andrés Pías
Esto que escribí está mal. Unorte no estaría implicado de acuerdo a estos ejemplos.
Andrés Pías escribió:
Para entender como funciona el SPF hay que mirar bien estos ejemplos: http://www.openspf.org/FAQ/Examples, acá hay otros mas.
Mirando esos ejemplos y viendo la información que da esta página
07/23/2020 7/8
https://mxtoolbox.com/SuperTool.aspx?action=spf%3aunorte.edu.uy&run=toolpage#, entiendo que lo que pasó fue que como la IP del Servidor
MTA Emisor (godel.csic.edu.uy) no coincide con ninguna de las IP del registro SPF de Unorte, se debe estar generado un SoftFail.
Hay que mirar la información DNS del servidor que envía a Unorte, en este caso será el de Enfermeria o Godel?
Por lo que veo el que es más restrictivo es Enfermeria:
dig -t TXT fenf.edu.uy
fenf.edu.uy. 89 IN TXT "v=spf1 mx a:mail2.fenf.edu.uy a:mail3.fenf.edu.uy -all"
dig -t TXT litoralnorte.udelar.edu.uy
litoralnorte.udelar.edu.uy. 86400 IN TXT "v=spf1 mx a:russell.csic.edu.uy a:godel.csic.edu.uy a:dirac.csic.edu.uy ?all"
La config de Enrfemería será la que nos complica?
Quizá que por eso no se permite el reenvío de un mail dede cuenta @fenf.edu.uy sobre el server godel.csic.eduy que dado el SPF no está autorizado.
#7 - 09/13/2017 04:32 PM - Andrés Pías
Leyendo en las buenas prácticas de Forwarding de SPF vemos lo siguiente, que indica que el que termina por rechazar un correo es el MTA receptor:
Forwarding is only a problem for mail recipients who check SPF and do not make provisions for any forwarders they have set up.
...
Forwarders are generally set up by the mail recipient – and thus are the responsibility of the mail recipient.
Y en caso de que durante el forward del correo no se haga un sender-rewriting (re escritura del MAIL FROM:), el MTA receptor no debe rechazar el correo
basándose en el SPF:
When configuring a forwarder, all you need to know is whether the forwarder performs sender rewriting, e.g. SRS.
For non-sender-rewriting forwarders, accept all mail without checking SPF (any SPF results are meaningless). Hopefully, you (or your user) have
chosen a forwarder that checks SPF before forwarding. If your implementation allows it, also check SPF for a "pretend" MAIL FROM that your
forwarder could use (the original recipient RCPT at the forwarder before the email was forwarded). This verifies that the forwarded mail really came
from your trusted forwarder.
For sender-rewriting forwarders, do check SPF.
#8 - 10/30/2017 05:28 PM - Andrés Pías
- Status changed from En curso to Resuelta
- Assignee changed from Andrés Pías to Miguel Pertusatti
- % Done changed from 20 to 80
Luego de poner en la whilist de Dayman a Godel parece ser que no hubieron nuevos problemas.
Paso para revisar y/o cerrar.
07/23/2020 8/8