Solved Email forwarder with multiple forwarding addresses failing with 'Bad sender address syntax'

simplificare

I've found a forwarding issue with one of the recent updates:

A user on my server has [email protected] to forward mail to two different email accounts, say [email protected] and [email protected].

When an external sender sends mail to [email protected], the forwarder fails with the following bounce back:

Code:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    (generated from [email protected])
    host outboundhost.email.com [XXX.XXX.XXX.XXX]
    SMTP error from remote mail server after pipelined MAIL FROM:<SRS0=XXXX=XX=yourdomain.com=external@> SIZE=7602:
    501 5.1.7 Bad sender address syntax
  [email protected]
    (generated from [email protected])
    host outboundhost.email.com [XXX.XXX.XXX.XXX]
    SMTP error from remote mail server after pipelined MAIL FROM:<SRS0=XXXX=XX=yourdomain.com=external@> SIZE=7602:
    501 5.1.7 Bad sender address syntax

Does anyone have any idea how to correct this?

It looks like something is missing here:
Code:
SMTP error from remote mail server after pipelined MAIL FROM:<SRS0=XXXX=XX=yourdomain.com=external@[MISSING PART HERE]> SIZE=7602:

Thanks,
Michael
 
First thing I would do is rebuild exim and its config with custombuild, because this should be working out of the box. Aside from that, this line should be in your "remote_smtp_forward_transport" transport:

return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}

I can't imagine that transport looks normal in this case. But perhaps also importantly, are you using any custom includes like exim.routers.pre.conf? If so, the recommendation for that was recently changed to address some slight changes that would have broken SRS in those: https://docs.directadmin.com/other-hosting-services/exim/smarthost.html

But if you were using one of those exactly according to the previously documented recommendation, the result should have simply been no SRS as opposed to SRS minus the recipient domain. But perhaps if you'd done a bit more to it than had been previously recommended, there might have been a different offset for your case.
 
Rebuilding Exim didn’t work. :(

I’ve been away on holidays so trying to fix things remotely has been challenging. I’ll be back at my computer later tonight/tomorrow and be able to look a bit deeper.

I do have the smart host stuff (exim.routers.pre.conf) enabled as I send all outbound mail through a third party service. They also require username and password auth so I also have exim.transports and exim.authenticators enabled as well. I filled in my blanks and copy/pasted direct from the docs website. Not sure what else could be going wrong.

Will do some more digging soon.

Thanks for your reply!!

Michael
 
Did a bit more digging and can confirm everything is as it should be in the config files based on the documentation and the additional files per the smart host config.

In my logs, I do see that the R= and T= sections for the message are indeed the ones identified in the pre.conf files.

Code:
2022-08-14 19:58:56 1oNNVN-0006Yx-0D <= [email protected] H=st43p00im-ztbu10063701.externaldomain.com [XX.XX.XX.XX] P=esmtps X=TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256 CV=no S=4520 DKIM=externaldomain.com [email protected] T="Testing #4" from <[email protected]> for [email protected]
2022-08-14 19:58:57 1oNNVN-0006Yx-0D ** [email protected] <[email protected]> F=<[email protected]> R=smart_route_forward T=auth_relay_forward H=outbound.mailservice.org [XX.XXX.XXX.XXX] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after pipelined MAIL FROM:<SRS0=f161=ys=externaldomain.com=address@> SIZE=5629: 501 5.1.7 Bad sender address syntax
2022-08-14 19:58:57 1oNNVN-0006Yx-0D ** [email protected] <[email protected]> F=<[email protected]> R=smart_route_forward T=auth_relay_forward H=outbound.mailservice.org [XX.XXX.XXX.XXX] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after pipelined MAIL FROM:<SRS0=f161=ys=externaldomain.com=address@> SIZE=5629: 501 5.1.7 Bad sender address syntax

For reference, my exim.routers.pre.conf
Code:
smart_route_forward:
    driver = manualroute
    domains = ! +local_domains
    ignore_target_hosts = 127.0.0.0/8
    condition = ${if !eq{$original_domain}{$domain}}
    condition = ${if !eq{$original_domain}{}}
    condition = "${perl{check_limits}}"

    transport = auth_relay_forward

    route_list = * outbound.mailhost.org
    no_more

smart_route:
    driver = manualroute
    domains = ! +local_domains
    ignore_target_hosts = 127.0.0.0/8
    condition = "${perl{check_limits}}"

    transport = auth_relay

    route_list = * outbound.mailhost.org
    no_more

And, my exim.transports.pre.conf
Code:
auth_relay:
    driver = smtp
    port = 25
    hosts_require_auth = $host_address
    hosts_require_tls = $host_address
    headers_add = "${if def:authenticated_id{X-Authenticated-Id: ${authenticated_id}}}"
    interface = <; ${if exists{/etc/virtual/domainips}{${lookup{$sender_address_domain}lsearch*{/etc/virtual/domainips}}}}
    helo_data = ${if exists{/etc/virtual/helo_data}{${lookup{$sending_ip_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}}{$primary_hostname}}
    hosts_try_chunking =
    hosts_try_fastopen =
.include_if_exists /etc/exim.dkim.conf

auth_relay_forward:
    driver = smtp
    port = 25
    hosts_require_auth = $host_address
    hosts_require_tls = $host_address
    headers_add = "${if def:authenticated_id{X-Authenticated-Id: ${authenticated_id}}}"
    interface = <; ${if exists{/etc/virtual/domainips}{${lookup{$sender_address_domain}lsearch*{/etc/virtual/domainips}}}}
    helo_data = ${if exists{/etc/virtual/helo_data}{${lookup{$sending_ip_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}}{$primary_hostname}}
    hosts_try_chunking =
    hosts_try_fastopen =
    return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
.include_if_exists /etc/exim.dkim.conf

Further, I tested sending from an internal address on the same domain as the alias, and the same result is produced. That trailing domain after the @ in the SRS is missing.

I didn't mention in the first post, but if there is only one forwarding address attached to the alias, it works just fine.

Are there any other places I should be looking to debug?

Thanks again for your help looking into this!
Michael
 
If there's an issue in what you presented there, I'll confess that I can't see it. You said it works fine with one forwarding recipient, but where it fails is when there's more than one. So that'd be like when an alias looks like this one I just made I assume:


So what I just did was set jarland @ mxroute.com to forward to jarland @ gmail.com and me @ jarland.me, so that I can test and confirm that my configuration properly uses SRS when forwarding to two recipients. I only tested one in the last change, so seems like a valid question until I do.

So I did that, and I sent myself a test email from jarland-desktop @ outlook.com to jarland @ mxroute.com. The goal being, of course, to verify that SRS is used when sending to both recipients.

Pulling the logs from my filter server (the one I relay out through first), it does seem this worked in my case:

Aug 15 01:42:42 filter006 postfix/qmgr[21743]: 64A71616E5: from=<SRS0=38dc=yt=outlook.com=[email protected]>, size=8083, nrcpt=1 (queue active)
Aug 15 01:42:42 filter006 postfix/qmgr[21743]: 596B16169C: from=<SRS0=38dc=yt=outlook.com=[email protected]>, size=8083, nrcpt=1 (queue active)

So I guess the best question at this stage is, what is different about my configuration than yours? Right off the bat I have to say, I don't have authentication so I am going to be short on comparison. But I do have my config available for comparison. Maybe we'll get lucky and you'll see something that I don't by comparison where possible/relevant.

I haven't actually re-evaluated exim.transports.pre.conf since the most recent change where the DA documentation only recommends using exim.routers.pre.conf, so presently I do have both of these files live in /etc on all production servers:


Otherwise I have to say, I'm legitimately stumped.
 
Likewise, stumped. Thanks for looking at it!

My next test, a bit later in the evening (when there is less potential for outbound mail traffic), will be to disable the additional .conf files to see if it handles things the same way.

Thanks,
Michael
 
When I disabled the three .conf files, it appears as though it would work. (The messages failed because the server I was testing from is on Digital Ocean and the IPs have a bad reputation.)

I can see in the "Mail delivery failed" bounce that the SRS was written correctly with the trailing domain name. So something is broken in the additional configuration files.

More digging later, vacation is over and it's back to work tomorrow.
 
I tried 15 or so different config edits and read the complete verbose log output for the mail, and I have no clue what is going on other than to say the {$original_domain} variable part of the return_path line in the exim.transports.pre.conf file seems to be empty when it is being parsed for two or more forwarders, when authentication is turned on, but not when it is off.

Any suggestion for next steps... ticket with DirectAdmin Support, or posting on Exim mailing list?
 
DA support were able to identify that a line was missing in the exim.transports.pre.conf file. The docs have been updated to reflect the change.

In the auth_relay_forward section add:

Code:
max_rcpt = 1

After
Code:
hosts_try_fastopen =

I've implemented this fix on all of my servers and confirmed it is operating.

Thanks @mxroute for your help with this!

Michael
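
A check built from this thread's symptom and fix, as an added example that is not DirectAdmin's or any poster's own code: it flags transports in an Exim transports fragment whose return_path references $original_domain without max_rcpt = 1, and counts failed deliveries in mainlog lines whose SRS envelope sender ends in "@>". The sample config, log lines, hostnames and addresses are constructed, and the parser assumes one option per line with no continuation lines.

```python
import re
from collections import Counter

# Constructed sample: trimmed transports file in the layout quoted in the thread.
SAMPLE_CONF = """\
auth_relay:
    driver = smtp

auth_relay_forward:
    hosts_try_fastopen =
    return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
.include_if_exists /etc/exim.dkim.conf
"""

# Constructed log lines modelled on the thread's excerpt; hosts and addresses are made up.
SAMPLE_LOG = """\
2022-08-14 19:58:57 1oNNVN-0006Yx-0D ** a@example.net R=smart_route_forward T=auth_relay_forward H=relay.example [192.0.2.1]: SMTP error from remote mail server after pipelined MAIL FROM:<SRS0=f161=ys=example.org=address@> SIZE=5629: 501 5.1.7 Bad sender address syntax
2022-08-14 19:58:57 1oNNVN-0006Yx-0D ** b@example.net R=smart_route_forward T=auth_relay_forward H=relay.example [192.0.2.1]: SMTP error from remote mail server after pipelined MAIL FROM:<SRS0=f161=ys=example.org=address@> SIZE=5629: 501 5.1.7 Bad sender address syntax
2022-08-14 20:01:10 1oNNXX-0006Zz-1A => c@example.net R=smart_route T=auth_relay H=relay.example [192.0.2.1] C="250 OK"
"""

def parse_transports(text):
    """Return {transport: {option: value}}; continuation lines are not handled."""
    transports, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", ".")):  # blanks, comments, .include
            continue
        if line.endswith(":") and "=" not in line:   # "name:" opens a transport
            current = transports.setdefault(line[:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return transports

def srs_without_max_rcpt(text):
    """Transports that build SRS from $original_domain but lack max_rcpt = 1."""
    return sorted(name for name, opts in parse_transports(text).items()
                  if "$original_domain" in opts.get("return_path", "")
                  and opts.get("max_rcpt") != "1")

EMPTY_SRS = re.compile(r"^\S+ \S+ (\S+) \*\* .*? T=(\S+) .*MAIL FROM:<SRS[01]=[^@>]*@>")

def empty_domain_bounces(log):
    """Count failed ("**") deliveries per (message id, transport) with a domainless SRS sender."""
    hits = (EMPTY_SRS.match(line) for line in log.splitlines())
    return dict(Counter(m.groups() for m in hits if m))

if __name__ == "__main__":
    print(srs_without_max_rcpt(SAMPLE_CONF), empty_domain_bounces(SAMPLE_LOG))
```

A count of two or more for the same message id and transport matches the multi-recipient case described in the thread.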
 