-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 12:47
I have noticed something weird in my logs...
It seems to be a read receipt, hence the empty sender address (MAIL FROM: <>)
Code:
"SMTPD" 7252 108816 "2017-06-20 11:37:34.180" "[remote ipaddress]" "SENT: 220 mail.mailserver.com ESMTP"
"SMTPD" 7460 108816 "2017-06-20 11:37:34.211" "[remote ipaddress]" "RECEIVED: EHLO DELL-LAPTOP"
"SMTPD" 7460 108816 "2017-06-20 11:37:34.260" "[remote ipaddress]" "SENT: 250-mail.mailserver.com [nl]250-SIZE 40960000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 7252 108816 "2017-06-20 11:37:34.292" "[remote ipaddress]" "RECEIVED: AUTH LOGIN"
"SMTPD" 7252 108816 "2017-06-20 11:37:34.292" "[remote ipaddress]" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 7460 108816 "2017-06-20 11:37:34.323" "[remote ipaddress]" "RECEIVED: [USERNAME]
"SMTPD" 7460 108816 "2017-06-20 11:37:34.323" "[remote ipaddress]" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 6416 108816 "2017-06-20 11:37:34.354" "[remote ipaddress]" "RECEIVED: [PASSWORD]
"SMTPD" 6416 108816 "2017-06-20 11:37:34.370" "[remote ipaddress]" "SENT: 235 authenticated."
"SMTPD" 7252 108816 "2017-06-20 11:37:34.416" "[remote ipaddress]" "RECEIVED: MAIL FROM: <>"
"SMTPD" 7252 108816 "2017-06-20 11:37:34.432" "[remote ipaddress]" "SENT: 250 OK"
"SMTPD" 6416 108816 "2017-06-20 11:37:34.463" "[remote ipaddress]" "RECEIVED: RCPT TO: <info@remoteaddress.com>"
"SMTPD" 6416 108816 "2017-06-20 11:37:34.463" "[remote ipaddress]" "SENT: 550 Delivery is not allowed to this address."
"SMTPD" 7460 108816 "2017-06-20 11:37:37.006" "[remote ipaddress]" "RECEIVED: QUIT"
"SMTPD" 7460 108816 "2017-06-20 11:37:37.006" "[remote ipaddress]" "SENT: 221 goodbye"
As the user authenticated successfully I assumed this would be treated as being a "local" address
Anyone have an idea what the problem can be?
Note: 'Allow empty sender address' is checked in SMTP protocol settings
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
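Sessions like the one logged in the post above can be picked out of a larger log mechanically. The following is an added example (not part of the original post and not hMailServer code) that scans SMTPD log lines in the format quoted above and reports authenticated sessions whose null-sender message drew a 550 on RCPT TO. The sample log lines, addresses and the names `findRejectedReceipts`, `SessionState` and `Finding` are constructed for illustration.

```cpp
// Added example, not hMailServer code. All names here are hypothetical.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct SessionState {
    bool authenticated = false;  // server sent "235"
    bool nullSender = false;     // last MAIL FROM was <>
    std::string pendingRcpt;     // RCPT TO still waiting for the server's reply
};

struct Finding { long session; std::string recipient; };

static bool startsWith(const std::string &s, const std::string &prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// Splits the last log field into direction and text. The earliest marker is
// the one the server wrote; anything after it is client-controlled payload.
static bool splitPayload(const std::string &line, bool &sent, std::string &text) {
    const std::string s = "\"SENT: ", r = "\"RECEIVED: ";
    const auto ps = line.find(s), pr = line.find(r);
    if (ps == std::string::npos && pr == std::string::npos) return false;
    sent = ps < pr;  // npos is the largest value, so the earlier marker wins
    text = line.substr(sent ? ps + s.size() : pr + r.size());
    while (!text.empty() && (text.back() == '"' || text.back() == '\r')) text.pop_back();
    return true;
}

std::vector<Finding> findRejectedReceipts(const std::string &log) {
    std::map<long, SessionState> sessions;
    std::vector<Finding> findings;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string tag, text;
        long thread = 0, session = 0;
        bool sent = false;
        if (!(fields >> tag >> thread >> session) || tag != "\"SMTPD\"") continue;
        if (!splitPayload(line, sent, text)) continue;
        // Thread ids change within one connection; the session id does not.
        SessionState &st = sessions[session];
        if (sent) {
            if (startsWith(text, "235")) st.authenticated = true;
            if (!st.pendingRcpt.empty()) {
                if (startsWith(text, "550") && st.authenticated && st.nullSender)
                    findings.push_back({session, st.pendingRcpt});
                st.pendingRcpt.clear();
            }
            continue;
        }
        std::string cmd = text;  // SMTP verbs are case-insensitive
        std::transform(cmd.begin(), cmd.end(), cmd.begin(),
                       [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
        if (startsWith(cmd, "MAIL FROM:")) {
            st.nullSender = text.find("<>") != std::string::npos;
        } else if (startsWith(cmd, "RCPT TO:")) {
            const auto a = text.find('<'), b = text.find('>');
            st.pendingRcpt = (a != std::string::npos && b != std::string::npos && b > a)
                                 ? text.substr(a + 1, b - a - 1) : text.substr(8);
        }
    }
    return findings;
}

// Constructed sample: two interleaved sessions, only 2001 authenticates.
static const char *kSampleLog = R"LOG(
"SMTPD" 6416 2001 "2017-06-20 11:37:34.370" "192.0.2.10" "SENT: 235 authenticated."
"SMTPD" 7460 2002 "2017-06-20 11:37:34.380" "198.51.100.7" "RECEIVED: MAIL FROM: <>"
"SMTPD" 7460 2002 "2017-06-20 11:37:34.390" "198.51.100.7" "SENT: 250 OK"
"SMTPD" 7252 2001 "2017-06-20 11:37:34.416" "192.0.2.10" "RECEIVED: MAIL FROM: <>"
"SMTPD" 7252 2001 "2017-06-20 11:37:34.432" "192.0.2.10" "SENT: 250 OK"
"SMTPD" 6416 2002 "2017-06-20 11:37:34.440" "198.51.100.7" "RECEIVED: RCPT TO: <someone@elsewhere.example>"
"SMTPD" 6416 2002 "2017-06-20 11:37:34.441" "198.51.100.7" "SENT: 550 Delivery is not allowed to this address."
"SMTPD" 6416 2001 "2017-06-20 11:37:34.463" "192.0.2.10" "RECEIVED: RCPT TO: <info@remoteaddress.example>"
"SMTPD" 6416 2001 "2017-06-20 11:37:34.463" "192.0.2.10" "SENT: 550 Delivery is not allowed to this address."
)LOG";

int main() {
    for (const Finding &f : findRejectedReceipts(kSampleLog))
        std::cout << "session " << f.session << ": authenticated null-sender mail to "
                  << f.recipient << " was rejected\n";
}
```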
-
jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Post
by jimimaseye » 2017-06-20 13:02
I think it is right.
The absence of the FROM address means there is not a match to a local domain and therefore this is being seen as an EXTERNAL to EXTERNAL delivery. I wouldn't expect being authenticated as making any difference except in whether you 'Allow Ext to Ext With Authentication'. (Authentication taking place only really determines whether you are trusted or not and therefore exempts you from Spam checking).
One could argue that authenticating should then assume an empty FROM is a local domain but then you could argue "what if it isn't?" - it would then be wrong to make such an assumption.
I presume if you have DEFAULT DOMAIN set then it wouldn't happen. Does it?
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 13:06
jimimaseye wrote: I think it is right.
The absence of the FROM address means there is not a match to a local domain and therefore this is being seen as an EXTERNAL to EXTERNAL delivery. I wouldn't expect being authenticated as making any difference except in whether you 'Allow Ext to Ext With Authentication'. (Authentication taking place only really determines whether you are trusted or not and therefore exempts you from Spam checking).
One could argue that authenticating should then assume an empty FROM is a local domain but then you could argue "what if it isn't?" - it would then be wrong to make such an assumption.
this post says otherwise
jimimaseye wrote:
I presume if you have DEFAULT DOMAIN set then it wouldn't happen. Does it?
No idea...will have to try that
-
jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Post
by jimimaseye » 2017-06-20 13:19
RvdH wrote: jimimaseye wrote: I think it is right.
The absence of the FROM address means there is not a match to a local domain and therefore this is being seen as an EXTERNAL to EXTERNAL delivery. I wouldn't expect being authenticated as making any difference except in whether you 'Allow Ext to Ext With Authentication'. (Authentication taking place only really determines whether you are trusted or not and therefore exempts you from Spam checking).
One could argue that authenticating should then assume an empty FROM is a local domain but then you could argue "what if it isn't?" - it would then be wrong to make such an assumption.
this post says otherwise
Good spot. So the action does seem to counter the intention according to that post in 2009. Here's a thought though: early versions of HMS didn't refer to LOCAL as by domain. And that is borne out by his comment:
In version 4.x and 5.0, a sender is considered local if he is sending from a local account address OR if he has authenticated.
But now we have it purely based on DOMAIN existence - something that we acknowledge and adhere to every day (as written in the documentation too). In the *old days* there were only 2 or 3 combinations for 'allow deliveries', now there are 4 combinations - a sign that these versions do things differently. My conclusion is that Martin's post (referenced) in 2009 belongs to old functionality and doesn't fit the current methods.
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 13:24
Spot on!
I have been looking in the source, no reference to authentication whatsoever
Code:
/*
    Returns true if
    - the domain-part of the email matches an active local domain.
    - the sender address matches a route address.
*/
bool
SMTPConnection::GetIsLocalSender_()
{
    if (sender_domain_ && sender_domain_->GetIsActive())
        return true;

    const String senderAddress = current_message_->GetFromAddress();
    String senderDomainName = StringParser::ExtractDomain(senderAddress);
    std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

    if (route)
    {
        if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
        {
            if (route->GetTreatSenderAsLocalDomain())
                return true;
        }
    }

    // Does not match a local domain or route.
    return false;
}
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 13:26
So basically my only option is to enable external to external deliveries for the internet ip-range (with authentication only!)?
That doesn't sound right, does it?
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
-
jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Post
by jimimaseye » 2017-06-20 13:30
Reckon so. Or don't have blank FROMs if possible. (Can't you do "donotreply@localdomain" instead?) Although technically not against the rules or wrong, blank FROMs are not that common and are frowned upon by some systems. (Even HMS has the option to allow them or not).
Or a script that looks for these mails and changes/reconfigures the outgoing email accordingly? (Hard work though).
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 13:35
The blank FROM addresses are caused by Outlook, not much I can do about that I guess
Maybe I should 'fix' the code
Code:
/*
    Returns true if
    - the domain-part of the email matches an active local domain.
    - the sender address matches a route address.
    - the sender is authenticated
*/
bool
SMTPConnection::GetIsLocalSender_()
{
    if (isAuthenticated_)
        return true;

    if (sender_domain_ && sender_domain_->GetIsActive())
        return true;

    const String senderAddress = current_message_->GetFromAddress();
    String senderDomainName = StringParser::ExtractDomain(senderAddress);
    std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

    if (route)
    {
        if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
        {
            if (route->GetTreatSenderAsLocalDomain())
                return true;
        }
    }

    // Does not match a local domain or route.
    return false;
}
-
jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Post
by jimimaseye » 2017-06-20 13:46
What would the FROMADDRESS be? If the receiving server doesn't like blank FROM addresses and it bounces/rejects, then who will get the NDR? mailer_daemon@theauthenticationdomain ?
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 13:55
I just did a test here, Outlook 2013....the read receipt is sent with FROM address ....what the hell?
-
jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Post
by jimimaseye » 2017-06-20 13:58
Google it and you will see LOADS of entries moaning about blanks in Outlook 2016.
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 14:06
God damn, typically Microsoft
-
mattg
- Moderator
- Posts: 22435
- Joined: 2007-06-14 05:12
- Location: 'The Outback' Australia
Post
by mattg » 2017-06-20 14:07
FWIW I have allow external to external with Auth on my internet IP range, and have always done that, but then I have a script that says that FROM must equal the Authenticated account
There is also a SMTP >> RFC setting about 'allow empty sender address'
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 14:10
Can a script help here? I mean to fix Outlook 2016's behaviour...
Something like...
Code:
OnSMTPData
    If oClient.Username <> "" And Message.FromAddress = "" Then
        ' ... add FromAddress header with value from oClient.Username
    End If
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 15:03
mattg wrote:FWIW I have allow external to external with Auth on my internet IP range, and have always done that, but then I have a script that says that FROM must equal the Authenticated account
There is also a SMTP >> RFC setting about 'allow empty sender address'
me too for the script part, i use this one:
viewtopic.php?t=25938
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-20 22:27
This code seems to be working, any interest in a pull request for this functionality?
Code:
/*
    Returns true if
    - the domain-part of the email matches an active local domain.
    - the sender address matches a route address.
    - the sender is authenticated and the domain-part of the username matches an active local domain and no default domain is set
*/
bool
SMTPConnection::GetIsLocalSender_()
{
    String sDefaultDomain = Configuration::Instance()->GetDefaultDomain();
    if (sDefaultDomain.IsEmpty())
    {
        auth_domain_ = CacheContainer::Instance()->GetDomain(StringParser::ExtractDomain(username_));
        if (isAuthenticated_ && auth_domain_ && auth_domain_->GetIsActive())
            return true;
    }

    if (sender_domain_ && sender_domain_->GetIsActive())
        return true;

    const String senderAddress = current_message_->GetFromAddress();
    String senderDomainName = StringParser::ExtractDomain(senderAddress);
    std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

    if (route)
    {
        if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
        {
            if (route->GetTreatSenderAsLocalDomain())
                return true;
        }
    }

    // Does not match a local domain or route.
    return false;
}
Although it could be as simple as this as the domain has to be active to be able to authenticate
Code:
/*
    Returns true if
    - the domain-part of the email matches an active local domain.
    - the sender address matches a route address.
    - the sender is authenticated and no default domain is set
*/
bool
SMTPConnection::GetIsLocalSender_()
{
    String sDefaultDomain = Configuration::Instance()->GetDefaultDomain();
    if (sDefaultDomain.IsEmpty() && isAuthenticated_)
        return true;

    if (sender_domain_ && sender_domain_->GetIsActive())
        return true;

    const String senderAddress = current_message_->GetFromAddress();
    String senderDomainName = StringParser::ExtractDomain(senderAddress);
    std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

    if (route)
    {
        if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
        {
            if (route->GetTreatSenderAsLocalDomain())
                return true;
        }
    }

    // Does not match a local domain or route.
    return false;
}
-
mattg
- Moderator
- Posts: 22435
- Joined: 2007-06-14 05:12
- Location: 'The Outback' Australia
Post
by mattg » 2017-06-20 23:57
Perhaps allowed by IP range for security purposes
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-06-21 08:42
mattg wrote:Perhaps allowed by IP range for security purposes
That is a bit tricky, as I have no control on who of our clients is using Outlook 2016 (quite a few after inspecting the logs)
It could be an ini setting though, eg:
Code:
String sDefaultDomain = Configuration::Instance()->GetDefaultDomain();
if (IniFileSettings::Instance()->GetAuthUserIsLocal() && sDefaultDomain.IsEmpty() && isAuthenticated_)
    return true;
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2017-07-04 10:07
I finally took the time to set up a VM to test this behavior with Office 2016, these are the headers of such a read receipt:
Code:
Return-Path:
Delivered-To: ruud@domainname.nl
Received: from VM (domainname.nl [IPADDRESS])
    by mailserver with ESMTPSA
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
    ; Tue, 4 Jul 2017 01:52:26 +0200
X-AuthUser: test@domainname.nl
From: "Test" <test@domainname.nl>
To: "Ruud" <ruud@domainname.nl>
In-Reply-To: <!&!AAAAAAAAAAAYAAAAAAAAAIOCMpPt0C5Dt51z6h2ej6jCgAAAEAAAAEOa6LbvhRdOqWY6Ez+R5EUBAAAAAA==@domainname.nl>
Subject: Gelezen: test (Gelezen = Read translated in English)
Date: Tue, 4 Jul 2017 01:52:21 +0200
Message-ID: <002401d2e9fe$bba874b0$32f95e10$@domainname.nl>
MIME-Version: 1.0
Content-Type: multipart/report;
    report-type=disposition-notification;
    boundary="----=_NextPart_000_0025_01D2EA0F.7F3144B0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQG2hQXtQCJgCKkX1fR7WmxXU6IBSaJm8v78
As the Return-Path is blank it is more than likely the oMessage.FromAddress value is empty on such a read receipt, eg: that's why it is failing
-
CraigT
- New user
- Posts: 17
- Joined: 2010-08-12 10:06
- Location: Adelaide, Australia
Post
by CraigT » 2021-06-03 10:13
Hi all...
So what was the outcome of this? I have users on Office365 trying to send read-receipts that are being dropped with the SENT 550. They are on RvdH's B2555 version. Is there a script or rule that can fix the problem?
Thanks Guys.
-
mattg
- Moderator
- Posts: 22435
- Joined: 2007-06-14 05:12
- Location: 'The Outback' Australia
Post
by mattg » 2021-06-04 00:05
don't know about the B2555 version
This is the latest RvdH build >>
viewtopic.php?p=228140#p228140
#9 Treat authenticated users as localsender if the sender is authenticated and AuthUserIsLocal=1 INI setting Office 2016/2019 Bug
-
SorenR
- Senior user
- Posts: 6308
- Joined: 2006-08-21 15:38
- Location: Denmark
Post
by SorenR » 2021-06-04 07:17
IIRC B2538 and B2555 is codewise the same. Martin made some changes to systems testing thus the difference in version numbering.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
-
CraigT
- New user
- Posts: 17
- Joined: 2010-08-12 10:06
- Location: Adelaide, Australia
Post
by CraigT » 2021-06-04 07:57
Thanks Mattg.....that INI setting I assume you refer to hmailserver.ini?
-
jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Post
by jimimaseye » 2021-06-04 09:06
CraigT wrote: ↑2021-06-04 07:57
Thanks Mattg.....that INI setting I assume you refer to hmailserver.ini?
Yes under a section
[Entered by mobile. Excuse my spelling.]
-
CraigT
- New user
- Posts: 17
- Joined: 2010-08-12 10:06
- Location: Adelaide, Australia
Post
by CraigT » 2021-06-04 09:20
Thanks.
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2022-06-16 00:17
For anyone that is interested, this code has changed since but was never posted here, and now reads like:
Code:
/*
    Returns true if
    - the domain-part of the email matches an active local domain.
    - the sender address matches a route address.
    - the sender is authenticated, AuthUserIsLocal=1 INI setting and allow empty sender address is true
*/
bool
SMTPConnection::GetIsLocalSender_()
{
    // Workaround for Outlook bug that sends a read-receipt without FromAddress when delivery from external to external e-mail addresses is disallowed
    // the sender is authenticated and AuthUserIsLocal=1 INI setting and RFC compliance: allow empty sender address is checked
    if (IniFileSettings::Instance()->GetAuthUserIsLocal() && isAuthenticated_ && CheckIfValidSenderAddress(current_message_->GetFromAddress()))
        return true;

    if (sender_domain_ && sender_domain_->GetIsActive())
        return true;

    const String senderAddress = current_message_->GetFromAddress();
    String senderDomainName = StringParser::ExtractDomain(senderAddress);
    std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

    if (route)
    {
        if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
        {
            if (route->GetTreatSenderAsLocalDomain())
                return true;
        }
    }

    // Does not match a local domain or route.
    return false;
}
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2022-06-16 01:15
Now I look at this once again this doesn't seem right, as CheckIfValidSenderAddress() also returns true if the senderAddress is not empty and valid, and therefore would accept all authenticated mail as being local which might be a security risk as it bypasses the check if delivery from external to external e-mail addresses is disallowed, not?
True, I also have a script in place that checks if the authenticated user is the same as the sender (if not empty) but maybe, as this is solely created for the Outlook 2016/2019(/2021?) read-receipt bug, it's better to also check if the senderAddress is empty.
Code:
bool
SMTPConnection::CheckIfValidSenderAddress(const String &sFromAddress)
{
    if (sFromAddress.IsEmpty())
    {
        // The user is trying to send an e-mail without
        // specifying an email address. Should we allow this?
        if (!smtpconf_->GetAllowMailFromNull())
        {
            // Nope, we shouldn't... We send the below text even
            // though RFC 822 tells us not to...
            SendErrorResponse_(550, "Sender address must be specified.");
            return false;
        }
    }
    else
    {
        if (!StringParser::IsValidEmailAddress(sFromAddress))
        {
            // The address is not valid...
            SendErrorResponse_(550, "The address is not valid.");
            return false;
        }
    }

    return true;
}
Code:
/*
    Returns true if
    - the domain-part of the email matches an active local domain.
    - the sender address matches a route address.
    - the sender address is empty, the sender is authenticated, AuthUserIsLocal=1 INI setting and RFC compliance: allow empty sender address is checked
*/
bool
SMTPConnection::GetIsLocalSender_()
{
    const String senderAddress = current_message_->GetFromAddress();

    // Workaround for Outlook 2016/2019/2021 bug that sends a read-receipt without FromAddress when delivery from external to external e-mail addresses is disallowed
    if (IniFileSettings::Instance()->GetAuthUserIsLocal() && isAuthenticated_ && senderAddress.IsEmpty() && CheckIfValidSenderAddress(senderAddress))
        return true;

    if (sender_domain_ && sender_domain_->GetIsActive())
        return true;

    String senderDomainName = StringParser::ExtractDomain(senderAddress);
    std::shared_ptr<Route> route = Configuration::Instance()->GetSMTPConfiguration()->GetRoutes()->GetItemByNameWithWildcardMatch(senderDomainName);

    if (route)
    {
        if (route->ToAllAddresses() || route->GetAddresses()->GetItemByName(senderAddress))
        {
            if (route->GetTreatSenderAsLocalDomain())
                return true;
        }
    }

    // Does not match a local domain or route.
    return false;
}
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
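The difference between the variants of GetIsLocalSender_() posted in this thread shows up when they are run side by side on the same RCPT decision. The following is an added, stand-alone model (not hMailServer source and not code from the posts above); the `Config`, `Session` and `Variant` types and every function name are hypothetical, routes are left out, and all delivery options other than external-to-external are assumed to be allowed.

```cpp
// Added illustration: simplified model of the checks discussed in the thread.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

struct Config {
    bool authUserIsLocal;          // models AuthUserIsLocal=1
    bool allowEmptySender;         // models 'Allow empty sender address'
    bool allowExternalToExternal;  // models the IP range delivery option
    std::vector<std::string> localDomains;
};

struct Session {
    bool authenticated;
    std::string mailFrom;          // "" models MAIL FROM: <>
    std::string rcptTo;
};

enum class Variant { DomainOnly, AuthAnySender, AuthEmptySenderOnly };

static std::string domainOf(const std::string &addr) {
    const auto at = addr.rfind('@');
    std::string d = (at == std::string::npos) ? "" : addr.substr(at + 1);
    std::transform(d.begin(), d.end(), d.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return d;
}

static bool isLocalDomain(const Config &cfg, const std::string &addr) {
    const std::string d = domainOf(addr);
    return !d.empty() &&
           std::find(cfg.localDomains.begin(), cfg.localDomains.end(), d) != cfg.localDomains.end();
}

// Stand-in for CheckIfValidSenderAddress(): an empty sender is valid only when
// allowed; a non-empty one only needs a domain part here. No 550 side effect.
static bool senderValid(const Config &cfg, const std::string &from) {
    return from.empty() ? cfg.allowEmptySender : !domainOf(from).empty();
}

bool isLocalSender(Variant v, const Config &cfg, const Session &s) {
    const bool authShortcut =
        cfg.authUserIsLocal && s.authenticated && senderValid(cfg, s.mailFrom);
    if (v == Variant::AuthAnySender && authShortcut) return true;
    if (v == Variant::AuthEmptySenderOnly && authShortcut && s.mailFrom.empty()) return true;
    return isLocalDomain(cfg, s.mailFrom);  // domain check; routes omitted
}

// true models "250 OK", false models "550 Delivery is not allowed to this address."
bool rcptAccepted(Variant v, const Config &cfg, const Session &s) {
    if (isLocalSender(v, cfg, s) || isLocalDomain(cfg, s.rcptTo)) return true;
    return cfg.allowExternalToExternal;
}

int main() {
    // Constructed inputs: one local domain, external-to-external disabled.
    const Config cfg{true, true, false, {"domainname.nl"}};
    const Session receipt{true, "", "info@remoteaddress.example"};
    const Session other{true, "someone@elsewhere.example", "info@remoteaddress.example"};
    const Variant all[] = {Variant::DomainOnly, Variant::AuthAnySender,
                           Variant::AuthEmptySenderOnly};
    for (Variant v : all)
        std::cout << "variant " << static_cast<int>(v)
                  << "  empty sender: " << rcptAccepted(v, cfg, receipt)
                  << "  non-local sender: " << rcptAccepted(v, cfg, other) << "\n";
}
```

Only the variant that also requires an empty sender keeps refusing an authenticated client that names a non-local sender and a non-local recipient.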
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2022-06-16 08:38
Reviewed this, with the current code this:
Means that an authenticated user is always considered local even if "delivery of external to external e-mail addresses is disallowed/unchecked" for that IP or IP Range, which effectively means that "delivery of external to external e-mail" is allowed, but only when authenticated
So basically it does as the AuthUserIsLocal INI setting kinda says, and by doing this it also is a workaround for the Outlook 2016/2019/2021 read-receipt bug behavior that sets the FromAddress as "<>"
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2022-06-16 09:24
To achieve what I proposed here, you can do this by script, eg:
Code:
Sub OnSMTPData(oClient, oMessage)
    Dim strRegEx : strRegEx = "^(.+\@.+)$"
    If (oClient.Authenticated) Then
        ' Outlook 2016/2019/2021 Read Receipt Fix
        ' (an empty FromAddress skips the sender check below)
        If (oMessage.FromAddress <> "" And Lookup(strRegEx, oMessage.FromAddress)) Then
            If LCase(oClient.Username) <> LCase(oMessage.FromAddress) Then
                Dim obBaseApp
                Set obBaseApp = CreateObject("hMailServer.Application")
                Call obBaseApp.Authenticate(HMUSER, HMPASSWORD)
                Dim StrClientDomain, StrFromDomain, StrFromAddress
                StrClientDomain = Split(oClient.Username,"@")(1)
                StrFromDomain = Split(oMessage.FromAddress,"@")(1)
                Dim obDomain
                Set obDomain = obBaseApp.Domains.ItemByName(StrClientDomain)
                Dim obAliases
                Dim obAlias
                Dim AliasFound : AliasFound = False
                Dim i
                ' Map a FROM on a domain alias back to the account's own domain
                If LCase(StrClientDomain) <> LCase(StrFromDomain) Then
                    Set obAliases = obDomain.DomainAliases
                    For i = 0 To (obAliases.Count - 1)
                        Set obAlias = obAliases.Item(i)
                        If LCase(obAlias.AliasName) = LCase(StrFromDomain) Then
                            AliasFound = True
                            Exit For
                        End If
                    Next
                    If AliasFound Then
                        StrFromAddress = Split(oMessage.FromAddress,"@")(0) + "@" + StrClientDomain
                    End If
                Else
                    StrFromAddress = oMessage.FromAddress
                    AliasFound = True
                End If
                ' Accept the FROM only if it is an active alias of the authenticated account
                If LCase(oClient.Username) <> LCase(StrFromAddress) Then
                    If AliasFound Then
                        Set obAliases = obDomain.Aliases
                        AliasFound = False
                        For i = 0 To (obAliases.Count - 1)
                            Set obAlias = obAliases.Item(i)
                            If (obAlias.Active) And (LCase(obAlias.Name) = LCase(StrFromAddress)) And (LCase(obAlias.Value) = LCase(oClient.UserName)) Then
                                AliasFound = True
                                Exit For
                            End If
                        Next
                    End If
                    If Not AliasFound Then
                        Result.Value = 2
                        Result.Message = "BLOCKED: You are only allowed to send from your own account or any of its aliases."
                        EventLog.Write("BLOCKED: Message from authenticated user: " & oClient.Username & " blocked because FROM address: " & oMessage.FromAddress & " not is a authenticated user or alias , eg: " & oClient.Username)
                    End If
                End If
                Set obAlias = Nothing
                Set obAliases = Nothing
                Set obDomain = Nothing
                Set obBaseApp = Nothing
            End If
        End If
    End If
End Sub

Function Lookup(strRegEx, strMatch)
    If strRegEx = "" Then Exit Function
    With CreateObject("VBScript.RegExp")
        .Global = False
        .Pattern = strRegEx
        .IgnoreCase = True
        Lookup = .Test(strMatch)
    End With
End Function
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2022-06-16 13:56
Thinking about ditching the AuthUserIsLocal=1 setting, it really makes not much sense
If i remember right at the time i had External to External disabled, and created that workaround, since then i re-enabled External to External so that workaround is no longer needed and together with a script like the one above should be sufficient
External to External is enabled by default, so it is a bit weird to have a workaround for non standard setting, not?
-
mattg
- Moderator
- Posts: 22435
- Joined: 2007-06-14 05:12
- Location: 'The Outback' Australia
Post
by mattg » 2022-06-16 23:54
RvdH wrote: ↑2022-06-16 13:56
External to External is enabled by default, so it is a bit weird to have a workaround for non standard setting, not?
yep
-
RvdH
- Senior user
- Posts: 3231
- Joined: 2008-06-27 14:42
- Location: The Netherlands
Post
by RvdH » 2022-06-17 00:02
mattg wrote: ↑2022-06-16 23:54
RvdH wrote: ↑2022-06-16 13:56
External to External is enabled by default, so it is a bit weird to have a workaround for non standard setting, not?
yep
https://github.com/RvdHout/hmailserver/ ... 0b805086ff