Discussion:
Understanding messages from MAILER-DAEMON
Richard Koett
2009-01-06 19:41:05 UTC
Before asking my question I should mention that it involves a somewhat
dated version of OpenBSD (3.9) and a Microsoft Exchange server. If
either of these makes this too off-topic for the list, please accept
my apology and ignore this post.

OpenBSD is running sendmail 8.13.4 as a backup MX server for a domain
hosted on MS Exchange. (The OpenBSD box has been fantastically reliable
in this role, btw. Thanks!). The /etc/mail/aliases file sends root's
email to me, in case that's relevant.

I receive a fair number of messages from MAILER-DAEMON with the subject
"Undeliverable: returned mail: see transcript for details".

The messages are always sent to an address I've never heard of, so I
assume someone is forging my address in the From: field of their
spam. (I've implemented SPF records, incidentally, but it hasn't had
a noticeable effect).

Here's part of a sample message. Note that mail.mydomain.com
is the OpenBSD server:

--- BEGIN SAMPLE ---
Generating server: mail.mydomain.com

***@myramstore.com
sitemail.everyone.net #<sitemail.everyone.net #5.1.1 SMTP;
550 Recipient Rejected: No account by that name here> #SMTP#

Original message headers:

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
by mail.mydomain.com (8.13.4/8.13.4) id n06HNI36007149;
Tue, 6 Jan 2009 09:23:18 -0800 (PST)
Date: Tue, 6 Jan 2009 09:23:18 -0800
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-ID: <***@mail.mydomain.com>
To: <***@myramstore.com>
MIME-Version: 1.0
Content-Type: text/plain
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
--- END SAMPLE ---

This appears straightforward. I was forged as the sender, so I
received the bounce. However, here's where I'm confused...

The above sample is only the bottom part of what I receive.
The top part reads:

--- BEGIN SAMPLE ---
Delivery has failed to these recipients or distribution lists:

***@gawilliamsfineart.com
The recipient's e-mail address was not found in the recipient's
e-mail system. Microsoft Exchange will not try to redeliver this
message for you. Please check the e-mail address and try resending
this message, or provide the following diagnostic text to your
system administrator.

The following organization rejected your message: mx1.emailsrvr.com.

Diagnostic information for administrators:
--- END SAMPLE ---

What's confusing me is the "Microsoft Exchange will not try to
redeliver this message" part. The bottom part says "Generating
server: mail.mydomain.com", which is the OpenBSD server. I take
that to mean that the OpenBSD machine was trying to deliver the
message, not the Exchange server. Plus, the message is from
MAILER-DAEMON. Why would MAILER-***@mydomain.com e-mail me to
say that an Exchange server won't retry delivery? It makes sense
that the Exchange server is receiving the bounce message for me,
(since OpenBSD forwards my mail there), but not that it had anything
to do with the original delivery attempt.

I must be misunderstanding something about the origin/flow of
these messages and would appreciate if anyone can point me in
the right direction.

Thanks,
Richard Koett.
Richard Koett
2009-01-06 21:44:22 UTC
Hi Stuart:

Thanks for the reply. I noticed that I had cut & pasted from two
different messages, so here is an intact sample:

(It's To: ***@cybernet.ca, which OpenBSD forwards to
the Exchange server, From: MAILER-***@cybernet.ca):


--- BEGIN SAMPLE ---
Delivery has failed to these recipients or distribution lists:

***@myramstore.com
The recipient's e-mail address was not found in the recipient's
e-mail system. Microsoft Exchange will not try to redeliver this
message for you. Please check the e-mail address and try resending
this message, or provide the following diagnostic text to your
system administrator.

The following organization rejected your message:
sitemail.everyone.net.

Diagnostic information for administrators:

Generating server: mail.cybernet.ca

***@myramstore.com
sitemail.everyone.net #<sitemail.everyone.net #5.1.1 SMTP;
550 Recipient Rejected: No account by that name here> #SMTP#

Original message headers:

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
by mail.cybernet.ca (8.13.4/8.13.4) id n06HNI36007149;
Tue, 6 Jan 2009 09:23:18 -0800 (PST)
Date: Tue, 6 Jan 2009 09:23:18 -0800
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-ID: <***@mail.cybernet.ca>
To: <***@myramstore.com>
MIME-Version: 1.0
Content-Type: text/plain
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
--- END SAMPLE ---

I'm mulling over a reply from L. V Lammert on this but still
not quite clear on the sequence of events. Any further elucidation
would be much appreciated.

Thanks,
Richard Koett.
Stuart Henderson
2009-01-06 23:22:59 UTC
Post by Richard Koett
Thanks for the reply. I noticed that I had cut & pasted from two
Ok, most likely scenario: spammer sends to ***@myramstore.com,
hits Sendmail, Sendmail tries to pass it to Exchange.

Exchange generates a bounce *by email* to the sender
address (most Exchange versions don't reject "user unknown"
at the SMTP port, instead they fully bounce the email. oops.)

I guess you are also relaying outbound mail via the sendmail
box so Exchange sends it there, Sendmail tries to deliver it
and fails, then as you're receiving postmaster's mail you get
a copy of the "double bounce".

If that is what's happening, the fix is to reject mail for
invalid users before the message hits Sendmail. You can create
/etc/mail/access populated with a list of the valid addresses
on the Exchange server, something like:

To:myramstore.com error:550 5.1.1 No such user
***@myramstore.com OK
***@myramstore.com OK
etc.

Then rebuild the hash file as shown in the comments.

You can actually build the list from the MS directory
fetching it via ldapsearch (from OpenLDAP) but the exact
command line is dependent on how the Windows server is
arranged.

Keep an eye on /var/log/maillog (tail -f is good for this)
when you put this in place, and you might like to do it with
a test domain first.
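Added example, not part of Stuart Henderson's post: one way to generate the access-map lines he describes from an exported list of valid addresses. The function name, the `To:` tag on the `OK` lines (the addresses in the post are redacted) and the example.com addresses are assumptions; the reject text is the one quoted in the post.

```python
import re

# Conservative address check; anything else is skipped rather than written
# into the map (a directory export can contain odd values).
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")

# Right-hand side of the domain-wide reject, in the form quoted in the post.
REJECT_RHS = "error:550 5.1.1 No such user"


def build_access_map(domain, addresses):
    """Return (lines, skipped) for one relayed domain.

    lines   -- one "To:addr<TAB>OK" per valid recipient, then the domain-wide
               reject, which only applies when no full-address entry matches.
    skipped -- inputs that were malformed or belong to another domain.
    """
    domain = domain.lower()
    valid, skipped = set(), []
    for raw in addresses:
        addr = raw.strip().lower()
        if not addr or addr.startswith("#"):
            continue
        if not _ADDR.match(addr) or addr.rsplit("@", 1)[1] != domain:
            skipped.append(raw.strip())
            continue
        valid.add(addr)
    if not valid:
        # An empty export would turn the map into "reject everyone".
        raise ValueError("no valid recipients for %s; refusing to emit" % domain)
    lines = ["To:%s\tOK" % addr for addr in sorted(valid)]
    lines.append("To:%s\t%s" % (domain, REJECT_RHS))
    return lines, skipped


if __name__ == "__main__":
    # Constructed input standing in for an export of the directory.
    export = ["Alice@Example.com", "bob@example.com", "mallory@other.test"]
    lines, skipped = build_access_map("example.com", export)
    print("\n".join(lines))
    print("skipped:", skipped)
```

Refusing to emit anything for an empty list matters here, because a failed directory export would otherwise produce a map that rejects all mail for the domain.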
Richard Koett
2009-01-07 19:48:10 UTC
Post by Stuart Henderson
hits Sendmail, Sendmail tries to pass it to Exchange.
Thanks again for taking time to help. Just to clarify, however,
my sendmail box is not an MX server for myramstore.com. Perhaps
what's happening is:

1. Someone sends spam to my domain from ***@myramstore.com
2. Although it is not the preferred MX server for my domain, my
sendmail box receives the spam first
3. My sendmail tries to bounce the spam back to
***@myramstore.com for some reason (perhaps a non-existent
addressee)
4. The MX server for myramstore.com responds that solomany is
not a valid user and tries to bounce my bounce back to
MAILER-***@cybernet.ca
5. This double-bounce is sent to the Exchange server because it's
the preferred MX server for cybernet.ca
6. Exchange doesn't recognize MAILER-DAEMON as a valid user.

The above scenario seems plausible to me, but it doesn't explain
why Exchange appears to have been asked to deliver something to
Post by Stuart Henderson
Exchange generates a bounce *by email* to the sender
address (most Exchange versions don't reject "user unknown"
at the SMTP port, instead they fully bounce the email. oops.)
I guess you are also relaying outbound mail via the sendmail
box so Exchange sends it there, Sendmail tries to deliver it
and fails, then as you're receiving postmaster's mail you get
a copy of the "double bounce".
If that is what's happening, the fix is to reject mail for
invalid users before the message hits Sendmail. You can create
/etc/mail/access populated with a list of the valid addresses
To:myramstore.com error:550 5.1.1 No such user
etc.
Then rebuild the hash file as shown in the comments.
I'm actually using virtusertable to relay mail to specific users,
and include lines like this after the list of accepted names for
each domain:

@cybernet.ca error:nouser User unknown

I'm not sure if this is rejecting invalid users "before the message
hits sendmail", however.

It seems to me that I need to do several things:
1. Disable sending bounce messages to non-local users in Exchange
(I seem to recall doing this previously but will double-check)
2. Disable sending bounce messages from sendmail to domains it's
not an MX server for. (I'll have to look into how to do this).
3. Make MAILER-DAEMON a valid alias on Exchange for when messages
hit MX servers out of order

Any other thoughts or suggestions?

Richard Koett.
Stuart Henderson
2009-01-07 20:10:32 UTC
Post by Richard Koett
Post by Stuart Henderson
hits Sendmail, Sendmail tries to pass it to Exchange.
Thanks again for taking time to help. Just to clarify, however,
my sendmail box is not an MX server for myramstore.com. Perhaps
Oh, I had to guess a bit because the full information wasn't there -
full headers and log entries might help explain things..
Richard Koett
2009-01-08 02:06:56 UTC
Post by Stuart Henderson
I had to guess a bit because the full information wasn't there -
full headers and log entries might help explain things...
Perhaps the following will be of more use than my previous information.
I've used a packet sniffer to capture what goes on when my OpenBSD
server sends one of these messages to the Exchange server:

--- BEGIN SMTP TRANSCRIPT ---
(openbsd)
SYN

(exchange)
SYN,ACK

(openbsd)
ACK

(exchange)
220 server.koett.ca Microsoft ESMTP MAIL Service ready at Wed,
7 Jan 2009 16:49:16 -0800

(openbsd)
EHLO mail.cybernet.ca

(exchange)
250-server.koett.ca Hello [154.5.74.158]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST

(openbsd)
MAIL From:<>

(exchange)
250 2.1.0 Sender OK

(openbsd)
RCPT To:<***@server.koett.ca>
DATA

(exchange)
250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>

(openbsd)
Received: from localhost (localhost)
by mail.cybernet.ca (8.13.4/8.13.4) id n0810Ler018239;
Wed, 7 Jan 2009 17:00:36 -0800 (PST)
Date: Wed, 7 Jan 2009 17:00:36 -0800 (PST)
From: Mail Delivery Subsystem <MAILER-***@cybernet.ca>
Message-Id: <***@mail.cybernet.ca>
To: ***@mail.cybernet.ca
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="n0810Ler018239.1231376436/mail.cybernet.ca"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--n0810Ler018239.1231376436/mail.cybernet.ca
The original message was received at Wed, 7 Jan 2009 17:00:21
-0800 (PST)from localhost with id n0810Leq018239
----- The following addresses had permanent fatal errors -----
<***@brainpod.com>
(reason: 550 <***@brainpod.com>: invalid address)
----- Transcript of session follows -----
>>> DATA
<<< 550 <***@brainpod.com>: invalid address
550 5.1.1 <***@brainpod.com>... User unknown
<<< 554 no valid recipients
--n0810Ler018239.1231376436/mail.cybernet.ca

Content-Type: message/delivery-status
Reporting-MTA: dns; mail.cybernet.ca
Received-From-MTA: DNS; [153.5.129.153]
Arrival-Date: Wed, 7 Jan 2009 17:00:21 -0800 (PST)
Final-Recipient: RFC822; ***@brainpod.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx00.1and1.com
Diagnostic-Code: SMTP; 550 <***@brainpod.com>: invalid address
Last-Attempt-Date: Wed, 7 Jan 2009 17:00:35 -0800 (PST)

--n0810Ler018239.1231376436/mail.cybernet.ca
Content-Type: text/rfc822-headers
Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
by mail.cybernet.ca (8.13.4/8.13.4) id n0810Leq018239;
Wed, 7 Jan 2009 17:00:21 -0800 (PST)
Date: Wed, 7 Jan 2009 17:00:21 -0800 (PST)
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <***@mail.cybernet.ca>
To: <***@brainpod.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="n0810Leq018239.1231376421/mail.cybernet.ca"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
--n0810Ler018239.1231376436/mail.cybernet.ca--

(exchange)
250 2.6.0 <***@mail.cybernet.ca> Queued
mail for delivery

(openbsd)
QUIT
--- END SMTP TRANSCRIPT ---

Now, here is the message as delivered by Exchange:

--- BEGIN DELIVERED MESSAGE ---
Delivery has failed to these recipients or distribution lists:

***@brainpod.com
The recipient's e-mail address was not found in the recipient's e-mail
system. Microsoft Exchange will not try to redeliver this message for you.
Please check the e-mail address and try resending this message, or provide
the following diagnostic text to your system administrator.

The following organization rejected your message: mx00.1and1.com.

Diagnostic information for administrators:

Generating server: mail.cybernet.ca

***@brainpod.com
mx00.1and1.com #<mx00.1and1.com #5.1.1 SMTP; 550 <***@brainpod.com>: invalid
address> #SMTP#

Original message headers:

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
by mail.cybernet.ca (8.13.4/8.13.4) id n0810Leq018239;
Wed, 7 Jan 2009 17:00:21 -0800 (PST)
Date: Wed, 7 Jan 2009 17:00:21 -0800
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-ID: <***@mail.cybernet.ca>
To: <***@brainpod.com>
MIME-Version: 1.0
Content-Type: text/plain
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
--- END DELIVERED MESSAGE ---

So it appears that sendmail is sending me notification of a delivery
failure to ***@brainpod.com, because my aliases file contains:

MAILER-DAEMON: postmaster
postmaster: root
root: ***@server.koett.ca

Exchange made it confusing by dropping a lot of content from the
message, while adding that "Exchange will not try to redeliver this
message" when in fact Exchange seems to have had nothing to do with
its delivery in the first place.

So, what I still don't know is:
1. Why was sendmail trying to deliver anything to ***@brainpod.com?
2. How can I stop such behaviour?

Thanks again,
Richard Koett.
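Added example, not part of the thread: the fields Exchange dropped can be read straight from the `multipart/report` notification that sendmail sent, including whether the message that failed was itself an auto-generated bounce (a double bounce). The function and field names are assumptions, and the sample message is constructed with placeholder hosts and addresses, modelled on the captured notification above.

```python
import email

# Constructed sample modelled on the notification captured above; hosts,
# addresses and the MIME boundary are placeholders.
SAMPLE = """\
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"
Auto-Submitted: auto-generated (postmaster-notification)

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: RFC822; forged@victim.example
Status: 5.1.1
Remote-MTA: DNS; mx.victim.example
Diagnostic-Code: SMTP; 550 <forged@victim.example>: invalid address

--b1
Content-Type: text/rfc822-headers

Return-Path: <MAILER-DAEMON>
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

--b1--
"""

# Per-recipient DSN fields to report, keyed by the name used in the summary.
FIELDS = {"recipient": "Final-Recipient", "status": "Status",
          "remote_mta": "Remote-MTA", "diagnostic": "Diagnostic-Code"}


def _value(field):
    # Drop the "type;" prefix of a DSN field such as "RFC822; user@host".
    return field.split(";", 1)[-1].strip() if field else None


def summarize_dsn(raw):
    """Summarise a multipart/report DSN and flag a double bounce."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report" or not msg.is_multipart():
        raise ValueError("not a multipart/report message")
    out = {"reporting_mta": None, "failures": [], "original_was_bounce": False}
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            blocks = part.get_payload()  # one Message per header block
            out["reporting_mta"] = _value(blocks[0].get("Reporting-MTA"))
            for rcpt in blocks[1:]:
                if rcpt.get("Final-Recipient"):
                    out["failures"].append(
                        {k: _value(rcpt.get(h)) for k, h in FIELDS.items()})
        elif ctype == "text/rfc822-headers":
            hdrs = email.message_from_string(part.get_payload())
            auto = (hdrs.get("Auto-Submitted") or "").strip().lower()
            sender = (hdrs.get("Return-Path") or "").strip()
            out["original_was_bounce"] = (
                auto.startswith("auto-") or sender in ("<>", "<MAILER-DAEMON>"))
    return out
```

When `original_was_bounce` is true, the undeliverable message was a bounce generated by the reporting host, so the failed recipient is the sender address of some earlier message that host accepted and then could not deliver.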
