GNOME Bugzilla – Bug 621198
Bugzilla email comes from invalid address
Last modified: 2011-03-18 16:12:53 UTC
I just noticed I wasn't getting bugmail. It looks like the 'bugzilla@gnome.org' address is no longer valid... 2010-06-10 12:59:56 +0000 H=menubar.gnome.org [209.132.180.169] sender verify fail for <bugzilla@gnome.org> 2010-06-10 12:59:56 +0000 H=menubar.gnome.org [209.132.180.169] F=<bugzilla@gnome.org> rejected RCPT <dwmw2@infradead.org>: Sender verify failed [root@bombadil ~]# telnet mail.gnome.org 25 Trying 209.132.180.169... Connected to mail.gnome.org. Escape character is '^]'. 220 menubar.gnome.org ESMTP Postfix helo me 250 menubar.gnome.org mail from:<> 250 2.1.0 Ok rcpt to:<bugzilla@gnome.org> 554 5.7.1 <bugzilla@gnome.org>: Recipient address rejected: Please use the web interface at http://bugzilla.gnome.org/ quit 221 2.0.0 Bye Connection closed by foreign host.
Yes, you cannot email to bugzilla@gnome.org. This to inform users whom reply to bugmail that they shouldn't reply like that (it will get lost). But that is not related to whether bugmail can be sent. Looks like you're doing sender verification for all email. I recommend reading http://www.postfix.org/ADDRESS_VERIFICATION_README.html#sender_always
(In reply to comment #1) > Yes, you cannot email to bugzilla@gnome.org. This to inform users whom reply to > bugmail that they shouldn't reply like that (it will get lost). Um, that's not relevant. You're talking about incoming mail with a _non-empty_ sender. Of course that's rejected, for the reason you state. The example above isn't one of those. The example above is a _bounce_ (or a sender verification callout), which should be accepted (even if it's later discarded). It's has an _empty_ sender (MAIL FROM:<>). > Looks like you're doing sender verification for all email. I recommend reading > http://www.postfix.org/ADDRESS_VERIFICATION_README.html#sender_always That page calls gnome.org a 'misconfigured system', which is fairly much in line with what I said :)
I don't see why I should make an exception for bounces. That'll mean we a) have to complicate the Postfix config and b) have to accept various emails and then discard them (pretty sure we get bounces).
(In reply to comment #3) > I don't see why I should make an exception for bounces. You should accept bounces to bugzilla@gnome.org because you're sending MAIL FROM:<bugzilla@gnome.org>. To do otherwise is, as it says in the URL you showed, 'misconfigured'. You _want_ to make an exception for non-bounces though, so that when users send mail to that address they get a rejecting. As you also said. It shouldn't complicate the config very much at all, unless Postfix is _dramatically_ worse than Exim in this respect. It's fairly trivial in Exim (which is all I know).
I do not see an easy way on: http://www.postfix.org/access.5.html (reject except for <> and send it in that case to /dev/null). I do of course know of a way, but that adds a lot of extra stuff to the configuration for IMO little benefit.
I am not familiar with Postfix; I just know that it's trivial with Exim. But I have led to believe that there is a lot of stuff that's trivial with Exim that cannot easily be done with Postfix, so perhaps you are right. Still, as it stands it is quite clear that the gnome.org mailserver is misconfigured. Some would argue that fixing that problem is not "little benefit". Please do fix it.
*** Bug 625141 has been marked as a duplicate of this bug. ***
I subscribed to the postfix-users mailing list and asked them how to do it and this is the response I got: recipient_access: # Discard all mail to this address dropmail@example.com DISCARD virtual_aliases: # Pass recipient validation dropmail@example.com postmaster main.cf: indexed = ${default_database_type}:${config_directory}/ smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_recipient_access ${indexed}recipient_access virtual_alias_maps = ${indexed}virtual_aliases You'd replace dropmail@example.com with bugzilla@gnome.org I expect. I don't know anything about postfix config so I'm not sure how much of this is more or less boilerplate and how much is special, but it doesn't seem too bad to me.
I don't want to play around with testing random config changes. Currently we show an error message that people should use the web interface. This is what I really care about. Above discards, doesn't reject. Maybe it'll still work with a reject, but I'd have to investigate. But above is way cleaner than the way I know. So thanks!
Thanks Olav. Can I ask you to reopen this bug, until you have time to look into the configuration changes? Cheers!
Applied configuration change as suggested, still no go. I don't understand the indexed bit, maybe that is the magic that makes this work. But need to be careful with mail.gnome.org... $ telnet mail.gnome.org 25 Trying 209.132.180.169... Connected to mail.gnome.org (209.132.180.169). Escape character is '^]'. HEL220 menubar.gnome.org ESMTP Postfix O bkor.ath.cx 250 menubar.gnome.org MAIL FROM:<> 250 2.1.0 Ok RCPT TO:<bugzilla@gnome.org> 554 5.7.1 <bugzilla@gnome.org>: Recipient address rejected: Please use the web interface at http://bugzilla.gnome.org/ RSET 250 2.0.0 Ok MAIL FROM:<olav@bkor.dhs.org> 250 2.1.0 Ok RCPT TO:<bugzilla@gnome.org> 554 5.7.1 <bugzilla@gnome.org>: Recipient address rejected: Please use the web interface at http://bugzilla.gnome.org/ QUIT 221 2.0.0 Bye
That still seems to be rejecting the mail (at RCPT time). You need to at least appear to accept the RCPT. I'm slightly confused by comment 9. Did you apply the suggested change (which AIUI should make postfix accept-and-discard instead of rejecting), but modify it so that it makes postfix reject the message? If so, you just changed your configuration to explicitly reject the callouts instead of just rejecting them because there's no alias for that user. Which doesn't really change much. Rejecting at the DATA command would be fine, but I'm not sure if you have that much flexibility with postfix. You may need to accept the data too, and discard.
I don't want to discard, I want to reject and show an error message. Except for sender based verification. But I don't want a complicated config as well.
That means you *either* reject at the DATA command, or accept the data then reject after receiving the actual data (as if spam/virus checks had failed)... or perhaps discard *only* bounces (MAIL FROM:<>) and not normal mail. Any of these would be trivial with a decent mailer, but I'm not sure what postfix allows.
> $ telnet mail.gnome.org 25 > Trying 209.132.180.169... > Connected to mail.gnome.org (209.132.180.169). > Escape character is '^]'. > 220 menubar.gnome.org ESMTP Postfix > HELO bkor.ath.cx > 250 menubar.gnome.org > MAIL FROM:<me@bkor.dhs.org> > 250 2.1.0 Ok > RCPT TO:<bugzilla@gnome.org> > 554 5.7.1 <bugzilla@gnome.org>: Recipient address rejected: Please use the web interface at http://bugzilla.gnome.org/ > RSET > 250 2.0.0 Ok > MAIL FROM:<> > 250 2.1.0 Ok > RCPT TO:<bugzilla@gnome.org> > 250 2.1.5 Ok > DATA > 354 End data with <CR><LF>.<CR><LF> > Subject: test >· > test > . > 250 2.0.0 Ok: queued as 5AD1775052D > QUIT > 221 2.0.0 Bye > Connection closed by foreign host. Thought of a simple solution just now: 1. Already have "check_sender_access hash:/etc/postfix/access-sender" In that file, put "<> check_recipient_bounce" Note: The check_sender_access must be before the check_recipient_access! 2. In main.cf, add: smtpd_restriction_classes = check_recipient_bounce check_recipient_bounce = check_recipient_access hash:/etc/postfix/access-recipient-bounce 3. In /etc/postfix/access-recipient-bounce: bugzilla-daemon@bugzilla.gnome.org OK bugzilla@gnome.org OK Solution I always thought of was a different smtpd_restriction_class per recipient (so the custom error message still is visible). Never thought to put the exception before that for just <>. Simple, but never thought of it.