sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0

Empty SMTP FROM for successful delivery notification message #1843

Closed paulmenzel closed 1 month ago

paulmenzel commented 1 month ago

Using Debian 12 (stable/bookworm) with sympa 6.2.70~dfsg-2 and exim4-daemon-heavy 4.96-15+deb12u4, a non-subscriber with a Google Mail (gmail) address sent a message that got moderated. After accepting the message, a delivery confirmation message was to be sent, but it got stuck in the queue, because Exim tries to send it with an empty envelope from:

Incoming message:

Received: from mail-yw1-x1146.google.com ([2607:f8b0:4864:20::1146]:47471)
    by mail.gw90.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.96)
    (envelope-from <3YRZPZgoJBgQvmwglywxD4kqemp.gsqmrxivrzsgerxevi.hi@trix.bounces.google.com>)
    id 1sA5QI-00GjwC-2P
    for mylist@vocantare.de;
    Thu, 23 May 2024 9:00:00 +0000

The notification message about the moderation (Nachrichtenverteilung) is then successfully sent:

2024-05-23 9:00:10.652 [3989855] 1sA5QM-00GjwQ-2c => ab@gmail.com F=<mylist-owner@vocantare.de> P=<mylist-owner@vocantare.de> R=dnslookup T=remote_smtp S=658 H=gmail-smtp-in.l.google.com [2a00:1450:4013:c1a::1b]:25 I=[2a01:4f8:200:641c::d0d0:c0de]:54588 TFO X=TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__AES_256_GCM:256 CV=yes DN="CN=mx.google.com" L K C="250 2.0.0 OK <somehash> - gsmtp" QT=0.836s DT=0.675s

But the message about the successful delivery does not have the F= field set, and therefore Google Mail rejects it:

2024-05-23 10:00:00.000 [3991450] 1sA5sL-00GkMC-2O ** ab@gmail.com F=<> P=<> R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [2a00:1450:4013:c1a::1a]:25 I=[2a01:4f8:200:641c::d0d0:c0de]:59848 X=TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__AES_256_GCM:256 CV=yes DN="CN=mx.google.com": SMTP error from remote mail server after end of data: 550-5.7.26 Your email has been blocked because the sender is unauthenticated.\n550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.\n550-5.7.26\n550-5.7.26  Authentication results:\n550-5.7.26  DKIM = did not pass\n550-5.7.26  SPF [] with ip: [2a01:4f8:200:641c::d0d0:c0de] = did not pass\n550-5.7.26\n550-5.7.26  For instructions on setting up authentication, go to\n550 5.7.26  https://support.google.com/mail/answer/81126#authentication a640c23a62f3a-a5a17b20fdcsi1619192466b.431 - gsmtp DT=0.458s

ikedas commented 1 month ago

The rejection message by recipient (gmail.com) is:

550-5.7.26 Your email has been blocked because the sender is unauthenticated.
550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
550-5.7.26
550-5.7.26  Authentication results:
550-5.7.26  DKIM = did not pass
550-5.7.26  SPF [] with ip: [2a01:4f8:200:641c::d0d0:c0de] = did not pass
550-5.7.26
550-5.7.26  For instructions on setting up authentication, go to
550 5.7.26  https://support.google.com/mail/answer/81126#authentication a640c23a62f3a-a5a17b20fdcsi1619192466b.431 - gsmtp DT=0.458s

Follow the link above and read the description by Google. They require authentication at least by either SPF or DKIM, or both. However, your site provides neither.

Your options are either:

paulmenzel commented 1 month ago

@ikedas, thank you for looking into this. That was my first thought too, but then I wondered why all the other messages pass. If envelope-from is empty, then whose SPF record should be checked? That is the problem in my opinion. This is substantiated by looking at other rejection messages:

SPF [jjworldtrade.com] with ip: …

So Google Mail tells the domain, for which the SPF record is missing. In my case it’s the empty string.

paulmenzel commented 1 month ago

And for the record, SPF records are set up:

$ dig txt vocantare.de +short | grep spf
"v=spf1 mx ~all"
$ dig mx vocantare.de +short
10 mail.gw90.de.

ikedas commented 1 month ago

No, please read my explanation and description on open-spf.org carefully.

An SPF record should be set up for the SMTP HELO/EHLO host. The expected result is:

$ dig txt mail.gw90.de +short
"v=spf1 (...appropriate SPF specifications...) ~all"

paulmenzel commented 1 month ago

Please explain the Google Mail error message (empty []) and the Exim logs, why envelope sender is not set.

ikedas commented 1 month ago

The envelope sender of a DSN is empty because it must be empty. RFC 3464 says: Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a NULL return address, i.e., "MAIL FROM:<>". Sympa merely conforms to this. Moreover, your Exim also sets the envelope sender to null when it originates a DSN: please check the logs.

RFC 7208 says: In this [Delivery Status Notification] case, the only entity available for performing an SPF check is the "HELO" identity.

That's why you should set up an SPF record for the SMTP HELO/EHLO host name as well, not only for the email domain name.
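The identity selection ikedas describes in the two comments above (RFC 7208: with an empty MAIL FROM, only the HELO identity can be checked, so the HELO host needs its own SPF record) can be walked through in code. The following is an added example, not Sympa or Exim code. It models a minimal SPF evaluator over a constructed in-memory DNS table that mirrors the records shown in this thread ("v=spf1 mx ~all" at vocantare.de, "v=spf1 a -all" added at mail.gw90.de); the client IPs and the zone contents are assumptions for illustration, and only the `a`, `mx`, `ip4`, `ip6` and `all` mechanisms are implemented.

```python
"""Added example: which SPF identity is checked for a DSN with MAIL FROM:<>,
and why adding an SPF record at the HELO/EHLO host name resolves it.

Not Sympa or Exim code. DNS data and client addresses below are constructed
for the example; they mirror the records quoted in the thread.
"""
import ipaddress

# Constructed zone data, keyed by (name, record type). Before the fix in the
# thread, mail.gw90.de (the HELO host) had no TXT/SPF record at all.
DNS = {
    ("vocantare.de", "TXT"): ["v=spf1 mx ~all"],
    ("vocantare.de", "MX"): ["mail.gw90.de"],
    ("mail.gw90.de", "AAAA"): ["2a01:4f8:200:641c::d0d0:c0de"],
}

# Zone after the fix described in the thread: an SPF record on the HELO host.
DNS_AFTER_FIX = {**DNS, ("mail.gw90.de", "TXT"): ["v=spf1 a -all"]}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_identity(mail_from: str, helo: str) -> tuple[str, str]:
    """Pick the identity to check (RFC 7208 section 2.4).

    A DSN carries MAIL FROM:<> (RFC 3464), so there is no MAIL FROM domain;
    the only identity left is the HELO/EHLO host name.
    """
    if mail_from in ("", "<>"):
        return ("helo", helo.lower())
    return ("mailfrom", mail_from.rsplit("@", 1)[-1].lower())


def _addresses(name: str, dns: dict) -> list:
    """A and AAAA records of a name, as ip_address objects."""
    return [ipaddress.ip_address(a)
            for rtype in ("A", "AAAA")
            for a in dns.get((name, rtype), [])]


def check_host(ip: str, domain: str, dns: dict = None) -> str:
    """Toy check_host(): evaluate the SPF record at `domain` for client `ip`."""
    dns = DNS if dns is None else dns
    if domain == "":
        # No domain to look up: nothing can be authenticated.
        return "none"
    client = ipaddress.ip_address(ip)
    records = [r for r in dns.get((domain, "TXT"), []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client in _addresses(arg or domain, dns)
        elif mech == "mx":
            matched = any(client in _addresses(mx, dns)
                          for mx in dns.get((arg or domain, "MX"), []))
        elif mech in ("ip4", "ip6"):
            # Version mismatch simply does not match (ip_network handles it).
            matched = client in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism not implemented in this toy evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term (RFC 7208 4.7)


def authenticate(client_ip: str, helo: str, mail_from: str, dns: dict = None):
    """Return (identity, domain, spf_result) for one SMTP transaction."""
    identity, domain = spf_identity(mail_from, helo)
    return identity, domain, check_host(client_ip, domain, dns)


if __name__ == "__main__":
    host_ip = "2a01:4f8:200:641c::d0d0:c0de"
    # Ordinary list mail: MAIL FROM identity, record at vocantare.de -> pass.
    print(authenticate(host_ip, "mail.gw90.de", "mylist-owner@vocantare.de"))
    # DSN before the fix: HELO identity, no record at mail.gw90.de -> none.
    print(authenticate(host_ip, "mail.gw90.de", "<>"))
    # DSN after the fix: HELO identity, "v=spf1 a -all" at mail.gw90.de -> pass.
    print(authenticate(host_ip, "mail.gw90.de", "<>", DNS_AFTER_FIX))
```

The three calls at the bottom reproduce the thread: the moderation notice passes on the vocantare.de record via the MAIL FROM identity, the DSN with MAIL FROM:<> has no MAIL FROM domain and falls back to the HELO identity, which yields "none" until a record exists at mail.gw90.de, and "pass" once "v=spf1 a -all" is published there. A DSN sent from an address other than the host's A/AAAA address would hit "-all" and fail, which is the intended effect of the strict qualifier.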

paulmenzel commented 1 month ago

Thank you for going into the details. I set this up now, so let’s see if it works next time.

$ host -t txt mail.gw90.de
mail.gw90.de descriptive text "v=spf1 a -all"

Thank you, thank you, again.