zone-eu / zone-mta

📤 Modern outbound MTA cross platform and extendable server application
European Union Public License 1.2

Bounces emails are not sending back from modules #406

Open ravivgolov opened 3 weeks ago

ravivgolov commented 3 weeks ago

Hello,

I just realized that the emails are not bouncing back. What could be causing this issue? The only recent change I made was adding more zones.

Example:

    info SPF 190012ab6f90000e0c SPFCHECK from=raviv@test.com ip=x.x.x.x result=softfail resolution=DROP

The bounces are working for bounces but not for module rejection.

For example, this code should return a bounce and message the sender when the SPF fails:

    if (['none', 'softfail', 'fail'].includes(result?.status?.result)) {
        // SPF was rejected, not enabled or ended with ~all
        let err = new Error(`SPF Rejected: Not allowed to send from ${address.address}`);
        err.name = 'SMTPReject';
        err.responseCode = 550;
        throw err;
    }

I haven't received any message. I just saw the rejection in the console.

ravivgolov commented 3 weeks ago

I have also found that bounces are not fired, even for the default zone, when receiving bounces from Google, for example, on SPF not existing or mailbox not existing. Why is ZoneMTA not sending the bounces?

Example bounce not fired:

    info Sender/default/867[1] id=xugpvq7nvpfql6p4 19001ba5ad80001cdc.001 DEFERRED[other] from=raviv@test.com to=test@gmail.com src=x.x.x.x mx=gmail-smtp-in.l.google.com[142.251.163.26] id=<20240610053828.831267@mail.test.com> (550-5.7.26 Your email has been blocked because the sender is unauthenticated. Gmail requires all senders to authenticate with either SPF or DKIM. Authentication results: DKIM = did not pass SPF [test.com] with ip: [x.x.x.x] = did not pass For instructions on setting up authentication, go to https://support.google.com/mail/answer/81126#authentication d75a77b69052e-44038b5fea6si104501641cf.537 - gsmtp)
    info Sender/default/867[1] id=xugpvq7nvpfql6p4 19001ba5ad80001cdc.001 SMTPCLOSE [whrBXyjHiO0] Connection closed response="550-5.7.26 Your email has been blocked because the sender is unauthenticated.
    info Sender/default/867[1] 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
    info Sender/default/867[1] 550-5.7.26
    info Sender/default/867[1] 550-5.7.26 Authentication results:
    info Sender/default/867[1] 550-5.7.26 DKIM = did not pass
    info Sender/default/867[1] 550-5.7.26 SPF [test.com] with ip: [x.x.x.x] = did not pass
    info Sender/default/867[1] 550-5.7.26
    info Sender/default/867[1] 550-5.7.26 For instructions on setting up authentication, go to
    info Sender/default/867[1] 550 5.7.26 https://support.google.com/mail/answer/81126#authentication d75a77b69052e-44038b5fea6si104501641cf.537 - gsmtp"

.... nothing after that

louis-lau commented 3 weeks ago

> For example, this code should return a bounce and message the sender when the SPF fails

No, it rejects the message during the smtp transaction. The client will get this error directly during message submission.

> I have also found that bounces are not fired, even for the default zone, when receiving bounces from Google

The log says "DEFERRED" there. It didn't bounce. Not sure why, normal behavior for that response is to treat it as a rejection. Unless you modified bounces.txt?

    $ echo "550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
    550-5.7.26
    550-5.7.26 Authentication results:
    550-5.7.26 DKIM = did not pass
    550-5.7.26 SPF [test.com] with ip: [x.x.x.x] = did not pass
    550-5.7.26
    550-5.7.26 For instructions on setting up authentication, go to
    550 5.7.26 https://support.google.com/mail/answer/81126#authentication d75a77b69052e-44038b5fea6si104501641cf.537 - gsmtp" | node node_modules/zone-mta/bin/check-bounce.js

    data     : 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
               550-5.7.26
               550-5.7.26 Authentication results:
               550-5.7.26 DKIM = did not pass
               550-5.7.26 SPF [test.com] with ip: [x.x.x.x] = did not pass
               550-5.7.26
               550-5.7.26 For instructions on setting up authentication, go to
               550 5.7.26 https://support.google.com/mail/answer/81126#authentication d75a77b69052e-44038b5fea6si104501641cf.537 - gsmtp
    action   : reject
    message  : Mailbox unavailable
    category : other
    code     : 550
    status   : 5.7.26
    line     : 563
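The multi-line reply checked in the comment above, parsed by hand as an added example (this is not ZoneMTA's code and not written by either commenter). `parseSmtpReply` and `classify` are hypothetical names, and the decision uses only the SMTP reply class; ZoneMTA's own `check-bounce.js` result comes from its bounce rules (the bounces.txt mentioned above) and can differ.

```javascript
// Added example, not ZoneMTA code. Reply text as quoted in the thread.
const GMAIL_REPLY = [
    '550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.',
    '550-5.7.26',
    '550-5.7.26 Authentication results:',
    '550-5.7.26 DKIM = did not pass',
    '550-5.7.26 SPF [test.com] with ip: [x.x.x.x] = did not pass',
    '550-5.7.26',
    '550-5.7.26 For instructions on setting up authentication, go to',
    '550 5.7.26 https://support.google.com/mail/answer/81126#authentication d75a77b69052e-44038b5fea6si104501641cf.537 - gsmtp'
].join('\r\n');

// Parse one complete SMTP reply: every line repeats the 3-digit code,
// "-" marks a continuation line and a space marks the final line.
function parseSmtpReply(raw) {
    const lines = raw.split(/\r?\n/).filter(line => line.length > 0);
    if (lines.length === 0) throw new Error('empty reply');
    const reply = { code: null, enhanced: null, text: [] };
    lines.forEach((line, i) => {
        const m = /^(\d{3})(?:([ -])(.*))?$/.exec(line);
        if (!m) throw new Error(`line ${i + 1}: not an SMTP reply line`);
        const code = Number(m[1]);
        const isLast = i === lines.length - 1;
        if (reply.code !== null && code !== reply.code) throw new Error(`line ${i + 1}: reply code changed`);
        // A "-" on the last line means the reply was cut off; a space earlier ends it too soon.
        if ((m[2] === '-') === isLast) throw new Error(`line ${i + 1}: bad continuation marker`);
        reply.code = code;
        const e = /^([245]\.\d{1,3}\.\d{1,3})(?:\s+|$)(.*)$/.exec(m[3] || '');
        // Only trust an enhanced status whose class digit matches the reply code.
        if (e && e[1][0] === m[1][0]) reply.enhanced = e[1];
        const text = e ? e[2] : m[3] || '';
        if (text) reply.text.push(text);
    });
    return reply;
}

// Map the reply class to a queue action (assumed labels, not ZoneMTA's).
function classify(reply) {
    const cls = Math.floor(reply.code / 100);
    if (cls === 2) return 'delivered';
    if (cls === 5) return 'bounce'; // permanent failure: report back to the sender
    return 'defer';                 // 4xx or anything unexpected: keep queued and retry
}

const parsed = parseSmtpReply(GMAIL_REPLY);
console.log(parsed.code, parsed.enhanced, classify(parsed));
```
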

ravivgolov commented 3 weeks ago

> The log says "DEFERRED" there. It didn't bounce. Not sure why, normal behavior for that response is to treat it as a rejection. Unless you modified bounces.txt?

How did you do that check?

> No, it rejects the message during the smtp transaction. The client will get this error directly during message submission.

And that should trigger the bounce from the mail server using ZoneMTA to deliver emails. What am I missing here? How do I instruct ZoneMTA to send a bounce message in this situation? Because I am also using the rate limit plugin, and it follows a similar approach, the sender should be made aware of the issue.

I saw my settings in bounces.toml was set in the pool to bounce instead of pool default, what exactly is that for the var for pool in the zone settings?

    [bounces]
    preferIPv6=false
    ignoreIPv6=true
    processes=1
    connections=2
    pool="bounce"
    logger=true

Sorry for the noob and stupid questions, and thank you for your time god bless you.

louis-lau commented 3 weeks ago

> How did you do that check?

I sent the command I used. It's also in the readme: https://github.com/zone-eu/zone-mta/blob/master/README.md#utilities

> And that should trigger the bounce from the mail server using ZoneMTA to deliver emails

I don't think so? Bounces should be sent if an error happens after submission, not during submission. Message submission fails, and the user will see this error in their client, just not as a bounce message. That's how SMTP works.

> what exactly is that for the var for pool in the zone settings?

See the readme:

> You can define as many Sending Zones as you want. Every Sending Zone can have its own local address IP pool that is used to send out messages designated for that Zone

If you don't have a pool called "bounce", don't set it to use the pool called "bounce". Probably set it back to "default" like the initial config?

ravivgolov commented 3 weeks ago

The bounce will return fine if sent through my mail server to zonemta, and the mail server will return the bounce, but not zonemta. I just checked. Probably I have an issue with postfix returning the bounces.

About the pools, yes I have figured out.