Re: Debug 'Message is not RFC 2822 compliant'?
For the sake of completeness I'll just send a short update to this thread.

We debugged the behaviour using Gilles' debug instance and it looks like Apple Mail is generating a single-line References header that doesn't comply with RFC 2822, making it too large in some cases. It should not be 78 characters, if it is it should be split into multiple lines. OpenSMTPD will refuse after 998. In my example the line was 1078 characters.

I've filed a bug report with Apple (developer portal), id 21813193 if anyone wants to reference it or something.

As a workaround one can use forward instead of reply and copy the recipients from the original thread. Then Apple Mail will simply drop the References header.

Thanks a lot to Gilles for the quick debug

Eric

On 2015-07-14, at 15:19, Eric Ripa e...@stickybit.se wrote:

Hi, yes. Sorry for the late reply. I haven't tested another mail client. I guess it's #opensmtpd @ freenode right?

Thanks, Eric

On 2015-07-14, at 15:13, Gilles Chehade gil...@poolp.org wrote:

Are you around ? Can we arrange for you to come on IRC at a time where I'm around so we can do a test on my own MX ?

On Sat, Jul 11, 2015 at 10:26:17PM +0200, Eric Ripa wrote:

Thanks for the response. I suspected that but given that the actual content in this case is confidential I was a bit hesitant. Here's the leading part of the [MSG] section. Can you see anything triggering this?
[MSG] From: My Name m...@domain.com
[MSG] Content-Type: multipart/signed; boundary=Apple-Mail=_72DA7FD1-7F93-4028-B624-1213C11481BD; protocol=application/pkcs7-signature; micalg=sha1
[MSG] Message-Id: a43d767b-9985-4990-8d65-e3b12f036...@domain.com
[MSG] Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3067\))
[MSG] Subject: =?utf-8?Q?Re=3A_M=C3=B6tet_imorgon?=
[MSG] Date: Sat, 11 Jul 2015 22:16:19 +0200
[MSG] References: CAA-Q+[REDACTED]z1=Zy=4zkkr_dykq4qzeenv--bz...@mail.gmail.com 1695ed38-f691-45c5-8aa3-336ce8de3...@domain.com CAA-Q+[REDACTED]XAkzv+LMt+DCcummP=oJQiqqWcj=f...@mail.gmail.com 8a0aba7a-241c-495c-8861-7b75283b1...@domain.com CAA-Q+[REDACTED]w3czctp88zqjxbqlnxbccuugdoy...@mail.gmail.com cba3895c-1edc-4028-bc2e-3d65a5e90...@domain.com CAA-Q+[REDACTED]--t_oebv05v69vtmotafqroopob...@mail.gmail.com 410ab57c-4565-4e8c-835a-a629a189c...@domain.com CAA-Q+[REDACTED]yYXYjmHE7Yn3Stbw8kqk3K=6+2=j...@mail.gmail.com c55bd6a6-d61c-4659-b1b8-aae9fbf97...@domain.com CAA-Q+[REDACTED]umyza6n27keqd_drgkydd8lzpwi...@mail.gmail.com 9b5786c8-9576-41f6-b624-801acb64e...@domain.com CAA-Q+[REDACTED]vaoq7xsa24ohad+o23fdwgde+8q...@mail.gmail.com 8d5a9215-4d04-4fe3-87d4-9791cb05f...@domain.com CAA-Q+[REDACTED]++qrr34y+hzptnvosz_b3xvpug+...@mail.gmail.com 54a2c287-83c5-44f8-a769-dc2f0f73f...@domain.com CAA-Q+[REDACTED]ka7ccdghgxw301bpq2u+kblcza1...@mail.gmail.com CAA-Q+[REDACTED]pzqjzzy-_q4gpohstrlqe2nt+hl...@mail.gmail.com
[MSG] To: t...@example.com
[MSG] In-Reply-To: CAA-Q+[REDACTED]qe2nt+hl...@mail.gmail.com
[MSG] X-Mailer: Apple Mail (2.3067)
[MSG]
[MSG]
[MSG] --Apple-Mail=_72DA7FD1-7F93-4028-B624-1213C11481BD
[MSG] Content-Type: multipart/alternative;
[MSG] boundary=Apple-Mail=_1D1CF9DB-435D-4B6D-B041-4150C3143099
[MSG]
[MSG]
[MSG] --Apple-Mail=_1D1CF9DB-435D-4B6D-B041-4150C3143099
[MSG] Content-Transfer-Encoding: quoted-printable
[MSG] Content-Type: text/plain;
[MSG] charset=utf-8
[MSG] . . actual content .
[MSG] --Apple-Mail=_72DA7FD1-7F93-4028-B624-1213C11481BD-- [EOM] On 2015-07-11, at 14:34, Gilles Chehade gil...@poolp.org wrote: On Sat, Jul 11, 2015 at 01:28:29PM +0200, Eric Ripa wrote: Hi, I occasionally have an issue with outgoing mails not being accepted by OpenSMTPD due to Message is not RFC 2822 compliant. It's also a recurring problem of a client of mine were I've setup OpenSMTPD. Both systems are running 5.7.1, one on OpenBSD 5.6 and this one on OpenBSD 5.8-beta (snapshot from 2015-07-10). I believe this message in the log is a bit strange: received invalid command: DATA In this particular case the mail is a fairly long conversation with 10+ replies in HTML. In the past the only remedy has been to remove large parts of the email history. I've also seen this occur in a single reply-to instance. In all cases so far the MUA has been various versions of Apple Mail, ranging from default version in 10.9 to this example with latest 10.11 beta. Any way to debug this behaviour it further? Thanks Eric Ripa smtp: 0x147357517000: connected to listener 0x147414db5000 [hostname=mail.domain.com, port=587, tag=] smtp: 0x147357517000: STATE_NEW - STATE_CONNECTED smtp-in: session 8917f8161d62f58a: connection from host client.isp.com [1.2.3.4] established smtp: 0x147357517000: 220 mail.domain.com ESMTP OpenSMTPD smtp: 0x147357517000: EHLO [192.168.1.2] smtp: 0x147357517000: STATE_CONNECTED - STATE_HELO smtp: 0x147357517000: 250
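An added example, not part of the thread and not OpenSMTPD code: a check for the condition diagnosed above, a References header sent as one physical line longer than the 998 characters RFC 2822 section 2.1.1 allows (78 is the recommended maximum), together with the whitespace folding a compliant client would apply. The sample message and its message-ids are constructed, and all function names are hypothetical.

```python
import re

HARD_LIMIT = 998  # RFC 2822 2.1.1: a line MUST NOT exceed this (CRLF excluded)
SOFT_LIMIT = 78   # RFC 2822 2.1.1: a line SHOULD NOT exceed this (CRLF excluded)
FOLDABLE = ("references", "in-reply-to")  # msg-id lists, safe to fold at spaces


def overlong_lines(message, limit=HARD_LIMIT):
    """Return [(line_number, length)] for physical lines longer than limit."""
    return [(n, len(line))
            for n, line in enumerate(message.split("\r\n"), start=1)
            if len(line) > limit]


def fold_header(line, width=SOFT_LIMIT):
    """Fold one unfolded header line at whitespace (RFC 2822 section 2.2.3).

    CRLF is inserted before an existing space, so unfolding gives back the
    original line when its tokens were separated by single spaces. A token
    longer than width stays on a line of its own; it cannot be split.
    """
    name, sep, value = line.partition(":")
    words = value.split()
    if not words:
        return line
    physical = [name + sep + " " + words[0]]
    for word in words[1:]:
        if len(physical[-1]) + 1 + len(word) <= width:
            physical[-1] += " " + word
        else:
            physical.append(" " + word)  # continuation line starts with a space
    return "\r\n".join(physical)


def unfold(text):
    """Undo folding: drop every CRLF that is followed by a space or tab."""
    return re.sub(r"\r\n(?=[ \t])", "", text)


def fold_msgid_headers(message, width=SOFT_LIMIT):
    """Fold overlong References/In-Reply-To lines in the header section only."""
    head, sep, body = message.partition("\r\n\r\n")
    fixed = []
    for line in head.split("\r\n"):
        name = line.partition(":")[0].lower()
        if len(line) > width and name in FOLDABLE:
            line = fold_header(line, width)
        fixed.append(line)
    return "\r\n".join(fixed) + sep + body


def sample_message(n_ids=22):
    """Constructed message whose References header is one unfolded line."""
    ids = " ".join("<%04d.constructed-id-for-example@mail.example.com>" % i
                   for i in range(n_ids))
    return "\r\n".join([
        "From: sender@example.com",
        "To: rcpt@example.com",
        "Subject: Re: constructed example",
        "References: " + ids,
        "",
        "body text",
    ])


if __name__ == "__main__":
    msg = sample_message()
    print("over 998 before folding:", overlong_lines(msg))
    fixed = fold_msgid_headers(msg)
    print("over 998 after folding: ", overlong_lines(fixed))
    print("over 78 after folding:  ", overlong_lines(fixed, SOFT_LIMIT))
```

Running `overlong_lines` over a message captured from the client before submission shows which header a server enforcing the 998-character limit would object to.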
Debug 'Message is not RFC 2822 compliant'?
Hi,

I occasionally have an issue with outgoing mails not being accepted by OpenSMTPD due to Message is not RFC 2822 compliant. It's also a recurring problem of a client of mine where I've set up OpenSMTPD. Both systems are running 5.7.1, one on OpenBSD 5.6 and this one on OpenBSD 5.8-beta (snapshot from 2015-07-10).

I believe this message in the log is a bit strange: received invalid command: DATA

In this particular case the mail is a fairly long conversation with 10+ replies in HTML. In the past the only remedy has been to remove large parts of the email history. I've also seen this occur in a single reply-to instance. In all cases so far the MUA has been various versions of Apple Mail, ranging from default version in 10.9 to this example with latest 10.11 beta.

Any way to debug this behaviour further?

Thanks
Eric Ripa

smtp: 0x147357517000: connected to listener 0x147414db5000 [hostname=mail.domain.com, port=587, tag=]
smtp: 0x147357517000: STATE_NEW - STATE_CONNECTED
smtp-in: session 8917f8161d62f58a: connection from host client.isp.com [1.2.3.4] established
smtp: 0x147357517000: 220 mail.domain.com ESMTP OpenSMTPD
smtp: 0x147357517000: EHLO [192.168.1.2]
smtp: 0x147357517000: STATE_CONNECTED - STATE_HELO
smtp: 0x147357517000: 250-mail.domain.com Hello [192.168.1.2] [1.2.3.4], pleased to meet you
smtp: 0x147357517000: 250-8BITMIME
smtp: 0x147357517000: 250-ENHANCEDSTATUSCODES
smtp: 0x147357517000: 250-SIZE 36700160
smtp: 0x147357517000: 250-DSN
smtp: 0x147357517000: 250-STARTTLS
smtp: 0x147357517000: 250 HELP
smtp: 0x147357517000: STARTTLS
smtp: 0x147357517000: 220 2.0.0: Ready to start TLS
smtp: 0x147357517000: STATE_HELO - STATE_TLS
smtp-in: session 8917f8161d62f58a: TLS started version=TLSv1/SSLv3 (), cipher=ECDHE-RSA-AES256-SHA, bits=256
smtp: 0x147357517000: STATE_TLS - STATE_HELO
smtp: 0x147357517000: EHLO [192.168.1.2]
smtp: 0x147357517000: STATE_HELO - STATE_HELO
smtp: 0x147357517000: 250-mail.domain.com Hello [192.168.1.2] [1.2.3.4], pleased to meet you
smtp: 0x147357517000: 250-8BITMIME
smtp: 0x147357517000: 250-ENHANCEDSTATUSCODES
smtp: 0x147357517000: 250-SIZE 36700160
smtp: 0x147357517000: 250-DSN
smtp: 0x147357517000: 250-AUTH PLAIN LOGIN
smtp: 0x147357517000: 250 HELP
smtp: 0x147357517000: AUTH PLAIN ZXJpY0dkfoskdofKOKFODSfkODKfoSDkfodskfOSDFZmVZcSxrLHBMeGE5OVFSeUFuSFVDWF1KQg==
smtp: 0x147357517000: STATE_HELO - STATE_AUTH_INIT
smtp-in: session 8917f8161d62f58a: authentication successful for user m...@domain.com
smtp: 0x147357517000: 235 2.0.0: Authentication succeeded
smtp: 0x147357517000: STATE_AUTH_INIT - STATE_HELO
smtp: 0x147357517000: MAIL FROM:m...@domain.com
smtp: 0x147357517000: 250 2.0.0: Ok
smtp: 0x147357517000: RCPT TO:t...@example.com
smtp: 0x147357517000: 250 2.1.5 Destination address valid: Recipient ok [1101/1838]
smtp: 0x147357517000: RCPT TO:c...@example.com
smtp: 0x147357517000: 250 2.1.5 Destination address valid: Recipient ok
smtp: 0x147357517000: DATA
smtp: 0x147357517000: STATE_HELO - STATE_BODY
smtp: 0x147357517000: 354 Enter mail, end with . on a line by itself
...lots of [MSG]...
smtp: 0x147357517000: 550 5.7.1 Delivery not authorized, message refused: Message is not RFC 2822 compliant
smtp-in: session 8917f8161d62f58a: received invalid command: DATA
smtp: 0x147357517000: STATE_BODY - STATE_HELO
smtp: 0x147357517000: QUIT
smtp: 0x147357517000: 221 2.0.0: Bye
smtp: 0x147357517000: STATE_HELO - STATE_QUIT
smtp-in: session 8917f8161d62f58a: connection from host client.isp.com [1.2.3.4] closed (client sent QUIT)

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Debug 'Message is not RFC 2822 compliant'?
Thanks for the response. I suspected that but given that the actual content in this case is confidential I was a bit hesitant. Here's the leading part of the [MSG] section. Can you see anything triggering this?

[MSG] From: My Name m...@domain.com
[MSG] Content-Type: multipart/signed; boundary=Apple-Mail=_72DA7FD1-7F93-4028-B624-1213C11481BD; protocol=application/pkcs7-signature; micalg=sha1
[MSG] Message-Id: a43d767b-9985-4990-8d65-e3b12f036...@domain.com
[MSG] Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3067\))
[MSG] Subject: =?utf-8?Q?Re=3A_M=C3=B6tet_imorgon?=
[MSG] Date: Sat, 11 Jul 2015 22:16:19 +0200
[MSG] References: CAA-Q+[REDACTED]z1=Zy=4zkkr_dykq4qzeenv--bz...@mail.gmail.com 1695ed38-f691-45c5-8aa3-336ce8de3...@domain.com CAA-Q+[REDACTED]XAkzv+LMt+DCcummP=oJQiqqWcj=f...@mail.gmail.com 8a0aba7a-241c-495c-8861-7b75283b1...@domain.com CAA-Q+[REDACTED]w3czctp88zqjxbqlnxbccuugdoy...@mail.gmail.com cba3895c-1edc-4028-bc2e-3d65a5e90...@domain.com CAA-Q+[REDACTED]--t_oebv05v69vtmotafqroopob...@mail.gmail.com 410ab57c-4565-4e8c-835a-a629a189c...@domain.com CAA-Q+[REDACTED]yYXYjmHE7Yn3Stbw8kqk3K=6+2=j...@mail.gmail.com c55bd6a6-d61c-4659-b1b8-aae9fbf97...@domain.com CAA-Q+[REDACTED]umyza6n27keqd_drgkydd8lzpwi...@mail.gmail.com 9b5786c8-9576-41f6-b624-801acb64e...@domain.com CAA-Q+[REDACTED]vaoq7xsa24ohad+o23fdwgde+8q...@mail.gmail.com 8d5a9215-4d04-4fe3-87d4-9791cb05f...@domain.com CAA-Q+[REDACTED]++qrr34y+hzptnvosz_b3xvpug+...@mail.gmail.com 54a2c287-83c5-44f8-a769-dc2f0f73f...@domain.com CAA-Q+[REDACTED]ka7ccdghgxw301bpq2u+kblcza1...@mail.gmail.com CAA-Q+[REDACTED]pzqjzzy-_q4gpohstrlqe2nt+hl...@mail.gmail.com
[MSG] To: t...@example.com
[MSG] In-Reply-To: CAA-Q+[REDACTED]qe2nt+hl...@mail.gmail.com
[MSG] X-Mailer: Apple Mail (2.3067)
[MSG]
[MSG]
[MSG] --Apple-Mail=_72DA7FD1-7F93-4028-B624-1213C11481BD
[MSG] Content-Type: multipart/alternative;
[MSG] boundary=Apple-Mail=_1D1CF9DB-435D-4B6D-B041-4150C3143099
[MSG]
[MSG]
[MSG]
--Apple-Mail=_1D1CF9DB-435D-4B6D-B041-4150C3143099 [MSG] Content-Transfer-Encoding: quoted-printable [MSG] Content-Type: text/plain; [MSG] charset=utf-8 [MSG] . . actual content . [MSG] --Apple-Mail=_72DA7FD1-7F93-4028-B624-1213C11481BD-- [EOM] On 2015-07-11, at 14:34, Gilles Chehade gil...@poolp.org wrote: On Sat, Jul 11, 2015 at 01:28:29PM +0200, Eric Ripa wrote: Hi, I occasionally have an issue with outgoing mails not being accepted by OpenSMTPD due to Message is not RFC 2822 compliant. It's also a recurring problem of a client of mine were I've setup OpenSMTPD. Both systems are running 5.7.1, one on OpenBSD 5.6 and this one on OpenBSD 5.8-beta (snapshot from 2015-07-10). I believe this message in the log is a bit strange: received invalid command: DATA In this particular case the mail is a fairly long conversation with 10+ replies in HTML. In the past the only remedy has been to remove large parts of the email history. I've also seen this occur in a single reply-to instance. In all cases so far the MUA has been various versions of Apple Mail, ranging from default version in 10.9 to this example with latest 10.11 beta. Any way to debug this behaviour it further? 
Thanks Eric Ripa smtp: 0x147357517000: connected to listener 0x147414db5000 [hostname=mail.domain.com, port=587, tag=] smtp: 0x147357517000: STATE_NEW - STATE_CONNECTED smtp-in: session 8917f8161d62f58a: connection from host client.isp.com [1.2.3.4] established smtp: 0x147357517000: 220 mail.domain.com ESMTP OpenSMTPD smtp: 0x147357517000: EHLO [192.168.1.2] smtp: 0x147357517000: STATE_CONNECTED - STATE_HELO smtp: 0x147357517000: 250-mail.domain.com Hello [192.168.1.2] [1.2.3.4], pleased to meet you smtp: 0x147357517000: 250-8BITMIME smtp: 0x147357517000: 250-ENHANCEDSTATUSCODES smtp: 0x147357517000: 250-SIZE 36700160 smtp: 0x147357517000: 250-DSN smtp: 0x147357517000: 250-STARTTLS smtp: 0x147357517000: 250 HELP smtp: 0x147357517000: STARTTLS smtp: 0x147357517000: 220 2.0.0: Ready to start TLS smtp: 0x147357517000: STATE_HELO - STATE_TLS smtp-in: session 8917f8161d62f58a: TLS started version=TLSv1/SSLv3 (), cipher=ECDHE-RSA-AES256-SHA, bits=256 smtp: 0x147357517000: STATE_TLS - STATE_HELO smtp: 0x147357517000: EHLO [192.168.1.2] smtp: 0x147357517000: STATE_HELO - STATE_HELO smtp: 0x147357517000: 250-mail.domain.com Hello [192.168.1.2] [1.2.3.4], pleased to meet you smtp: 0x147357517000: 250-8BITMIME smtp: 0x147357517000: 250-ENHANCEDSTATUSCODES smtp: 0x147357517000: 250-SIZE 36700160 smtp: 0x147357517000: 250-DSN smtp: 0x147357517000: 250-AUTH PLAIN LOGIN smtp: 0x147357517000: 250 HELP smtp: 0x147357517000: AUTH PLAIN ZXJpY0dkfoskdofKOKFODSfkODKfoSDkfodskfOSDFZmVZcSxrLHBMeGE5OVFSeUFuSFVDWF1KQg== smtp: 0x147357517000: STATE_HELO - STATE_AUTH_INIT smtp-in: session 8917f8161d62f58a: authentication successful for user m...@domain.com smtp: 0x147357517000
Re: Version info
Hi,

smtpd -h

Will display the version at the top.

Eric

On 25 May 2015, at 14:18, michalzient...@gmail.com michalzient...@gmail.com wrote:

Hello,

I have probably a trivial question, but is there any easy way to check version of installed smtpd daemon? Something like smtpd -V or smtpctl show version? If not, it would be a helpful feature

Regards
Re: IO Error: tlsv1 alert decode error
Yeah. Sorry about the misinformation. But it's nice when problems are already solved. :)

Thanks again, Eric

On 16 May 2015, at 10:57, Gilles Chehade gil...@poolp.org wrote:

On Fri, May 15, 2015 at 11:21:33PM +0200, Eric Ripa wrote:

Hi Gilles,

I don’t know how far you got with this. I have resolved the issue, cause unknown. First, I actually had 5.4.3 and not 5.4.4. I was certain that I had upgraded. Anyway… so I simply shutdown smtpd, upgraded to 5.4.5 and booted it up again. Then rescheduling the emails worked fine much better with proper downgrade. Hopefully it was fixed by the version change (something in this area probably changed as the message formatting was a bit different).

I was going to mail you this morning and ask if you were sure you didn't run 5.4.3 as the bug you experience was fixed by Stefan Sieg and his fix was committed over 5 months ago:

https://github.com/OpenSMTPD/OpenSMTPD/commit/4d8347ff92351462418cad2f67d6787aa6f137cd

So nope, the issue doesn't have an unknown cause ;-)

--
Gilles Chehade https://www.poolp.org @poolpOrg
Re: IO Error: tlsv1 alert decode error
Hi Gilles,

I don’t know how far you got with this. I have resolved the issue, cause unknown. First, I actually had 5.4.3 and not 5.4.4. I was certain that I had upgraded. Anyway… so I simply shutdown smtpd, upgraded to 5.4.5 and booted it up again. Then rescheduling the emails worked fine much better with proper downgrade. Hopefully it was fixed by the version change (something in this area probably changed as the message formatting was a bit different).

Here's a log excerpt:

May 15 23:08:13 mail smtpd[5853]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mms.[REDACTED].com) on session c1bf6e17bee0f395...
May 15 23:08:13 mail smtpd[5853]: smtp-out: Connected on session c1bf6e17bee0f395
May 15 23:08:17 mail smtpd[5853]: smtp-out: TLS Error on session c1bf6e17bee0f395: TLS failed, downgrading to plain
May 15 23:08:17 mail smtpd[5853]: smtp-out: Connecting to smtp://[REDACTED]:25 (mms.[REDACTED].com) on session c1bf6e17bee0f395...
May 15 23:08:17 mail smtpd[5853]: smtp-out: Connected on session c1bf6e17bee0f395
May 15 23:08:19 mail smtpd[5853]: relay: Ok for bc9c69f19a657426: session=c1bf6e17bee0f395, from=[REDACTED], to=[REDACTED], rcpt=-, source=192.168.132.233, relay=[REDACTED] (mms.[REDACTED].com), delay=2d23m40s, stat=250 ok: Message 64860805 accepted
May 15 23:08:29 mail smtpd[5853]: smtp-out: Closing session c1bf6e17bee0f395: 1 message sent.

Thanks for any effort you put into this!

Eric

On 15 May 2015, at 09:46, Gilles Chehade gil...@poolp.org wrote:

On Wed, May 13, 2015 at 01:27:44PM +0200, Eric Ripa wrote:

Okay. So I've looked further into this, the destination MX record contains 6 addresses. The first 5 generate the below TLS IO Error, but the 6th doesn't seem to be up to respond on SMTP queries.

So what I believe is happening is that OpenSMTPD retries all alternative MX records when TLS is failing on the first ones.. but then the last isn't up so it lingers with 'Network error on destination MXs'

Any input on how to do a workaround? Is it possible to force non-tls on certain destinations or change the fallback algorithm?

I'll have a look today

--
Gilles Chehade https://www.poolp.org @poolpOrg
Re: IO Error: tlsv1 alert decode error
Okay. So I've looked further into this, the destination MX record contains 6 addresses. The first 5 generate the below TLS IO Error, but the 6th doesn't seem to be up to respond on SMTP queries.

So what I believe is happening is that OpenSMTPD retries all alternative MX records when TLS is failing on the first ones.. but then the last isn't up so it lingers with 'Network error on destination MXs'

Any input on how to do a workaround? Is it possible to force non-tls on certain destinations or change the fallback algorithm?

Eric Ripa

On 2015-05-13, at 13:18, Eric Ripa e...@stickybit.se wrote:

I forgot to mention some details. It's OpenSMTPD 5.4.4 on OpenBSD 5.6. I'm happy to provide the MX hostnames in private if someone needs them.

Eric Ripa

On 2015-05-13, at 09:22, Eric Ripa e...@stickybit.se wrote:

Hi,

I'm getting a weird IO error when smtpd tries to deliver mail over smtp+tls. The MX record contains multiple servers and all are showing the same behavior. Could anyone shed some light on the potential issue? Envelopes end up in temporary failure with 'Network error on destination MXs'

May 13 09:16:51 mail smtpd[23296]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mms.[REDACTED].com) on session 5a151ca2c611100d...
May 13 09:16:51 mail smtpd[23296]: smtp-out: Connected on session 5a151ca2c611100d
May 13 09:16:52 mail smtpd[23296]: smtp-out: Error on session 5a151ca2c611100d: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 13 09:16:52 mail smtpd[23296]: smtp-out: Disabling route [] - [REDACTED] (mms.[REDACTED].com) for 800s
May 13 09:16:53 mail smtpd[23296]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mail-gw.[REDACTED].com) on session 5a151ca314e2c781...
May 13 09:16:53 mail smtpd[23296]: smtp-out: Connected on session 5a151ca314e2c781
May 13 09:16:54 mail smtpd[23296]: smtp-out: Error on session 5a151ca314e2c781: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 13 09:16:54 mail smtpd[23296]: smtp-out: Disabling route [] - [REDACTED] (mail-gw.[REDACTED].com) for 800s
May 13 09:16:55 mail smtpd[23296]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mail-gw6.[REDACTED].com) on session 5a151ca44b96ca01...
May 13 09:16:56 mail smtpd[23296]: smtp-out: Connected on session 5a151ca44b96ca01
May 13 09:16:56 mail smtpd[23296]: smtp-out: Error on session 5a151ca44b96ca01: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 13 09:16:56 mail smtpd[23296]: smtp-out: Disabling route [] - [REDACTED] (mail-gw6.[REDACTED].com) for 800s

Thanks,
Eric Ripa
Re: IO Error: tlsv1 alert decode error
I forgot to mention some details. It's OpenSMTPD 5.4.4 on OpenBSD 5.6. I'm happy to provide the MX hostnames in private if someone needs them.

Eric Ripa

On 2015-05-13, at 09:22, Eric Ripa e...@stickybit.se wrote:

Hi,

I'm getting a weird IO error when smtpd tries to deliver mail over smtp+tls. The MX record contains multiple servers and all are showing the same behavior. Could anyone shed some light on the potential issue? Envelopes end up in temporary failure with 'Network error on destination MXs'

May 13 09:16:51 mail smtpd[23296]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mms.[REDACTED].com) on session 5a151ca2c611100d...
May 13 09:16:51 mail smtpd[23296]: smtp-out: Connected on session 5a151ca2c611100d
May 13 09:16:52 mail smtpd[23296]: smtp-out: Error on session 5a151ca2c611100d: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 13 09:16:52 mail smtpd[23296]: smtp-out: Disabling route [] - [REDACTED] (mms.[REDACTED].com) for 800s
May 13 09:16:53 mail smtpd[23296]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mail-gw.[REDACTED].com) on session 5a151ca314e2c781...
May 13 09:16:53 mail smtpd[23296]: smtp-out: Connected on session 5a151ca314e2c781
May 13 09:16:54 mail smtpd[23296]: smtp-out: Error on session 5a151ca314e2c781: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 13 09:16:54 mail smtpd[23296]: smtp-out: Disabling route [] - [REDACTED] (mail-gw.[REDACTED].com) for 800s
May 13 09:16:55 mail smtpd[23296]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mail-gw6.[REDACTED].com) on session 5a151ca44b96ca01...
May 13 09:16:56 mail smtpd[23296]: smtp-out: Connected on session 5a151ca44b96ca01
May 13 09:16:56 mail smtpd[23296]: smtp-out: Error on session 5a151ca44b96ca01: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 13 09:16:56 mail smtpd[23296]: smtp-out: Disabling route [] - [REDACTED] (mail-gw6.[REDACTED].com) for 800s

Thanks,
Eric Ripa
IO Error: tlsv1 alert decode error
Hi,

I'm getting a weird IO error when smtpd tries to deliver mail over smtp+tls. The MX record contains multiple servers and all are showing the same behavior. Could anyone shed some light on the potential issue? Envelopes end up in temporary failure with 'Network error on destination MXs'

May 13 09:16:51 mail smtpd[23296]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mms.[REDACTED].com) on session 5a151ca2c611100d...
May 13 09:16:51 mail smtpd[23296]: smtp-out: Connected on session 5a151ca2c611100d
May 13 09:16:52 mail smtpd[23296]: smtp-out: Error on session 5a151ca2c611100d: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 13 09:16:52 mail smtpd[23296]: smtp-out: Disabling route [] - [REDACTED] (mms.[REDACTED].com) for 800s
May 13 09:16:53 mail smtpd[23296]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mail-gw.[REDACTED].com) on session 5a151ca314e2c781...
May 13 09:16:53 mail smtpd[23296]: smtp-out: Connected on session 5a151ca314e2c781
May 13 09:16:54 mail smtpd[23296]: smtp-out: Error on session 5a151ca314e2c781: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 13 09:16:54 mail smtpd[23296]: smtp-out: Disabling route [] - [REDACTED] (mail-gw.[REDACTED].com) for 800s
May 13 09:16:55 mail smtpd[23296]: smtp-out: Connecting to smtp+tls://[REDACTED]:25 (mail-gw6.[REDACTED].com) on session 5a151ca44b96ca01...
May 13 09:16:56 mail smtpd[23296]: smtp-out: Connected on session 5a151ca44b96ca01
May 13 09:16:56 mail smtpd[23296]: smtp-out: Error on session 5a151ca44b96ca01: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 13 09:16:56 mail smtpd[23296]: smtp-out: Disabling route [] - [REDACTED] (mail-gw6.[REDACTED].com) for 800s

Thanks,
Eric Ripa
Re: How to debug Bad response: line too short?
On 2015-03-17, at 03:34, Seth l...@sysfu.com wrote:

On Mon, 16 Mar 2015 12:51:16 -0700, Eric Ripa e...@stickybit.se wrote:

One of the failing envelopes is below (this one was sent using Apple mail but it doesn't seem to be related as other clients are doing the same, seemingly random).

Does the error occur frequently enough where you could perhaps grab some debug log output of it occurring?

Hard to say because after a retry or two the mail goes through so I will have to monitor it more closely. What traces are suitable for more verbose output of smtp-out? Simply smtp?

Have you made any attempts at reproducing it manually by feeding the same email through the system again?

Not the exact same, no, but I've seen both (errors and working) on identically formatted mails, sender/receiver and MUA.

Thanks
Eric
Re: Mail not bouncing on missing system user (451 Temporary failure Instead of 550 Invalid user)
On 2015-03-13, at 09:15, Gilles Chehade gil...@poolp.org wrote:

On Thu, Mar 12, 2015 at 10:41:05AM +0100, Eric Ripa wrote:

An update on this thread in case anyone is interested or search for the same.

I never found any resolution to let OpenSMTPD rely on getpwnam (and thus ypldap). I traced the rules and lookup further and my only suspicion is that it's ypldap causing the odd behavior with getpwnam.

In the end I took another approach and created a virtual user table mapping to the system users (fetched by ypldap) + added all aliases in the same virtual user map. Now I get proper Invalid Recipient replies and nothing stuck in the queue. I build the virtual user table with a simple Python LDAP script. This solution actually is better in the end as it allows my client to have more fine-grained control over mail accounts, aliases and group-mail aliases.

---

I do however have a question left: In my trials I briefly had the configuration as follows:

accept tagged for domain domains alias aliases deliver to lmtp /var/dovecot/lmtp
accept tagged for domain domains virtual vusers deliver to lmtp /var/dovecot/lmtp

But everything ended up in the first rule, and even though the alias map didn't contain any of the recipients it never went to the virtual user rule and all mails stayed in Temporary lookup failure. I solved it by combining my alias and virtual user maps, but if I understand it correctly the above should have worked.. or? Maybe it's the ypldap ghost..

This is expected, and here's a short explanation why.

Imagine the following ruleset:

accept from local for domain poolp.org alias a deliver to mbox
accept from local for any relay

Now imagine that address gil...@poolp.org exists and not r...@poolp.org.

When mailing gil...@poolp.org, we match the first rule since it is meant to handle domain poolp.org and we find the user, good.

When mailing r...@poolp.org, we match the first rule for the same reason however this time we don't find the user.

What would happen if we jumped to the next rule and tried to evaluate it ?

accept from local for any relay

We match it and the recipient we were supposed to reject is now relayed, causing a loop while at it.

It's not possible to cascade, it can't work. It needs to be able to find an unambiguous rule that can return a reject and abort the ruleset evaluation.

Aa, I see. Didn't think of that. Obvious :)

With that in mind, let's see how you could achieve what you want ;-)

The key is the unambiguous word I used above.

Your problem is that once a rule is matched, it is that rule which will take the decision. In your case, you have two rules that match the same destination domains and since recipients are not taken into account, it means you never get a chance to match the second rule. The first one is going to reject recipients it doesn't know.

What you need to do is prevent the first rule from being matched at all for addresses which are meant to match the second rule. You should have a look at recipient keyword:

accept from local for domain a recipient r [...]
accept from local for domain a [...]

This would only match first rule when the recipient is part of the r table so that other recipients match the second rule.

Okay, I actually had a hard time figuring out the difference between alias/virtual/recipient but this explains it more clearly. So basically recipient is the same as virtual with the exception that the rule won't match if the recipient isn't in the given table.

Thanks for the explanation!

Take care,
Eric

--
Gilles Chehade https://www.poolp.org @poolpOrg
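An added example, not part of the thread and not OpenSMTPD code: a simplified model of the matching behaviour explained in the message above, where the first rule that matches takes the decision, and of how restricting the first rule with the recipient keyword lets other addresses reach the second rule. Rule names, tables and addresses are constructed, and the `cascade` option is a hypothetical evaluator included only to show the outcome the explanation warns about.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    """One accept rule in a simplified model (not OpenSMTPD's data structures)."""
    name: str
    domains: Optional[Set[str]] = None     # None models "for any"
    recipients: Optional[Set[str]] = None  # models the "recipient" keyword
    users: Optional[Set[str]] = None       # alias/virtual table; None models "relay"

    def matches(self, rcpt: str) -> bool:
        domain = rcpt.rpartition("@")[2]
        if self.domains is not None and domain not in self.domains:
            return False
        # Without "recipient" the address plays no part in choosing the rule.
        return self.recipients is None or rcpt in self.recipients

    def decide(self, rcpt: str) -> str:
        if self.users is None:
            return "relay"
        return "deliver" if rcpt in self.users else "reject"


def evaluate(rules, rcpt, cascade=False):
    """Return (rule_name, action); the first matching rule decides.

    cascade=True tries the next rule after a reject. It is hypothetical and
    exists only to show why falling through would be unsafe.
    """
    for rule in rules:
        if not rule.matches(rcpt):
            continue
        action = rule.decide(rcpt)
        if action == "reject" and cascade:
            continue
        return rule.name, action
    return None, "reject"


# Constructed tables and addresses for the example.
KNOWN = {"known@example.org"}
ALIASES = {"postmaster@example.com"}
VUSERS = {"bob@example.com"}
DOMAIN = {"example.com"}

# Ruleset from the explanation: a local-domain rule followed by "for any relay".
LOCAL_THEN_RELAY = [
    Rule("local", domains={"example.org"}, users=KNOWN),
    Rule("relay"),
]
# Two rules for the same domain: the second can never be reached.
TWO_RULES = [
    Rule("alias", domains=DOMAIN, users=ALIASES),
    Rule("virtual", domains=DOMAIN, users=VUSERS),
]
# Same, with the first rule limited by "recipient" to the addresses it knows.
WITH_RECIPIENT = [
    Rule("alias", domains=DOMAIN, recipients=ALIASES, users=ALIASES),
    Rule("virtual", domains=DOMAIN, users=VUSERS),
]

if __name__ == "__main__":
    cases = [
        ("first match", LOCAL_THEN_RELAY, "unknown@example.org", False),
        ("cascading", LOCAL_THEN_RELAY, "unknown@example.org", True),
        ("two rules", TWO_RULES, "bob@example.com", False),
        ("with recipient", WITH_RECIPIENT, "bob@example.com", False),
    ]
    for label, rules, rcpt, cascade in cases:
        print(label, rcpt, evaluate(rules, rcpt, cascade))
```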
How to debug Bad response: line too short?
Hi,

I run my OpenSMTPD setup with ClamAV as the first relay, mails are scanned and tagged with CLAM_IN and then relayed back to OpenSMTPD. CLAM_IN mails will be relayed to SpamAssassin, tagged with SPAM_IN and then relayed back and finally delivered using LMTP to Dovecot.

I have an intermittent issue with mails getting stuck between ClamAV and SpamAssassin (tagged CLAM_IN) with the errorline Bad response: line too short. I currently struggle to debug the issue as it works if I just re-schedule the mail (smtpctl schedule id)... so there doesn't really seem to be any issues with the envelope itself. My current suspect is SpamAssassin due to the mailing being stuck before SpamAssassin and smtp-out is reporting the error.

One of the failing envelopes is below (this one was sent using Apple mail but it doesn't seem to be related as other clients are doing the same, seemingly random).

$ cat /var/log/maillog
smtpd[28345]: smtp-in: Accepted authentication for user user1 on session 48564f41d712ab30
smtpd[28345]: smtp-in: Accepted message 0263357d on session 48564f41d712ab30: from=us...@example.com, to=us...@example.com, size=3949, ndest=1, proto=ESMTP
smtpd[28345]: smtp-in: Accepted message 5ea15501 on session 48564f3f50fb464d: from=us...@example.com, to=us...@example.com, size=4265, ndest=1, proto=ESMTP
clamsmtpd: 100788: from=us...@example.com, to=us...@example.com, status=CLEAN
smtpd[28345]: relay: Ok for 0263357d268939e2: session=48564f3e1e72328f, from=us...@example.com, to=us...@example.com, rcpt=-, source=127.0.0.1, relay=127.0.0.1 (localhost), delay=1s, stat=250 2.0.0: 5ea15501 Message accepted for delivery
smtpd[28345]: smtp-out: Connecting to smtp://127.0.0.1:10035 (localhost) on session 48564f4200bb91cf...
smtpd[28345]: smtp-out: Connected on session 48564f4200bb91cf
smtpd[28345]: smtp-out: Error on session 48564f4200bb91cf: Bad response: line too short
smtpd[28345]: relay: TempFail for 5ea1550136f47d84: session=48564f4200bb91cf, from=us...@example.com, to=us...@example.com, rcpt=-, source=127.0.0.1, relay=127.0.0.1 (localhost), delay=2s, stat=Bad response: line too short

$ smtpctl show envelope 5ea1550136f47d84
version: 2
tag: CLAM_IN
type: mta
smtpname: mail.example.com
helo: mail.example.com
hostname: localhost
errorline: Bad response: line too short
sockaddr: 127.0.0.1
sender: us...@example.com
rcpt: us...@example.com
dest: us...@example.com
ctime: 1426518720
last-try: 0
last-bounce: 0
expire: 345600
retry: 1
dsn-notify: 0
esc-class: 4
esc-code: 0
mta-relay: smtp://127.0.0.1:10035 smtp://127.0.0.1:10035

$ smtpctl show message 5ea1550136f47d84
Received: from mail.example.com (localhost [127.0.0.1]); by mail.example.com (OpenSMTPD) with ESMTP id 5ea15501; for us...@example.com; Mon, 16 Mar 2015 16:12:00 +0100 (CET)
Received: from par-olof.lan (90-229-230-87-no153.tbcn.telia.com [90.229.230.87]); by mail.example.com (OpenSMTPD) with ESMTPSA id 0263357d; TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO; for us...@example.com; Mon, 16 Mar 2015 16:11:59 +0100 (CET)
From: user1 us...@example.com
Content-Type: multipart/alternative; boundary=Apple-Mail=_3E00CA8D-BF5A-448A-8085-3389D2B50BED
Subject: test subject
Message-Id: 0fc7bf64-c401-4d4b-a791-dff0e5642...@example.com
Date: Mon, 16 Mar 2015 16:11:56 +0100
To: us...@example.com
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
X-Virus-Scanned: ClamAV using ClamSMTP

--Apple-Mail=_3E00CA8D-BF5A-448A-8085-3389D2B50BED
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=iso-8859-1

Thanks,
Eric Ripa e...@stickybit.se
Re: Mail not bouncing on missing system user (451 Temporary failure Instead of 550 Invalid user)
An update on this thread in case anyone is interested or searches for the same.

I never found any resolution to let OpenSMTPD rely on getpwnam (and thus ypldap). I traced the rules and lookup further and my only suspicion is that it's ypldap causing the odd behavior with getpwnam.

In the end I took another approach and created a virtual user table mapping to the system users (fetched by ypldap) + added all aliases in the same virtual user map. Now I get proper Invalid Recipient replies and nothing stuck in the queue. I build the virtual user table with a simple Python LDAP script. This solution actually is better in the end as it allows my client to have more fine-grained control over mail accounts, aliases and group-mail aliases.

---

I do however have a question left. In my trials I briefly had the configuration as follows:

accept tagged for domain domains alias aliases deliver to lmtp /var/dovecot/lmtp
accept tagged for domain domains virtual vusers deliver to lmtp /var/dovecot/lmtp

But everything ended up in the first rule, and even though the alias map didn't contain any of the recipients it never went to the virtual user rule and all mails stayed in Temporary lookup failure. I solved it by combining my alias and virtual user maps, but if I understand it correctly the above should have worked.. or? Maybe it's the ypldap ghost..

Thanks,
Eric Ripa

On 2015-03-06, at 08:22, Eric Ripa e...@stickybit.se wrote:

Hi,

I originally posted this as an issue on GitHub but then I realized that the mail list probably would be a better match. So I'm reposting here and have closed the GitHub issue.

I've set up OpenBSD 5.6 with OpenSMTPD 5.4.4 for use with system users (LDAP, using ypldap) on one primary domain. The setup is based on the guide available here: http://technoquarter.blogspot.se/

These are the two rules that (in my mind) should affect this.

table domains db:/etc/mail/domains.db
accept for domain domains deliver to lmtp /var/dovecot/lmtp

And my domains file:

example.com accept

If I send to a user that does exist on the system I get correct behavior and the mail delivers, but when I send to a non-existing user the mail goes into limbo with '451 Temporary Failure'.

Using smtpd -d -T lookup I can see the following behaviors, first an existing user:

lookup: lookup eric.ripa as USERINFO in table getpwnam:getpwnam - eric.ripa:1101:1025:/home/eric.ripa
delivery: Ok for f23a96c23e2500b8: from=t...@example.com, to=eric.r...@example.com, user=eric.ripa, method=lmtp, delay=1s, stat=Delivered

Then the non-existing user:

lookup: lookup foo as USERINFO in table getpwnam:getpwnam - -1
smtp-in: Failed command on session a6ee64eda205f046: RCPT TO:f...@example.com = 451 Temporary failure
relay: TempFail for c534b8c7f5ad4a41: session=a6ee64ec089bf84f, from=t...@example.com, to=f...@example.com, rcpt=-, source=127.0.0.1, relay=127.0.0.1 (localhost), delay=6m41s, stat=451 Temporary failure

Shouldn't this mail bounce with a 550 or something similar? Currently the mail stays in the queue until the envelope expires.

Any ideas? Is it possible to force a reject if the user doesn't exist on the system?

Thanks,
Eric Ripa
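Added example, not part of the thread and not OpenSMTPD code: a simplified model of the two-rule configuration from the update above, built on the smtpd.conf(5) statement for this rule syntax that the first matching rule decides. It assumes, from the lookup trace in the post, that the ypldap-backed getpwnam reports an error (-1) rather than "not found" for unknown users; every name and table entry is constructed.

```python
from enum import Enum


class R(Enum):
    FOUND = 1     # table returned a value
    MISSING = 0   # table answered "no such key"
    ERROR = -1    # backend failure, shown as "-1" in the lookup trace


def table(entries, miss=R.MISSING):
    """Model a table; `miss` is what the backend reports for an unknown key."""
    return lambda key: (R.FOUND, entries[key]) if key in entries else (miss, None)


REPLY = {R.MISSING: "550 Invalid recipient", R.ERROR: "451 Temporary failure"}


def alias_rule(aliases, userbase):
    """'alias' expansion: an alias miss falls back to the user database."""
    def expand(user):
        state, target = aliases(user)
        if state is R.ERROR:
            return REPLY[state]
        user = target if state is R.FOUND else user
        state, _ = userbase(user)
        return f"250 deliver to {user}" if state is R.FOUND else REPLY[state]
    return expand


def virtual_rule(vusers):
    """'virtual' expansion: the virtual table alone decides."""
    def expand(user):
        state, target = vusers(user)
        return f"250 deliver to {target}" if state is R.FOUND else REPLY[state]
    return expand


def rcpt(ruleset, domain, user):
    """First rule whose criteria match wins; expansion never re-enters matching."""
    for name, domains, expand in ruleset:
        if domain in domains:
            return name, expand(user)
    return None, "rejected: no rule matched"


# Constructed data: getpwnam behind ypldap modelled as ERROR on a miss.
DOMAINS = {"example.com"}
getpwnam = table({"eric.ripa": "eric.ripa"}, miss=R.ERROR)
aliases = table({"postmaster": "eric.ripa"})
vusers = table({"eric.ripa": "eric.ripa", "postmaster": "eric.ripa"})

TWO_RULES = [("alias", DOMAINS, alias_rule(aliases, getpwnam)),
             ("virtual", DOMAINS, virtual_rule(vusers))]
MERGED = [("virtual", DOMAINS, virtual_rule(vusers))]
```

In this model `rcpt(TWO_RULES, "example.com", "foo")` stops at the alias rule with a 451, while the merged table yields a 550 for the same recipient.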
Re: Building dkimproxy on headless OpenBSD server with no X install sets
I did the following on my X-less installation of OpenBSD 5.6:

- downloaded the two sets xetc56.tgz and xbase56.tgz
- added the sets according to the FAQ http://www.openbsd.org/faq/faq4.html#AddFileSet
- created the symlink as follows: /usr/local/lib/X11/app-defaults - /etc/X11/app-defaults

After doing so dkimproxy compiled and installed fine. I have not tried to remove the sets after installation however.

Eric Ripa

On 2015-03-12, at 17:15, Seth l...@sysfu.com wrote:

I was going to build and configure dkimproxy for use with OpenSMTPD according to this guide [1] but got stopped cold by the following error:

$ sudo make
Fatal: /usr/local/lib/X11/app-defaults should exist and be a symlink
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2513 '/usr/ports/pobj/dkimproxy-1.4.1/.extract_started': @appdefaults=/usr/local/...)
*** Error 1 in /usr/ports/mail/dkimproxy (/usr/ports/infrastructure/mk/bsd.port.mk:2455 'all')

The dkimproxy port apparently requires X11 OpenBSD install sets?

I know that some people on this list help to finish up the OpenBSD port of dkimproxy [2], can anyone assist with getting it to build on a headless server with no X install sets present?

[1] http://technoquarter.blogspot.com/2015/02/openbsd-mail-server-part-5-dkimproxy.html
[2] http://www.mail-archive.com/ports%40openbsd.org/msg47873.html
Mail not bouncing on missing system user (451 Temporary failure Instead of 550 Invalid user)
Hi,

I originally posted this as an issue on GitHub but then I realized that the mail list probably would be a better match. So I'm reposting here and have closed the GitHub issue.

I've set up OpenBSD 5.6 with OpenSMTPD 5.4.4 for use with system users (LDAP, using ypldap) on one primary domain. The setup is based on the guide available here: http://technoquarter.blogspot.se/

These are the two rules that (in my mind) should affect this.

table domains db:/etc/mail/domains.db
accept for domain domains deliver to lmtp /var/dovecot/lmtp

And my domains file:

example.com accept

If I send to a user that does exist on the system I get correct behavior and the mail delivers, but when I send to a non-existing user the mail goes into limbo with '451 Temporary Failure'.

Using smtpd -d -T lookup I can see the following behaviors, first an existing user:

lookup: lookup eric.ripa as USERINFO in table getpwnam:getpwnam - eric.ripa:1101:1025:/home/eric.ripa
delivery: Ok for f23a96c23e2500b8: from=t...@example.com, to=eric.r...@example.com, user=eric.ripa, method=lmtp, delay=1s, stat=Delivered

Then the non-existing user:

lookup: lookup foo as USERINFO in table getpwnam:getpwnam - -1
smtp-in: Failed command on session a6ee64eda205f046: RCPT TO:f...@example.com = 451 Temporary failure
relay: TempFail for c534b8c7f5ad4a41: session=a6ee64ec089bf84f, from=t...@example.com, to=f...@example.com, rcpt=-, source=127.0.0.1, relay=127.0.0.1 (localhost), delay=6m41s, stat=451 Temporary failure

Shouldn't this mail bounce with a 550 or something similar? Currently the mail stays in the queue until the envelope expires.

Any ideas? Is it possible to force a reject if the user doesn't exist on the system?

Thanks,
Eric Ripa