Hello all,
I've noticed that the child domain used by our students is not properly reported in the From: field in reports and message lists, such as 'Recent Messages' and the 'From:' field when viewing said message. For example, these report the from domain as 'schooldomain.edu' rather than 'my.schooldomain.edu'
The 'Message Headers' section for the message does properly show the child domain but the From: field right below it does not.
The To: field shows the addresses properly when we send to the child domain. The only problem noted is the From: field.
Email for the child domain is hosted by Google, and incoming email to that domain never touches EFA.
For more fun, child domains do appear to be listed for messages coming from other domains.
Any ideas?
[Edited for clarity]
RESOLVED: Missing Child Domain in From: Report Fields
Last edited by skoppes on 16 May 2019 18:04, edited 1 time in total.
Re: Missing Child Domain in From: Report Fields
After reading your post several times, I'm still confused about your issue. When mail to this child domain, hosted by Google, never touches EFA, what's the problem?
Just for clarity add some examples/details.
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Re: Missing Child Domain in From: Report Fields
Yes, figuring out how to describe this issue has been bugging me. I've noticed it for a long time (a year or so?) and just ignored it for that exact reason, but it troubles me that there may be something else going on.
Incoming mail from Internet -> Google-hosted child domain does NOT go through EFA
Outgoing mail from Google-hosted child domain -> Internet does NOT go through EFA
Mail from Internet (including child domain above) -> our on-site domain goes through EFA
Mail from our on-site domain -> Internet (including child domain above) goes through EFA
The oddity is seen when an email comes from the child domain to our on-site domain. The email 'from' address is shown in EFA as 'user@schooldomain.edu' rather than 'user@my.schooldomain.edu'. If I open the message, within the message headers it shows the From: address properly, but on the From: field it shows the incorrect address. Very strange!
This behavior does not manifest for outbound messages - the To: address shows correctly on EFA when we send a message from on-site domain -> child domain.
Re: Missing Child Domain in From: Report Fields
The first example shows how the message looks in the recent/quarantine lists. The second example shows the message details once you open it up. The From: fields are incorrect, but the From: listed in the message header is correct.
<images removed since issue resolved>
It's very puzzling. I have no idea what to look at next
Last edited by skoppes on 16 May 2019 17:50, edited 1 time in total.
Re: Missing Child Domain in From: Report Fields
Explaining a problem can be a real pain in the .. believe me, I know
Maybe someone who knows something about Google can step in..
Just some basics.
dig MX penncommercial.edu
;; ANSWER SECTION:
penncommercial.edu. 839 IN MX 20 mail.penncommercial.edu.
penncommercial.edu. 839 IN MX 10 smtp.penncommercial.edu.
dig mail.penncommercial.edu
mail.penncommercial.edu. 84 IN A 173.13.62.20
[root@sansspam dovecot]# dig MX my.penncommercial.edu
;; ANSWER SECTION:
my.penncommercial.edu. 855 IN MX 5 ALT2.ASPMX.L.GOOGLE.COM.
my.penncommercial.edu. 855 IN MX 10 ALT3.ASPMX.L.GOOGLE.COM.
my.penncommercial.edu. 855 IN MX 10 ALT4.ASPMX.L.GOOGLE.COM.
my.penncommercial.edu. 855 IN MX 1 ASPMX.L.GOOGLE.COM.
my.penncommercial.edu. 855 IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 10 22:03:49 2018
;; MSG SIZE rcvd: 157
dig TXT my.penncommercial.edu
;; ANSWER SECTION:
my.penncommercial.edu. 900 IN TXT "MS=ms16105980"
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Re: Missing Child Domain in From: Report Fields
I must re-visit this issue, because it has become a problem with the insane amount of scam/fraud messages coming through.
I took a deeper look and have determined that the web interface is working properly. The information has been populated incorrectly into the maillog table in the mailscanner database. For example:
SELECT *
FROM maillog
WHERE ID = '06820100BD8.A0723'
timestamp;id;size;from_address;from_domain;to_address;to_domain;subject;...
2019-04-26 14:56:19;06820100BD8.A0723;3571;mytestaccount@schooldomain.edu;schooldomain.edu;me@schooldomain.edu;schooldomain.edu;My PC - Domain Test;...
Fields from_address and from_domain are already bad in the database. They should be 'mytestaccount@my.schooldomain.edu' and 'my.schooldomain.edu'.
These appear to come from lines 358 & 359 in /usr/share/MailScanner/perl/custom/MailWatch.pm:
$msg{from} = $message->{from};
$msg{from_domain} = $message->{fromdomain};
TxRep is getting the from address correctly - lines 1244-1247 in /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/TxRep.pm:
my $from = lc $pms->get('From:addr') || $pms->get('EnvelopeFrom:addr');;
return 0 unless $from =~ /\S/;
my $domain = $from;
$domain =~ s/^.+@//;
Unfortunately, that's as far as I can get. I don't know where to look from here.
Any suggestions?
Re: Missing Child Domain in From: Report Fields
I FINALLY FIGURED THIS OUT!
EFA, by default, is configured to masquerade (re-write) child domains of its own domain. This causes ANY child domain (of the EFA configured domain) on incoming email to be re-written! This is a default configuration option that is disabled by default in postfix but enabled in EFA!
For example - with EFA configured for foo.com:
From:user@me.foo.com -> becomes -> From:user@foo.com
From:user@bar.foo.com -> becomes -> From:user@foo.com
To fix, edit /etc/postfix/main.cf and comment out the following line:
masquerade_domains = $mydomain
becomes
#masquerade_domains = $mydomain
Don't forget to:
postmap /etc/postfix/main.cf
postfix reload
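
The rewrite described in the post above, modeled as an added example (not code from the thread, EFA or Postfix): it follows Postfix's documented masquerade_domains matching, where the list is read left to right, the first match wins, and a "!" prefix exempts a domain and its subdomains. The function names and the sample addresses (built from the thread's foo.com example) are constructed for illustration.

```python
# Added illustration: a small model of Postfix's documented masquerade_domains
# matching. It is not Postfix code; names and sample data are constructed.

def masquerade(address, masquerade_domains, exceptions=()):
    """Return the address as address masquerading would rewrite it.

    masquerade_domains: entries processed left to right, first match wins.
    An entry prefixed with "!" exempts that domain and its subdomains.
    exceptions: user names never masqueraded (models masquerade_exceptions).
    """
    local, sep, domain = address.rpartition("@")
    if not sep or local.lower() in {e.lower() for e in exceptions}:
        return address
    dom = domain.lower()
    for entry in masquerade_domains:
        exempt = entry.startswith("!")
        masq = (entry[1:] if exempt else entry).lower()
        if dom == masq:
            return address              # exact match: nothing to strip, stop
        if dom.endswith("." + masq):
            if exempt:
                return address          # exempted child domain, stop
            return f"{local}@{masq}"    # child-domain labels are stripped
    return address


def audit(senders, masquerade_domains):
    """List (original, rewritten) pairs for senders whose domain would change."""
    pairs = [(s, masquerade(s, masquerade_domains)) for s in senders]
    return [(before, after) for before, after in pairs if before != after]


# Constructed sample senders using the thread's foo.com example.
SAMPLE = ["user@me.foo.com", "user@bar.foo.com", "user@foo.com",
          "user@other.example"]

if __name__ == "__main__":
    print("masquerade_domains = foo.com")
    for before, after in audit(SAMPLE, ["foo.com"]):
        print(f"  {before} -> {after}")
    print("masquerade_domains = !me.foo.com foo.com")
    for before, after in audit(SAMPLE, ["!me.foo.com", "foo.com"]):
        print(f"  {before} -> {after}")
```

On the gateway itself, `postconf -n masquerade_domains` shows whether the parameter is still set in main.cf after the change.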