RESOLVED: Missing Child Domain in From: Report Fields

Posted: 10 May 2018 14:11
by skoppes
Hello all,

I've noticed that the child domain used by our students is not properly reported in the From: field in reports and message lists, such as 'Recent Messages' and the 'From:' field when viewing said message. For example, these report the from domain as 'schooldomain.edu' rather than 'my.schooldomain.edu'.

The 'Message Headers' section for the message does properly show the child domain but the From: field right below it does not.
The To: field shows the addresses properly when we send to the child domain. The only problem noted is the From: field.

Email for the child domain is hosted by Google, and incoming email to that domain never touches EFA.

For more fun, child domains do appear to be listed for messages coming from other domains.

Any ideas?

[Edited for clarity]

Re: Missing Child Domain in From: Report Fields

Posted: 10 May 2018 17:26
by henk
Email for the child domain is hosted by Google, and incoming email to that domain never touches EFA.
After reading your post several times, I'm still confused about your issue. When mail to this child domain, hosted by Google, never touches EFA, what's the problem?

Just for clarity add some examples/details.

Re: Missing Child Domain in From: Report Fields

Posted: 10 May 2018 19:11
by skoppes
Yes, figuring out how to describe this issue has been bugging me. I've noticed it for a long time (a year or so?) and just ignored it for that exact reason, but it troubles me that there may be something else going on.

Incoming mail from Internet -> Google-hosted child domain does NOT go through EFA
Outgoing mail from Google-hosted child domain -> Internet does NOT go through EFA

Mail from Internet (including child domain above) -> our on-site domain goes through EFA
Mail from our on-site domain -> Internet (including child domain above) goes through EFA

The oddity is seen when an email comes from the child domain to our on-site domain. The email 'from' address is shown in EFA as 'user@schooldomain.edu' rather than 'user@my.schooldomain.edu'. If I open the message, within the message headers it shows the From: address properly, but on the From: field it shows the incorrect address. Very strange!

This behavior does not manifest for outbound messages - the To: address shows correctly on EFA when we send a message from on-site domain -> child domain.

Re: Missing Child Domain in From: Report Fields

Posted: 10 May 2018 19:22
by skoppes
The first example shows how the message looks in the recent/quarantine lists. The second example shows the message details once you open it up. The From: fields are incorrect, but the From: listed in the message header is correct.

<images removed since issue resolved>

It's very puzzling. I have no idea what to look at next :?

Re: Missing Child Domain in From: Report Fields

Posted: 10 May 2018 20:27
by henk
Explaining a problem can be a real pain in the .. believe me I know :drool:

Maybe someone who knows something about Google can step in..

Just some basics.
dig MX penncommercial.edu
;; ANSWER SECTION:
penncommercial.edu. 839 IN MX 20 mail.penncommercial.edu.
penncommercial.edu. 839 IN MX 10 smtp.penncommercial.edu.

dig mail.penncommercial.edu
mail.penncommercial.edu. 84 IN A 173.13.62.20

[root@sansspam dovecot]# dig MX my.penncommercial.edu
;; ANSWER SECTION:
my.penncommercial.edu. 855 IN MX 5 ALT2.ASPMX.L.GOOGLE.COM.
my.penncommercial.edu. 855 IN MX 10 ALT3.ASPMX.L.GOOGLE.COM.
my.penncommercial.edu. 855 IN MX 10 ALT4.ASPMX.L.GOOGLE.COM.
my.penncommercial.edu. 855 IN MX 1 ASPMX.L.GOOGLE.COM.
my.penncommercial.edu. 855 IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 10 22:03:49 2018
;; MSG SIZE rcvd: 157

dig TXT my.penncommercial.edu

;; ANSWER SECTION:
my.penncommercial.edu. 900 IN TXT "MS=ms16105980"

Re: Missing Child Domain in From: Report Fields

Posted: 03 May 2019 20:53
by skoppes
I must re-visit this issue, because it has become a problem with the insane amount of scam/fraud messages coming through.

I took a deeper look and have determined that the web interface is working properly. The information has been populated incorrectly into the maillog table in the mailscanner database. For example:

SELECT *
FROM maillog
WHERE ID = '06820100BD8.A0723'

timestamp;id;size;from_address;from_domain;to_address;to_domain;subject;...
2019-04-26 14:56:19;06820100BD8.A0723;3571;mytestaccount@schooldomain.edu;schooldomain.edu;me@schooldomain.edu;schooldomain.edu;My PC - Domain Test;...
Fields from_address and from_domain are already bad in the database. They should be 'mytestaccount@my.schooldomain.edu' and 'my.schooldomain.edu'

These appear to come from lines 358 & 359 in /usr/share/MailScanner/perl/custom/MailWatch.pm:

    $msg{from} = $message->{from};
    $msg{from_domain} = $message->{fromdomain};

TxRep is getting the from address correctly - lines 1244-1247 in /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/TxRep.pm:

  my $from   = lc $pms->get('From:addr') || $pms->get('EnvelopeFrom:addr');;
  return 0 unless $from =~ /\S/;
  my $domain = $from;
  $domain =~ s/^.+@//;

Unfortunately, that's as far as I can get. I don't know where to look from here.

Any suggestions?

Re: Missing Child Domain in From: Report Fields

Posted: 16 May 2019 17:46
by skoppes
I FINALLY FIGURED THIS OUT!

EFA, by default, is configured to masquerade (re-write) child domains of its own domain. This causes ANY child domain (of the EFA configured domain) on incoming email to be re-written! This is a default configuration option that is disabled by default in postfix but enabled in EFA!

For example - with EFA configured for foo.com:
From:user@me.foo.com -> becomes -> From:user@foo.com
From:user@bar.foo.com -> becomes -> From:user@foo.com

To fix, edit /etc/postfix/main.cf and comment out the following line:

masquerade_domains = $mydomain

becomes

#masquerade_domains = $mydomain
Don't forget to:
postfix check    # main.cf is a parameter file, not a lookup table, so postmap does not apply to it
postfix reload
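To make the cause concrete, here is an added Python model of the Postfix masquerade_domains rule described in this post. It is written for this thread and is not EFA's or Postfix's own code. It reads a constructed main.cf fragment, applies the rewrite to a constructed inbound message from the child domain, and reproduces the collapsed from_address seen in the maillog row earlier in the thread; with the line commented out the addresses survive intact. The config fragments, message and domain names are constructed; the matching rule, the `!` prefix, and the defaults for masquerade_classes and masquerade_exceptions follow the Postfix documentation, and masquerade_findings is a hypothetical config check added for this example.

```python
import re
from typing import Dict, List

# Constructed main.cf fragments (not copied from any real host). The first
# mirrors the EFA default described in the thread; the second is the fix.
MAIN_CF_EFA_DEFAULT = """\
mydomain = schooldomain.edu
masquerade_domains = $mydomain
"""

MAIN_CF_FIXED = """\
mydomain = schooldomain.edu
#masquerade_domains = $mydomain
"""

# Postfix defaults for the two related parameters (masquerade_exceptions is empty by default).
DEFAULT_MASQUERADE_CLASSES = "envelope_sender, header_sender, header_recipient"
DEFAULT_MASQUERADE_EXCEPTIONS = ""


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal main.cf reader: 'name = value' lines, '#' comments, $name expansion.
    Postfix also supports continuation lines and ${name?value} forms; this
    model does not need them."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    for name in list(params):
        params[name] = re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), params[name])
    return params


def split_list(value: str) -> List[str]:
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def masquerade(address: str, domains: List[str], exceptions: List[str]) -> str:
    """Apply the documented masquerade_domains rule to one address.
    Entries are tried left to right and the first match wins; an entry
    prefixed with '!' protects that domain and its subdomains; local parts
    listed in masquerade_exceptions are never rewritten."""
    local, at, domain = address.rpartition("@")
    if not at or local in exceptions:
        return address
    for entry in domains:
        protect = entry.startswith("!")
        target = entry[1:] if protect else entry
        if domain == target or domain.endswith("." + target):
            return address if protect else f"{local}@{target}"
    return address


def apply_masquerade(message: Dict[str, str], params: Dict[str, str]) -> Dict[str, str]:
    """Rewrite the address classes selected by masquerade_classes in a message
    model keyed by class name; envelope_recipient is left alone unless it is
    added to masquerade_classes."""
    domains = split_list(params.get("masquerade_domains", ""))
    if not domains:
        return dict(message)
    classes = split_list(params.get("masquerade_classes", DEFAULT_MASQUERADE_CLASSES))
    exceptions = split_list(params.get("masquerade_exceptions", DEFAULT_MASQUERADE_EXCEPTIONS))
    rewritten = dict(message)
    for cls in classes:
        if cls in rewritten:
            rewritten[cls] = masquerade(rewritten[cls], domains, exceptions)
    return rewritten


def masquerade_findings(params: Dict[str, str]) -> List[str]:
    """Hypothetical config check: report an active masquerade_domains entry so
    an operator can see why the gateway logs the parent domain for subdomain mail."""
    findings = []
    classes = params.get("masquerade_classes", DEFAULT_MASQUERADE_CLASSES)
    for entry in split_list(params.get("masquerade_domains", "")):
        if not entry.startswith("!"):
            findings.append(f"subdomains of {entry} are rewritten to {entry} (classes: {classes})")
    return findings


# Constructed inbound message from a student on the Google-hosted child domain.
INBOUND_FROM_CHILD = {
    "envelope_sender": "mytestaccount@my.schooldomain.edu",
    "envelope_recipient": "me@schooldomain.edu",
    "header_sender": "mytestaccount@my.schooldomain.edu",
    "header_recipient": "me@schooldomain.edu",
}

if __name__ == "__main__":
    for label, cfg in (("EFA default", MAIN_CF_EFA_DEFAULT), ("fixed", MAIN_CF_FIXED)):
        params = parse_main_cf(cfg)
        print(label, masquerade_findings(params) or ["masquerade_domains not set"])
        print("  sender as logged:", apply_masquerade(INBOUND_FROM_CHILD, params)["envelope_sender"])
```

With the EFA default the model logs the sender as mytestaccount@schooldomain.edu, exactly the value stored in the maillog row above, and with the line commented out it keeps my.schooldomain.edu. The same function shows the other defaults worth knowing before relying on masquerading elsewhere: the first matching entry wins, so a longer subdomain must be listed before its parent to be preserved, and the envelope recipient is not rewritten unless masquerade_classes is extended.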