550 Delivery is not allowed to this address

RvdH
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Post by RvdH » 2017-06-20 12:47

I have noticed something weird in my logs...

It seems to be a read receipt, hence the empty sender address (MAIL FROM: <>)

Code: Select all

"SMTPD" 7252 108816 "2017-06-20 11:37:34.180" "[remote ipaddress]" "SENT: 220 mail.mailserver.com ESMTP"
"SMTPD" 7460 108816 "2017-06-20 11:37:34.211" "[remote ipaddress]" "RECEIVED: EHLO DELL-LAPTOP"
"SMTPD" 7460 108816 "2017-06-20 11:37:34.260" "[remote ipaddress]" "SENT: 250-mail.mailserver.com [nl]250-SIZE 40960000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 7252 108816 "2017-06-20 11:37:34.292" "[remote ipaddress]" "RECEIVED: AUTH LOGIN"
"SMTPD" 7252 108816 "2017-06-20 11:37:34.292" "[remote ipaddress]" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 7460 108816 "2017-06-20 11:37:34.323" "[remote ipaddress]" "RECEIVED: [USERNAME]
"SMTPD" 7460 108816 "2017-06-20 11:37:34.323" "[remote ipaddress]" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 6416 108816 "2017-06-20 11:37:34.354" "[remote ipaddress]" "RECEIVED: [PASSWORD]
"SMTPD" 6416 108816 "2017-06-20 11:37:34.370" "[remote ipaddress]" "SENT: 235 authenticated."
"SMTPD" 7252 108816 "2017-06-20 11:37:34.416" "[remote ipaddress]" "RECEIVED: MAIL FROM: <>"
"SMTPD" 7252 108816 "2017-06-20 11:37:34.432" "[remote ipaddress]" "SENT: 250 OK"
"SMTPD" 6416 108816 "2017-06-20 11:37:34.463" "[remote ipaddress]" "RECEIVED: RCPT TO: <info@remoteaddress.com>"
"SMTPD" 6416 108816 "2017-06-20 11:37:34.463" "[remote ipaddress]" "SENT: 550 Delivery is not allowed to this address."
"SMTPD" 7460 108816 "2017-06-20 11:37:37.006" "[remote ipaddress]" "RECEIVED: QUIT"
"SMTPD" 7460 108816 "2017-06-20 11:37:37.006" "[remote ipaddress]" "SENT: 221 goodbye"

As the user authenticated successfully, I assumed this would be treated as being a "local" address.

Does anyone have an idea what the problem can be?


Note: 'Allow empty sender address' is checked in SMTP protocol settings
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
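
To count how many sessions hit the pattern in the log excerpt above (successful AUTH, `MAIL FROM: <>`, then the 550 on RCPT TO), the SMTPD log can be scanned per session. This is an added example, not part of the original post or of hMailServer; the function names and the sample lines are constructed, and treating the third column as the session id is an assumption read off the excerpt.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample in the layout of the excerpt above (placeholder addresses).
const char* kSampleLog = R"LOG("SMTPD" 7252 200001 "2017-06-20 11:37:34.292" "192.0.2.10" "RECEIVED: AUTH LOGIN"
"SMTPD" 6416 200001 "2017-06-20 11:37:34.370" "192.0.2.10" "SENT: 235 authenticated."
"SMTPD" 7252 200001 "2017-06-20 11:37:34.416" "192.0.2.10" "RECEIVED: MAIL FROM: <>"
"SMTPD" 7252 200001 "2017-06-20 11:37:34.432" "192.0.2.10" "SENT: 250 OK"
"SMTPD" 6416 200001 "2017-06-20 11:37:34.463" "192.0.2.10" "RECEIVED: RCPT TO: <info@remote.example>"
"SMTPD" 6416 200001 "2017-06-20 11:37:34.463" "192.0.2.10" "SENT: 550 Delivery is not allowed to this address."
"SMTPD" 7460 200002 "2017-06-20 11:40:01.100" "192.0.2.11" "SENT: 235 authenticated."
"SMTPD" 7460 200002 "2017-06-20 11:40:01.150" "192.0.2.11" "RECEIVED: MAIL FROM: <alice@local.example>"
"SMTPD" 7460 200002 "2017-06-20 11:40:01.200" "192.0.2.11" "RECEIVED: RCPT TO: <bob@remote.example>"
"SMTPD" 7460 200002 "2017-06-20 11:40:01.210" "192.0.2.11" "SENT: 250 OK"
"SMTPD" 7300 200003 "2017-06-20 11:41:12.000" "198.51.100.7" "RECEIVED: mail from:<>"
"SMTPD" 7300 200003 "2017-06-20 11:41:12.050" "198.51.100.7" "RECEIVED: RCPT TO: <x@remote.example>"
"SMTPD" 7300 200003 "2017-06-20 11:41:12.060" "198.51.100.7" "SENT: 550 Delivery is not allowed to this address."
)LOG";

struct Finding { std::string session; std::string recipient; };
struct State { bool authenticated = false; bool nullSender = false; std::string lastRcpt; };

// Copies the text after `marker` (minus the closing quote) into `out`.
static bool payloadAfter(const std::string& line, const std::string& marker, std::string& out) {
    const auto pos = line.find(marker);
    if (pos == std::string::npos) return false;
    out = line.substr(pos + marker.size());
    while (!out.empty() && (out.back() == '"' || out.back() == '\r')) out.pop_back();
    return true;
}

// SMTP verbs are case-insensitive; `prefix` must be given in upper case.
static bool startsWithNoCase(const std::string& s, const std::string& prefix) {
    if (s.size() < prefix.size()) return false;
    for (size_t i = 0; i < prefix.size(); ++i)
        if (std::toupper(static_cast<unsigned char>(s[i])) != prefix[i]) return false;
    return true;
}

// Returns the address between '<' and '>', or the input if there are no brackets.
static std::string angleAddr(const std::string& s) {
    const auto lt = s.find('<'), gt = s.find('>');
    if (lt == std::string::npos || gt == std::string::npos || gt < lt) return s;
    return s.substr(lt + 1, gt - lt - 1);
}

// Sessions where an authenticated client used the empty sender and was refused.
std::vector<Finding> refusedNullSenderSessions(const std::string& log) {
    std::map<std::string, State> sessions;
    std::vector<Finding> findings;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string type, thread, session;
        if (!(fields >> type >> thread >> session) || type != "\"SMTPD\"") continue;
        State& st = sessions[session];
        std::string text;
        if (payloadAfter(line, "\"RECEIVED: ", text)) {
            if (startsWithNoCase(text, "MAIL FROM:"))
                st.nullSender = angleAddr(text.substr(10)).empty();
            else if (startsWithNoCase(text, "RCPT TO:"))
                st.lastRcpt = angleAddr(text.substr(8));
        } else if (payloadAfter(line, "\"SENT: ", text)) {
            if (text.rfind("235", 0) == 0)
                st.authenticated = true;
            else if (text.rfind("550 Delivery is not allowed", 0) == 0 &&
                     st.authenticated && st.nullSender)
                findings.push_back({session, st.lastRcpt});
        }
    }
    return findings;
}

int main() {
    for (const Finding& f : refusedNullSenderSessions(kSampleLog))
        std::cout << "session " << f.session << ": authenticated empty-sender mail to <"
                  << f.recipient << "> refused\n";
    return 0;
}
```

Session 200003 in the sample is refused as well but is not reported, because that client never authenticated.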

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Post by jimimaseye » 2017-06-20 13:02

I think it is right.

The absence of the FROM address means there is not a match to a local domain and therefore this is being seen as an EXTERNAL to EXTERNAL delivery. I wouldn't expect being authenticated as making any difference except in whether you 'Allow Ext to Ext With Authentication'. (Authentication taking place only really determines whether you are trusted or not and therefore exempts you from Spam checking).

One could argue that authenticating should then assume an empty FROM is a local domain but then you could argue "what if it isn't?" - it would then be wrong to make such an assumption.

I presume if you have DEFAULT DOMAIN set then it wouldn't happen. Does it?
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by RvdH » 2017-06-20 13:06

jimimaseye wrote: I think it is right.

The absence of the FROM address means there is not a match to a local domain and therefore this is being seen as an EXTERNAL to EXTERNAL delivery. I wouldn't expect being authenticated as making any difference except in whether you 'Allow Ext to Ext With Authentication'. (Authentication taking place only really determines whether you are trusted or not and therefore exempts you from Spam checking).

One could argue that authenticating should then assume an empty FROM is a local domain but then you could argue "what if it isn't?" - it would then be wrong to make such an assumption.
this post says otherwise
jimimaseye wrote: I presume if you have DEFAULT DOMAIN set then it wouldn't happen. Does it?
No idea...will have to try that

Post by jimimaseye » 2017-06-20 13:19

RvdH wrote:
jimimaseye wrote: I think it is right.

The absence of the FROM address means there is not a match to a local domain and therefore this is being seen as an EXTERNAL to EXTERNAL delivery. I wouldn't expect being authenticated as making any difference except in whether you 'Allow Ext to Ext With Authentication'. (Authentication taking place only really determines whether you are trusted or not and therefore exempts you from Spam checking).

One could argue that authenticating should then assume an empty FROM is a local domain but then you could argue "what if it isn't?" - it would then be wrong to make such an assumption.
this post says otherwise
Good spot. So the action does seem to counter the intention according to that post in 2009. Here's a thought though: early versions of HMS didn't refer to LOCAL as by domain. And that is borne out by his comment:
In version 4.x and 5.0, a sender is considered local if he is sending from a local account address OR or if he has authenticated.
But now we have it purely based on DOMAIN existence - something that we acknowledge and adhere to every day (as written in the documentation too). In the *old days* there were only 2 or 3 combinations for 'allow deliveries', now there are 4 combinations - a sign that these versions do things differently. My conclusion is that Martin's post (referenced) in 2009 belongs to old functionality and doesn't fit the current methods.

Post by RvdH » 2017-06-20 13:24

Spot on!

I have been looking in the source, no reference to authentication whatsoever

Code: Select all

   /*
      Returns true if 
      - the domain-part of the email matches an active local domain.
      - the sender address matches a route address.
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
       if (sender_domain_ && sender_domain_->GetIsActive())
          return true;

       const String senderAddress = current_message_->GetFromAddress();

       String senderDomainName = StringParser::ExtractDomain(senderAddress);
       std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

       if (route)
       {
          if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
          {
             if (route->GetTreatSenderAsLocalDomain())
                return true;
          }
       }       

       // Does not match a local domain or route.
       return false;
   }

Post by RvdH » 2017-06-20 13:26

So basically my only option is to enable external to external deliveries for the internet ip-range (with authentication only!)?

That doesn't sound right, does it?

Post by jimimaseye » 2017-06-20 13:30

Reckon so. Or don't have blank FROMs if possible. (Can't you do "donotreply@localdomain" instead?) Although technically not against the rules or wrong, blank FROMs are not that common and are frowned upon by some systems. (Even HMS has the option to allow them or not).

Or a script that looks for these mails and changes/reconfigures the outgoing email accordingly? (Hard work though).

Post by RvdH » 2017-06-20 13:35

The blank FROM addresses are caused by Outlook, not much I can do about that I guess

Maybe I should 'fix' the code ;)

Code: Select all

   /*
      Returns true if 
      - the domain-part of the email matches an active local domain.
      - the sender address matches a route address.
      - the sender is authenticated
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
       if (isAuthenticated_)
          return true;
         
       if (sender_domain_ && sender_domain_->GetIsActive())
          return true;

       const String senderAddress = current_message_->GetFromAddress();

       String senderDomainName = StringParser::ExtractDomain(senderAddress);
       std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

       if (route)
       {
          if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
          {
             if (route->GetTreatSenderAsLocalDomain())
                return true;
          }
       }       

       // Does not match a local domain or route.
       return false;
   }

Post by jimimaseye » 2017-06-20 13:46

What would the FROMADDRESS be? If the receiving server doesn't like blank FROM addresses and it bounces/rejects, then who will get the NDR? mailer_daemon@theauthenticationdomain ?

Post by RvdH » 2017-06-20 13:55

I just did a test here, Outlook 2013....the read receipt is sent with FROM address ....what the hell?

Post by jimimaseye » 2017-06-20 13:58

Google it and you will see LOADS of entries moaning about blanks in Outlook 2016.

Post by RvdH » 2017-06-20 14:06

God damn, typically Microsoft :evil:

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Post by mattg » 2017-06-20 14:07

FWIW I have allow external to external with Auth on my internet IP range, and have always done that, but then I have a script that says that FROM must equal the Authenticated account

There is also a SMTP >> RFC setting about 'allow empty sender address'
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by RvdH » 2017-06-20 14:10

Can a script help here? I mean to fix Outlook 2016's behaviour...
Something like...

Code: Select all

OnSMTPData

If oClient.Username <> "" And Message.FromAddress = "" Then

      ... add FromAddress header with value from oClient.Username 

end if

Post by RvdH » 2017-06-20 15:03

mattg wrote:FWIW I have allow external to external with Auth on my internet IP range, and have always done that, but then I have a script that says that FROM must equal the Authenticated account

There is also a SMTP >> RFC setting about 'allow empty sender address'
Me too for the script part, I use this one: viewtopic.php?t=25938

Post by RvdH » 2017-06-20 22:27

This code seems to be working, any interest in a pull request for this functionality?

Code: Select all

   /*
      Returns true if 
      - the domain-part of the email matches an active local domain.
      - the sender address matches a route address.
      - the sender is authenticated and the domain-part of the username matches an active local domain and no default domain is set
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
       String sDefaultDomain = Configuration::Instance()->GetDefaultDomain();

       if (sDefaultDomain.IsEmpty())
       {
          auth_domain_ = CacheContainer::Instance()->GetDomain(StringParser::ExtractDomain(username_));
          if (isAuthenticated_ && auth_domain_ && auth_domain_->GetIsActive())
             return true;
       }

       if (sender_domain_ && sender_domain_->GetIsActive())
          return true;

       const String senderAddress = current_message_->GetFromAddress();

       String senderDomainName = StringParser::ExtractDomain(senderAddress);
       std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

       if (route)
       {
          if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
          {
             if (route->GetTreatSenderAsLocalDomain())
                return true;
          }
       }       

       // Does not match a local domain or route.
       return false;
   }

Although it could be as simple as this, as the domain has to be active to be able to authenticate:

Code: Select all

   /*
      Returns true if 
      - the domain-part of the email matches an active local domain.
      - the sender address matches a route address.
      - the sender is authenticated and no default domain is set
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
       String sDefaultDomain = Configuration::Instance()->GetDefaultDomain();

       if (sDefaultDomain.IsEmpty() && isAuthenticated_)
          return true;

       if (sender_domain_ && sender_domain_->GetIsActive())
          return true;

       const String senderAddress = current_message_->GetFromAddress();

       String senderDomainName = StringParser::ExtractDomain(senderAddress);
       std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

       if (route)
       {
          if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
          {
             if (route->GetTreatSenderAsLocalDomain())
                return true;
          }
       }       

       // Does not match a local domain or route.
       return false;
   }

Post by mattg » 2017-06-20 23:57

Perhaps allowed by IP range for security purposes

Post by RvdH » 2017-06-21 08:42

mattg wrote:Perhaps allowed by IP range for security purposes
That is a bit tricky, as I have no control over who of our clients is using Outlook 2016 (quite a few after inspecting the logs)

It could be an INI setting though, eg:

Code: Select all

       String sDefaultDomain = Configuration::Instance()->GetDefaultDomain();

       if (IniFileSettings::Instance()->GetAuthUserIsLocal() && sDefaultDomain.IsEmpty() && isAuthenticated_)
          return true;

Post by RvdH » 2017-07-04 10:07

I finally took the time to set up a VM to test this behavior with Office 2016, these are the headers of such a read receipt:

Code: Select all

Return-Path: 
Delivered-To: ruud@domainname.nl
Received: from VM (domainname.nl [IPADDRESS])
	by mailserver with ESMTPSA
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
	; Tue, 4 Jul 2017 01:52:26 +0200
X-AuthUser: test@domainname.nl
From: "Test" <test@domainname.nl>
To: "Ruud" <ruud@domainname.nl>
In-Reply-To: <!&!AAAAAAAAAAAYAAAAAAAAAIOCMpPt0C5Dt51z6h2ej6jCgAAAEAAAAEOa6LbvhRdOqWY6Ez+R5EUBAAAAAA==@domainname.nl>
Subject: Gelezen: test (Gelezen = Read translated in English)
Date: Tue, 4 Jul 2017 01:52:21 +0200
Message-ID: <002401d2e9fe$bba874b0$32f95e10$@domainname.nl>
MIME-Version: 1.0
Content-Type: multipart/report;
	report-type=disposition-notification;
	boundary="----=_NextPart_000_0025_01D2EA0F.7F3144B0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQG2hQXtQCJgCKkX1fR7WmxXU6IBSaJm8v78

As the Return-Path is blank it is more than likely the oMessage.FromAddress value is empty on such a read receipt, eg: that's why it is failing

CraigT
New user
Posts: 17
Joined: 2010-08-12 10:06
Location: Adelaide, Australia

Post by CraigT » 2021-06-03 10:13

Hi all...
So what was the outcome of this? I have users on Office365 trying to send read-receipts that are being dropped with the SENT 550. They are on RvdH's B2555 version. Is there a script or rule that can fix the problem?
Thanks Guys.

Post by mattg » 2021-06-04 00:05

don't know about the B2555 version

This is the latest RvdH build >> viewtopic.php?p=228140#p228140

#9 Treat authenticated users as localsender if the sender is authenticated and AuthUserIsLocal=1 INI setting Office 2016/2019 Bug

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Post by SorenR » 2021-06-04 07:17

IIRC B2538 and B2555 are codewise the same. Martin made some changes to systems testing thus the difference in version numbering.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

Post by CraigT » 2021-06-04 07:57

Thanks Mattg.....that INI setting I assume you refer to hmailserver.ini?

Post by jimimaseye » 2021-06-04 09:06

CraigT wrote:
2021-06-04 07:57
Thanks Mattg.....that INI setting I assume you refer to hmailserver.ini?
Yes under a section

Code: Select all

[Settings]
AuthUserIsLocal=1
[Entered by mobile. Excuse my spelling.]

Post by CraigT » 2021-06-04 09:20

Thanks.

Post by RvdH » 2022-06-16 00:17

For anyone that is interested, this code has changed since but never was posted here, and now reads like:

Code: Select all

   /*
   Returns true if
   - the domain-part of the email matches an active local domain.
   - the sender address matches a route address.
   - the sender is authenticated, AuthUserIsLocal=1 INI setting and allow empty sender address is true
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
      // Workaround for Outlook bug that sends a read-receipt without FromAddress when delivery from external to external e-mail addresses is disallowed 
      // the sender is authenticated and AuthUserIsLocal=1 INI setting and RFC compliance: allow empty sender address is checked
      if (IniFileSettings::Instance()->GetAuthUserIsLocal() && isAuthenticated_ && CheckIfValidSenderAddress(current_message_->GetFromAddress()))
         return true;
      
      if (sender_domain_ && sender_domain_->GetIsActive())
         return true;

      const String senderAddress = current_message_->GetFromAddress();

      String senderDomainName = StringParser::ExtractDomain(senderAddress);
      std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

      if (route)
      {
         if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
         {
            if (route->GetTreatSenderAsLocalDomain())
               return true;
         }
      }

      // Does not match a local domain or route.
      return false;
   }

Post by RvdH » 2022-06-16 01:15

Now I look at this once again this doesn't seem right, as CheckIfValidSenderAddress() also returns true if the senderAddress is not empty and valid, and therefore would accept all authenticated mail as being local which might be a security risk as it bypasses the check if delivery from external to external e-mail addresses is disallowed, not?

True, I also have a script in place that checks if the authenticated user is the same as the sender (if not empty) but maybe, as this is solely created for the Outlook 2016/2019(/2021?) read-receipt bug, it is better to also check if the senderAddress is empty.

Code: Select all

   bool 
   SMTPConnection::CheckIfValidSenderAddress(const String &sFromAddress)
   {
      if (sFromAddress.IsEmpty())
      {
         // The user is trying to send an e-mail without
         // specifying an email address. Should we allow this?
         if (!smtpconf_->GetAllowMailFromNull())
         {
            // Nope, we should'nt... We send the below text even
            // though RFC 822 tells us not to...
            SendErrorResponse_(550, "Sender address must be specified.");             
            return false;
         }
      }
      else
      {
         if (!StringParser::IsValidEmailAddress(sFromAddress))
         {
            // The address is not valid...
            SendErrorResponse_(550, "The address is not valid.");
            return false;
         }
      }

      return true;
   }

Code: Select all

   /*
      Returns true if
      - the domain-part of the email matches an active local domain.
      - the sender address matches a route address.
      - the sender address is empty, the sender is authenticated, AuthUserIsLocal=1 INI setting and RFC compliance: allow empty sender address is checked
   */
   bool
   SMTPConnection::GetIsLocalSender_()
   {
      const String senderAddress = current_message_->GetFromAddress();

      // Workaround for Outlook 2016/2019/2021 bug that sends a read-receipt without FromAddress when delivery from external to external e-mail addresses is disallowed 
      if (IniFileSettings::Instance()->GetAuthUserIsLocal() && isAuthenticated_ && senderAddress.IsEmpty() && CheckIfValidSenderAddress(senderAddress))
         return true;

      if (sender_domain_ && sender_domain_->GetIsActive())
         return true;

      String senderDomainName = StringParser::ExtractDomain(senderAddress);
      std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

      if (route)
      {
         if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
         {
            if (route->GetTreatSenderAsLocalDomain())
               return true;
         }
      }

      // Does not match a local domain or route.
      return false;
   }
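
The difference between the variants of GetIsLocalSender_() discussed above, as an added example that is not hMailServer code: a simplified model (no routes, no per-combination authentication requirements) comparing the domain-only rule, the AuthUserIsLocal check built on CheckIfValidSenderAddress(), and the version that also requires an empty sender. The struct, enum and function names and the example domains are hypothetical.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Hypothetical stand-ins for the state the posted functions read.
struct Session {
    bool authenticated;        // SMTP AUTH succeeded
    std::string mailFrom;      // envelope sender, "" for MAIL FROM:<>
    bool authUserIsLocal;      // AuthUserIsLocal=1 in the INI file
    bool allowEmptySender;     // "Allow empty sender address" setting
    std::set<std::string> activeLocalDomains;
};

// The four "allow deliveries from" combinations of an IP range.
struct IpRange {
    bool localToLocal, localToExternal, externalToLocal, externalToExternal;
};

enum class Variant { DomainOnly, AnyAuthenticated, AuthenticatedEmptySender };

static std::string domainOf(const std::string& address) {
    const auto at = address.rfind('@');
    if (at == std::string::npos) return "";
    std::string domain = address.substr(at + 1);
    std::transform(domain.begin(), domain.end(), domain.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return domain;
}

// Same decision shape as the posted CheckIfValidSenderAddress(): an empty sender
// passes only when empty senders are allowed, a non-empty one when well formed.
static bool senderAddressAccepted(const Session& s) {
    if (s.mailFrom.empty()) return s.allowEmptySender;
    const auto at = s.mailFrom.find('@');
    return at != std::string::npos && at > 0 && at + 1 < s.mailFrom.size();
}

bool isLocalSender(const Session& s, Variant v) {
    const bool authShortcut =
        s.authUserIsLocal && s.authenticated && senderAddressAccepted(s);
    if (v == Variant::AnyAuthenticated && authShortcut) return true;
    if (v == Variant::AuthenticatedEmptySender && authShortcut && s.mailFrom.empty())
        return true;
    return s.activeLocalDomains.count(domainOf(s.mailFrom)) > 0;
}

// true = RCPT TO accepted, false = "550 Delivery is not allowed to this address."
bool deliveryAllowed(const Session& s, const IpRange& r, const std::string& rcpt, Variant v) {
    const bool fromLocal = isLocalSender(s, v);
    const bool toLocal = s.activeLocalDomains.count(domainOf(rcpt)) > 0;
    if (fromLocal) return toLocal ? r.localToLocal : r.localToExternal;
    return toLocal ? r.externalToLocal : r.externalToExternal;
}

// Range as in the thread: everything allowed except external to external.
const IpRange kNoRelay{true, true, true, false};

// Constructed session: one local domain, both settings switched on.
Session makeSession(bool authenticated, const std::string& mailFrom) {
    return Session{authenticated, mailFrom, true, true, {"local.example"}};
}

int main() {
    const Variant variants[] = {Variant::DomainOnly, Variant::AnyAuthenticated,
                                Variant::AuthenticatedEmptySender};
    const char* labels[] = {"domain only", "any authenticated", "authenticated, empty sender"};
    for (const std::string& from : {std::string(""), std::string("someone@elsewhere.example")})
        for (int i = 0; i < 3; ++i)
            std::cout << "MAIL FROM:<" << from << "> [" << labels[i] << "] -> "
                      << (deliveryAllowed(makeSession(true, from), kNoRelay,
                                          "info@remote.example", variants[i]) ? "250" : "550")
                      << "\n";
    return 0;
}
```

Only the middle variant accepts an authenticated session whose sender is a non-local address, which is the bypass of the external-to-external restriction the post describes.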

Post by RvdH » 2022-06-16 08:38

Reviewed this, with the current code this:

Code: Select all

[Settings]
AuthUserIsLocal=1

Means that an authenticated user is always considered local even if "delivery of external to external e-mail addresses is disallowed/unchecked" for that IP or IP Range, which effectively means that "delivery of external to external e-mail" is allowed, but only when authenticated

So basically it does as the AuthUserIsLocal INI setting kinda says, and by doing this it also is a workaround for the Outlook 2016/2019/2021 read-receipt bug behavior that sets the FromAddress as "<>"

Post by RvdH » 2022-06-16 09:24

To achieve what i proposed here, you can do this by script, eg:

Code: Select all

Sub OnSMTPData(oClient, oMessage)

	Dim strRegEx : strRegEx = "^(.+\@.+)$"

	If (oClient.Authenticated) Then
		' Outlook 2016/2019/2021 Read Receipt Fix
		If (oMessage.FromAddress <> "" And Lookup(strRegEx, oMessage.FromAddress)) Then
			If LCase(oClient.Username) <> LCase(oMessage.FromAddress) Then
				Dim obBaseApp
				Set obBaseApp = CreateObject("hMailServer.Application")
				Call obBaseApp.Authenticate(HMUSER, HMPASSWORD)
				 
				Dim StrClientDomain, StrFromDomain, StrFromAddress
				StrClientDomain = Split(oClient.Username,"@")(1) 
				StrFromDomain = Split(oMessage.FromAddress,"@")(1)
				 
				Dim obDomain 
				Set obDomain = obBaseApp.Domains.ItemByName(StrClientDomain) 
				 
				Dim obAliases
				Dim obAlias		
				Dim AliasFound : AliasFound = False
				Dim i
				 
				If LCase(StrClientDomain) <> LCase(StrFromDomain) Then
					Set obAliases = obDomain.DomainAliases
					For i = 0 To (obAliases.Count - 1)
						Set obAlias = obAliases.Item(i)
						If LCase(obAlias.AliasName) = LCase(StrFromDomain) Then
							AliasFound = True
							Exit For
						End If
					Next
					If AliasFound Then
						StrFromAddress = Split(oMessage.FromAddress,"@")(0) + "@" + StrClientDomain 
					End If
				Else
					StrFromAddress = oMessage.FromAddress
					AliasFound = True
				End If
				 
				If LCase(oClient.Username) <> LCase(StrFromAddress) Then
					If AliasFound Then
						Set obAliases = obDomain.Aliases
						AliasFound = False
						For i = 0 To (obAliases.Count - 1)
							Set obAlias = obAliases.Item(i)
							If (obAlias.Active) And (LCase(obAlias.Name) = LCase(StrFromAddress)) And (LCase(obAlias.Value) = LCase(oClient.UserName)) Then
								AliasFound = True
								Exit For
							End If
						Next
					End If
					 
					If Not AliasFound Then
						Result.Value = 2
						Result.Message = "BLOCKED: You are only allowed to send from your own account or any of its aliases."
						EventLog.Write("BLOCKED: Message from authenticated user: " & oClient.Username & " blocked because FROM address: " & oMessage.FromAddress & " not is a authenticated user or alias , eg: " & oClient.Username)
					End If
				End If
				Set obAlias = Nothing
				Set obAliases = Nothing
				Set obDomain = Nothing
				Set obBaseApp = Nothing			
			End If
		End if
	End If
End Sub

Function Lookup(strRegEx, strMatch)
	If strRegEx = "" Then Exit Function
	With CreateObject("VBScript.RegExp")
		.Global = False
		.Pattern = strRegEx
		.IgnoreCase = True
		Lookup = .Test(strMatch)
	End With
End Function

Post by RvdH » 2022-06-16 13:56

Thinking about ditching the AuthUserIsLocal=1 setting, it really makes not much sense

If I remember right, at the time I had External to External disabled, and created that workaround, since then I re-enabled External to External so that workaround is no longer needed and together with a script like the one above should be sufficient

External to External is enabled by default, so it is a bit weird to have a workaround for a non-standard setting, not?

Post by mattg » 2022-06-16 23:54

RvdH wrote:
2022-06-16 13:56
External to External is enabled by default, so it is a bit weird to have a workaround for non standard setting, not?
yep

Post by RvdH » 2022-06-17 00:02

mattg wrote:
2022-06-16 23:54
RvdH wrote:
2022-06-16 13:56
External to External is enabled by default, so it is a bit weird to have a workaround for non standard setting, not?
yep
https://github.com/RvdHout/hmailserver/ ... 0b805086ff :wink: