Hi,

We seem to have a problem using LMTP over TCP where the receiving system
accepts a RCPT TO: with local-part and domain.

The relevant .mc information:
Mlmtpalumnus, P=[IPC], F=ClsDFMnqXzA [at] /:|m,
S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, E=\r\n,
T=DNS/RFC822/SMTP,
A=TCP $h 2003

I thought the F= [at] should add the domain part.

Mailertable:
linux039.utsp.utwente.nl lmtpalumnus:[linux039.utsp.utwente.nl]

Virtusertable:
test1 [at] alumnus.utwente.net test1 [at] linux039.utsp.utwente.nl

Sendmail logging:
Nov 7 16:28:11 netlx094 sendmail-in[10074]: lA7FSBYl010074:
from=<p.g.m.peters [at] student.utwente.nl>, size=1614, class=0, nrcpts=1,
msgid=<4731D98B.1030407 [at] student.utwente.nl>, proto=ESMTP, daemon=SMTP,
relay=itbe-tens042.itbe.utwente.nl [130.89.36.4]
Nov 7 16:28:11 netlx094 sendmail-in[10074]: lA7FSBYl010074:
to=<test1 [at] alumnus.utwente.net>, delay=00:00:00, mailer=lmtpalumnus,
pri=31614, stat=queued
Nov 7 16:28:22 netlx094 sendmail[10098]: lA7FSBYl010074:
to=<test1 [at] alumnus.utwente.net>, delay=00:00:11, xdelay=00:00:00,
mailer=lmtpalumnus, pri=121614, relay=linux039.utsp.utwente.nl.
[130.89.1.116], dsn=5.1.3, stat=Service unavailable
Nov 7 16:28:22 netlx094 sendmail[10098]: lA7FSBYl010074:
lA7FSMtt010098: DSN: Service unavailable

And the transaction log at the LMTP server:
LOG: Starting LMTP server connection
LOG:
LOG: Sending greeting
LOG: S: 220 UTAlumniPortal LMTP server ready
LOG: C: LHLO smtp.utwente.nl
LOG: S: 250-UTAlumniPortal greets smtp.utwente.nl
LOG: S: 250-PIPELINING
LOG: S: 250 ENHANCEDSTATUSCODES
LOG: C: MAIL From:<p.g.m.peters [at] student.utwente.nl>
LOG: S: 250 2.1.0 Originator <p.g.m.peters [at] student.utwente.nl> ok
LOG: C: RCPT To:<test1>
LOG: S: 500 5.1.3 This mail address does not compute.
LOG: C: DATA
LOG: S: 503 5.5.0 And who do you want me to send this message to?
LOG: C: RSET
LOG: S: 250 2.5.0 All state has been thrown away.
LOG: C: QUIT
LOG: S: 221 2.5.0 Sorry to see you go. See you next time!
LOG: Finished LMTP server connection
LOG:

Sendmail version:
220 smtp.utwente.nl ESMTP Sendmail 8.12.10/8.12.10/SuSE Linux 0.7; Fri,
9 Nov 2007 09:52:40 +0100

Peter Peters
--
Peter Peters

Peter Peters <p.g.m.peters [at] misc.utwente.nl> writes:
> We seem to have a problem using LMTP over TCP where the receiving system
> accepts a RCPT TO: with local-part and domain.
>
> The relevant .mc information:
> Mlmtpalumnus, P=[IPC], F=ClsDFMnqXzA [at] /:|m,
> S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, E=\r\n,
> T=DNS/RFC822/SMTP,
> A=TCP $h 2003
>
> I thought the F= [at] should add the domain part.
> [...]

0) Make sure you use smtp mailer
1) Change "R=EnvToL/HdrToL" to "R=EnvToSMTP/HdrToL" in Mlmtpalumnus

The rule set specified between R= and / rewrites envelope recipient.
EnvToL rule set strips domain part of email address.

--
[pl>en: Andrew] Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

On Fri, 09 Nov 2007 10:02:20 +0100, Andrzej Adam Filip <anfi [at] onet.eu>
wrote:

>Peter Peters <p.g.m.peters [at] misc.utwente.nl> writes:
>> We seem to have a problem using LMTP over TCP where the receiving system
>> accepts a RCPT TO: with local-part and domain.
>>
>> The relevant .mc information:
>> Mlmtpalumnus, P=[IPC], F=ClsDFMnqXzA [at] /:|m,
>> S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, E=\r\n,
>> T=DNS/RFC822/SMTP,
>> A=TCP $h 2003
>>
>> I thought the F= [at] should add the domain part.
>> [...]
>
>0) Make sure you use smtp mailer
>1) Change "R=EnvToL/HdrToL" to "R=EnvToSMTP/HdrToL" in Mlmtpalumnus
>
>The rule set specified between R= and / rewrites envelope recipient.
>EnvToL rule set strips domain part of email address.

Thanks. This did do the trick.

Now the linux039.utsp.utwente.nl does not allow relaying for local
( [at] linux039.utsp.utwente.nl) accounts. But that is something for the
people writing configuring that server.

--
Peter Peters

Peter Peters <p.g.m.peters [at] misc.utwente.nl> writes:

> On Fri, 09 Nov 2007 10:02:20 +0100, Andrzej Adam Filip <anfi [at] onet.eu>
> wrote:
>
>>Peter Peters <p.g.m.peters [at] misc.utwente.nl> writes:
>>> We seem to have a problem using LMTP over TCP where the receiving system
>>> accepts a RCPT TO: with local-part and domain.
>>>
>>> The relevant .mc information:
>>> Mlmtpalumnus, P=[IPC], F=ClsDFMnqXzA [at] /:|m,
>>> S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, E=\r\n,
>>> T=DNS/RFC822/SMTP,
>>> A=TCP $h 2003
>>>
>>> I thought the F= [at] should add the domain part.
>>> [...]
>>
>>0) Make sure you use smtp mailer
>>1) Change "R=EnvToL/HdrToL" to "R=EnvToSMTP/HdrToL" in Mlmtpalumnus
>>
>>The rule set specified between R= and / rewrites envelope recipient.
>>EnvToL rule set strips domain part of email address.
>
> Thanks. This did do the trick.
>
> Now the linux039.utsp.utwente.nl does not allow relaying for local
> ( [at] linux039.utsp.utwente.nl) accounts. But that is something for the
> people writing configuring that server.

1) You can take a look at RTCyrus3 how to make sendmail pass *some*
local domains to custom mailer *without* striping domain name:
http://sourceforge.net/projects/open-sendmail/

Be warned: local mailer strips domain but sendmail.cf also strips domain
even before selecting local mailer (or mailer specified via
confLOCAL_MAILER).

2) Do you verify addresses accepted by cyrus before "RCPT TO:" reply?
[ it is approach "promoted" by spammers ]

--
[pl>en: Andrew] Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

On Fri, 09 Nov 2007 23:07:37 +0100, Andrzej Adam Filip <anfi [at] onet.eu>
wrote:

>1) You can take a look at RTCyrus3 how to make sendmail pass *some*
> local domains to custom mailer *without* striping domain name:
> http://sourceforge.net/projects/open-sendmail/

Thanks for the link.

>Be warned: local mailer strips domain but sendmail.cf also strips domain
>even before selecting local mailer (or mailer specified via
>confLOCAL_MAILER).
>
>2) Do you verify addresses accepted by cyrus before "RCPT TO:" reply?
> [ it is approach "promoted" by spammers ]

What do you mean with this?
We check all our addresses (except some departments that refused until
recently to give the central department their addresses) at connection
time (with delay-check).

Peter Peters <p.g.m.peters [at] misc.utwente.nl> writes:

> On Fri, 09 Nov 2007 23:07:37 +0100, Andrzej Adam Filip <anfi [at] onet.eu>
> wrote:
>> [...]
>>2) Do you verify addresses accepted by cyrus before "RCPT TO:" reply?
>> [ it is approach "promoted" by spammers ]
>
> What do you mean with this?
> We check all our addresses (except some departments that refused until
> recently to give the central department their addresses) at connection
> time (with delay-check).

Many of sendmail and Cyrus-IMAP integration methods implement (bad)
"accept now, send bounce message later" method of handling deliveries
to non existing Cyrus-IMAP mailboxes.

Backscatter is a bad thing (you wrote you avoided it).

--
[pl>en: Andrew] Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

On Mon, 12 Nov 2007 12:52:24 +0100, Andrzej Adam Filip <anfi [at] onet.eu>
wrote:

>>>2) Do you verify addresses accepted by cyrus before "RCPT TO:" reply?
>>> [ it is approach "promoted" by spammers ]
>>
>> What do you mean with this?
>> We check all our addresses (except some departments that refused until
>> recently to give the central department their addresses) at connection
>> time (with delay-check).
>
>Many of sendmail and Cyrus-IMAP integration methods implement (bad)
>"accept now, send bounce message later" method of handling deliveries
>to non existing Cyrus-IMAP mailboxes.

We have almost all of our addresses in the sendmail frontend to our
Exchange mailboxservers. We test on them in the connection phase. We
still are working on getting the other (appr. 10%) of addresses from the
departments that did not yet deliver them.

>Backscatter is a bad thing (you wrote you avoided it).

I know. I have once been the victim of a backscatter attack. I ended up
with over 10.000 bounces a day in my mailbox for about a week.

--
Peter Peters

On 11/13/07 05:12, Peter Peters wrote:
> I know. I have once been the victim of a backscatter attack. I ended
> up with over 10.000 bounces a day in my mailbox for about a week.

Ouch!

Were those bounces that your system sent or some from other systems from
email that spoofed your site as the sender? If it was the former you
can resolve it. If it was the latter, you are sort of up a creek. SPF
will help, but not completely resolve it. If all your email passes out
through your servers you could look in to something like milter-null
which will add a header (of your choosing) to the original message and
reject any DSNs that do not have said header (white listing is of course
possible).



Grant. . . .

On Tue, 13 Nov 2007 09:16:43 -0600, Grant Taylor
<gtaylor [at] riverviewtech.net> wrote:

>Were those bounces that your system sent or some from other systems from
>email that spoofed your site as the sender? If it was the former you
>can resolve it.

Remember the big spamrun with racists German spam a couple of years ago?
My e-mail address was used in about a milion of those messages.

>If it was the latter, you are sort of up a creek. SPF
>will help, but not completely resolve it.

If we use SPF we would have to allow sending mail from all over the
world. People want to use their local providers mailserver (because they
do that for all their mail) and not needing to change it when they send
mail from their universities address.

>If all your email passes out
>through your servers you could look in to something like milter-null
>which will add a header (of your choosing) to the original message and
>reject any DSNs that do not have said header (white listing is of course
>possible).

You mean SRS? We are looking into that. But I want to throughly test
that. And at the moment we don't have a testmachine for our e-mail
configuration. It went up in smoke when our datacenter burned down.

--
Peter Peters

Peter Peters <p.g.m.peters [at] misc.utwente.nl> writes:
> [...]
> If we use SPF we would have to allow sending mail from all over the
> world. People want to use their local providers mailserver (because
> they do that for all their mail) and not needing to change it when
> they send mail from their universities address.

It is a users' software or your "peopleware relations" problem?

> [...]

--
[pl>en: Andrew] Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

On Wed, 14 Nov 2007 09:02:48 +0100, Andrzej Adam Filip <anfi [at] onet.eu>
wrote:

>Peter Peters <p.g.m.peters [at] misc.utwente.nl> writes:
>> [...]
>> If we use SPF we would have to allow sending mail from all over the
>> world. People want to use their local providers mailserver (because
>> they do that for all their mail) and not needing to change it when
>> they send mail from their universities address.
>
>It is a users' software or your "peopleware relations" problem?

It is caused by a number of problems. Part is the software the users use
(on systems not managed by us). And there are users who are in networks
where they can't (because of local policies) connect to our systems.

--
Peter Peters