Email to the wrong mailbox

Phil
Posts: 11
Joined: 14 Jun 2016 20:25

Email to the wrong mailbox

Post by Phil »

Hello everyone,

I recently found a weird "bug" in my Efa. Some emails are received by the wrong person in our domain. When I checked in Efa, the "to:" shows "to:wrongperson@mydomain.com". (Checked in logs, MailWatch and Outlook mail properties) And anywhere in the header it mentions another possible receiver.

We asked the senders if it was a mistake by them but they never sent the email to "wrongperson@mydomain.com". It happened to a couple of different senders but "wrongreceiver@mydomain.com" is always the same.

My system has been running for a bit more than a year now and it's up to date with the latest version.
Everything else works fine, it only happens for ~1/7000 emails.

Would anyone know what this issue is or have any clue where to begin?

Thanks
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Email to the wrong mailbox

Post by pdwalker »

Sorry Phil, I do not understand what your problem is exactly.

Are you saying that someone is sending a message to "me@example.com" but the message actually goes to "you@example.com"?
Phil
Posts: 11
Joined: 14 Jun 2016 20:25

Re: Email to the wrong mailbox

Post by Phil »

Hello pdwalker,

Sorry if the problem is a bit unclear :oops:

Yes, our client tries to send the email to "me@example.com" but we receive it as to "you@example.com".
If I check the email header in Efa, the to: field is "you@example.com".

Thanks
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Email to the wrong mailbox

Post by pdwalker »

What is your mail system? MS Exchange Server? Also provide the version if you know it.

It basically sounds like you have an alias defined that maps me@example.com to you@example.com.
Phil
Posts: 11
Joined: 14 Jun 2016 20:25

Re: Email to the wrong mailbox

Post by Phil »

My mail system is Exchange Server 2010 (SP1).

If the problem was that, should we expect Efa to get the message with to "me@example.com" and then, when Exchange gets it, change it to "you@example.com", since Efa gets the email first? :think:

I checked and there is no alias or mapping between the 2 addresses.

Thanks
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Email to the wrong mailbox

Post by shawniverson »

There has to be a reason, regardless of the cause...

Exchange remapping
A forwarder rule
eFa misdirecting an email

Very curious about this cause....
Phil
Posts: 11
Joined: 14 Jun 2016 20:25

Re: Email to the wrong mailbox

Post by Phil »

I did some testing with the forward and mapping with exchange.

eFa receives the email with the initial "to" regardless of mapping or forward on the Exchange side. (For receiving external mail) That means that, whether there is mapping or not, I should see "me@example.com" and not "you@example.com". :/

Is there a config file in eFa where we can do mapping or forward that I could check? Or a specific log for more detail?

Thanks
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Email to the wrong mailbox

Post by pdwalker »

So, mail to efa addressed to "to@example.com" gets sent to your exchange server as "you@example.com".

Can you tell me what the "me" and "you" parts are? Just curious to see if that gives me an additional hint.

The answers should all be in /var/log/maillog. You should see the mail come in, and then go out to your Exchange server. For example, I just sent a mail to one of my accounts and here is what the log looks like:

message received and accepted from upstream provider (they filter my messages first before EFA does for additional protection)

Aug 29 12:59:18 efa postfix/smtpd[19810]: Anonymous TLS connection established from mail6.bemta12.messagelabs.com[216.82.250.247]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 29 12:59:19 efa sqlgrey: whitelist: pdwalker@from.domain, 216.82.250.247(mail6.bemta12.messagelabs.com) -> pdwalker@to.domain
Aug 29 12:59:19 efa postfix/smtpd[19810]: 62189180061: client=mail6.bemta12.messagelabs.com[216.82.250.247]
Aug 29 12:59:19 efa postfix/cleanup[19814]: 62189180061: hold: header Received: from mail6.bemta12.messagelabs.com (mail6.bemta12.messagelabs.com [216.82.250.247])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested) from mail6.bemta12.messagelabs.com[216.82.250.247]; from=<pdwalker@from.domain> to=<pdwalker@to.domain> proto=ESMTP helo=<mail6.bemta12.messagelabs.com>
Aug 29 12:59:19 efa postfix/cleanup[19814]: 62189180061: message-id=<CANT6AS8Ks5ko7SuZbweEkeS6ifPdUm_CVhc6u-odgCOYn_ZnuQ@mail.gmail.com>
Aug 29 12:59:19 efa opendkim[2005]: 62189180061: mail6.bemta12.messagelabs.com [216.82.250.247] not internal
Aug 29 12:59:19 efa opendkim[2005]: 62189180061: not authenticated
Aug 29 12:59:20 efa opendkim[2005]: 62189180061: DKIM verification successful
Aug 29 12:59:21 efa MailScanner[13809]: New Batch: Scanning 1 messages, 5658 bytes
Aug 29 12:59:21 efa MailScanner[13809]: Virus and Content Scanning: Starting
Aug 29 12:59:25 efa postfix/smtpd[19810]: disconnect from mail6.bemta12.messagelabs.com[216.82.250.247] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

And here is where EFA passes the message on to my Exchange server

Aug 29 12:59:38 efa MailScanner[13809]: Requeue: 62189180061.A9764 to C93C2180490
Aug 29 12:59:38 efa postfix/qmgr[2589]: C93C2180490: from=<pdwalker@from.domain>, size=4557, nrcpt=1 (queue active)
Aug 29 12:59:38 efa MailScanner[13809]: Uninfected: Delivered 1 messages
Aug 29 12:59:38 efa MailScanner[13809]: Deleted 1 messages from processing-database
Aug 29 12:59:38 efa MailScanner[13809]: MailWatch: Logging message 62189180061.A9764 to SQL
Aug 29 12:59:38 efa MailScanner[13813]: MailWatch: 62189180061.A9764: Logged to MailWatch SQL
Aug 29 12:59:38 efa postfix/smtp[20076]: C93C2180490: to=<pdwalker@to.domain>, relay=exchange.server.local[192.168.1.1]:25, delay=20, delays=20/0/0/0.37, dsn=2.6.0, status=sent (250 2.6.0 <CANT6AS8Ks5ko7SuZbweEkeS6ifPdUm_CVhc6u-odgCOYn_ZnuQ@mail.gmail.com> Queued mail for delivery)
Aug 29 12:59:38 efa postfix/qmgr[2589]: C93C2180490: removed

So, I can see the received message was given an ID of 62189180061, and postfix requeued it as C93C2180490.

Perhaps if you find your message ids, you can track what happens in the log files and see what postfix is sending to your exchange server.

Also, you might want to look at /etc/aliases to see if there is anything weird in that file.
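
The queue-ID tracing described in the post above can be scripted. The following is an added example, not code from any poster or from the eFa project: it joins the inbound Postfix queue ID to the ID MailScanner requeues it under, then compares the recipient accepted at SMTP time with the recipient relayed onward. The log lines are constructed in the format of the excerpts in this thread, and `trace` and `verdict` are hypothetical names.

```python
import re

# Constructed sample in the maillog format shown in this thread (placeholder
# names/IPs). Message 1 arrives already addressed to bob; message 2 is
# rewritten on the gateway, which Postfix records as orig_to=.
SAMPLE_LOG = """\
Aug 24 15:50:16 efa postfix/cleanup[8853]: 9A741120067: hold: header Received: from relay.example.net from relay.example.net[192.0.2.10]; from=<client@example.net> to=<bob@example.com> proto=ESMTP helo=<relay.example.net>
Aug 24 15:50:25 efa MailScanner[4624]: Requeue: 9A741120067.A023E to A4E79120052
Aug 24 15:50:26 efa postfix/smtp[8839]: A4E79120052: to=<bob@example.com>, relay=192.0.2.20[192.0.2.20]:25, delay=13, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Aug 24 16:02:01 efa postfix/cleanup[8853]: 1B2C3D4E5F6: hold: header Received: from relay.example.net from relay.example.net[192.0.2.10]; from=<client@example.net> to=<sales@example.com> proto=ESMTP helo=<relay.example.net>
Aug 24 16:02:09 efa MailScanner[4624]: Requeue: 1B2C3D4E5F6.A1B2C to 7F8E9D0C1B2
Aug 24 16:02:10 efa postfix/smtp[8839]: 7F8E9D0C1B2: to=<bob@example.com>, orig_to=<sales@example.com>, relay=192.0.2.20[192.0.2.20]:25, delay=9, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

QID = r"[0-9A-F]{6,}"
ACCEPT = re.compile(rf"postfix/cleanup\[\d+\]: ({QID}): hold: .*?\bfrom=<([^>]*)> to=<([^>]*)>")
REQUEUE = re.compile(rf"MailScanner\[\d+\]: Requeue: ({QID})\.\w+ to ({QID})")
DELIVER = re.compile(rf"postfix/smtp\[\d+\]: ({QID}): to=<([^>]*)>,(?: orig_to=<([^>]*)>,)? relay=")

def trace(log_text):
    """Join each inbound queue ID to its post-scan queue ID and collect recipients.
    Assumes one recipient per message (nrcpt=1), as in the thread's excerpts."""
    msgs, by_out = {}, {}
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            qid, sender, rcpt = m.groups()
            msgs[qid] = {"in_qid": qid, "out_qid": None, "from": sender,
                         "accepted_to": rcpt.lower(), "relayed_to": None, "orig_to": None}
        elif m := REQUEUE.search(line):
            if m[1] in msgs:
                msgs[m[1]]["out_qid"] = m[2]
                by_out[m[2]] = msgs[m[1]]
        elif m := DELIVER.search(line):
            if rec := by_out.get(m[1]):
                rec["relayed_to"], rec["orig_to"] = m[2].lower(), m[3]
    return list(msgs.values())

def verdict(rec):
    """Say where the recipient changed, judged only from the gateway's own log."""
    if rec["relayed_to"] is None:
        return "not relayed (held, quarantined or still queued)"
    if rec["orig_to"] or rec["relayed_to"] != rec["accepted_to"]:
        return "rewritten on the gateway"
    return "unchanged by the gateway: sender or upstream relay used this address"

if __name__ == "__main__":
    for r in trace(SAMPLE_LOG):
        print(r["in_qid"], "->", r["out_qid"], r["accepted_to"], "->", r["relayed_to"], "|", verdict(r))
```

An "unchanged" verdict means the envelope recipient was already the unexpected address when the gateway accepted the message, so the cause lies with the sender or a relay in front of the gateway.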
Phil
Posts: 11
Joined: 14 Jun 2016 20:25

Re: Email to the wrong mailbox

Post by Phil »

Me = sales@domain.com (intended receiver)
You = bob@domain.com
client = client@clientdomain.com
Scenario: Bob receives the invoice from our client instead of the sales department.

Here is the log from the maillog. (Names replaced with the above for confidentiality.) Efa received the email to bob@domain.com.

Aug 24 15:50:13 efa postfix/smtpd[7661]: 9A741120067: client=relais.relaisClient[RelaisClientIP]
Aug 24 15:50:16 efa postfix/cleanup[8853]: 9A741120067: hold: header Received: from relais.relaisClient (relais.relaisClient [RelaisClientIP])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??by efa.domain.local  from relais.relaisClient[RelaisClientIP];from=<client@clientdomain.com> to=<bob@domain.com> proto=ESMTP helo=<relais.relaisClient>
Aug 24 15:50:16 efa postfix/cleanup[8853]: 9A741120067: message-id=<8175f30de45f4b70ae2137476f70e96c@exch01.ci.local>
Aug 24 15:50:20 efa MailScanner[4624]: HTML Img tag found in message 9A741120067.A023E from client@clientdomain.com
Aug 24 15:50:25 efa MailScanner[4624]: Requeue: 9A741120067.A023E to A4E79120052
Aug 24 15:50:25 efa MailScanner[4624]: Uninfected: Delivered 1 messages
Aug 24 15:50:25 efa postfix/qmgr[1915]: A4E79120052: from=<client@clientdomain.com>, size=501695, nrcpt=1 (queue active)
Aug 24 15:50:25 efa MailScanner[4624]: Deleted 1 messages from processing-database
Aug 24 15:50:25 efa MailScanner[4624]: MailWatch: Logging message 9A741120067.A023E to SQL
Aug 24 15:50:25 efa MailScanner[4632]: MailWatch: 9A741120067.A023E: Logged to MailWatch SQL
Aug 24 15:50:26 efa postfix/smtp[8839]: A4E79120052: to=<bob@domain.com>, relay=ExchangeIP[ExchangeIP]:25, delay=13, delays=12/0/0/0.28, dsn=2.6.0, status=sent (250 2.6.0 <8175f30de45f4b70ae2137476f70e96c@exch01.ci.local> [InternalId=20117] Queued mail for delivery)
Aug 24 15:50:26 efa postfix/qmgr[1915]: A4E79120052: removed

The weird part is, it happened for that email but the rest before and after were sent to the right person from that client.
It happened to a couple of clients but bob@domain.com is always the same unintended receiver.

For the /var/aliases file, everything looks normal and default, I think.

EDITED:

I checked the router logs and it received the email "from:client@clientdomain.com, to:bob@domain.com" also. Looks like the problem is before eFa. :/

Thanks
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Email to the wrong mailbox

Post by pdwalker »

You've figured it out

It's the client's mail program that's the culprit.

Are they running Outlook by chance?

One neat gotcha that you can do with Outlook is have your address object appear as 'sales@domain' while the actual email attribute is 'bob@domain'.

Or they may have an alias on their server that changes sales to bob. Don't know. It is their system and there is nothing you can do on their side.

If the client is unwilling to fix their problem, or unable, you could set up an Exchange transport rule like:
If mail from client, sent to bob, redirect it to sales.

I strongly do not recommend doing this though.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Email to the wrong mailbox

Post by ovizii »

I was about to suggest the very same thing, it's most probably Outlook on the client side, maybe Outlook's autocomplete is messed up. I'm sure if you ask them to forward you one of these emails as attachments and then look into the headers of that email you will see they were actually writing to bob@domain.com
Phil
Posts: 11
Joined: 14 Jun 2016 20:25

Re: Email to the wrong mailbox

Post by Phil »

At least we know eFa is running well, thx pdwalker for taking the time to look at the problem and thx to ovizii for the good idea.

Thanks