Email Send Error Research
-
@dashrender said in Email Send error;:
@wrcombs Post the entire header - look it over for any private information and XXXX that out...
Delivered-To: XXXXXXXXXXXXXX
Received: by 2002:a05:6830:319b:0:0:0:0 with SMTP id p27csp165790ots; Wed, 9 Jun 2021 15:47:06 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJw/sNc2TPrI5ipWcQK3cbAFhs19oUYuPX9foV/mFqOqPBAovXmKBs8xjw+zyJKjNNxI728X
X-Received: by 2002:a4a:be86:: with SMTP id o6mr1857338oop.67.1623278826653; Wed, 09 Jun 2021 15:47:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623278826; cv=none; d=google.com; s=arc-20160816; b=M8FFBcGifjCQFjstZhbk3RHRufue28cmQwTteQnN5nKpLXEHJX+899bBzhT0CTiDX4 /+MUfqy0oF30khO2+3J8lwWrqT2iUzi6oAUegn33oGdAaSUMFy13OYW/uosrBr3aNUxB 1T+Z8x6iNHF6Wr1KGJy7Xdfw0NJPjjoPy7cZA+CD/1cMaSw0vr3vw308sf9UoQdXrIO6 a0EGWHEddgIE/vLnWqdnhoEqEnumALd9g/J47OjI7GTQo5R4bG1Du7eNTERX/8nh+3Nl iVAetsU7PrfLKFkIrSpWasTEBxSsd/l9uYMfULWgy2cHL0qlXBe98TEXxDk9+GLCYw88 qWNw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=to:references:message-id:in-reply-to:thread-topic:subject:from:date :mime-version:dkim-signature; bh=359hOSgFVIyouoKXJjcrY15MgMQrI1lSw8u4akJ8Hgg=; b=dJv8SkgV1XvraGCosxXttUPoDwpWeSJ/ufjQ3nEmf8zf7pogH6SfiXH2I8vvPfOSQ+ qxH3w1mOm2X+nlShqNpbSDy1vVzYDQwV2CrrWVdnuzKvhC1wSJxS1LojmQev71SMTylJ 7ELX6N5CsnF7mXrid3d/xk1d4xrJnZGvJ+F9o6SpqLCOrxu34fPVEdnC09k0ETXThL/N ++46c9/3AxrYHahUlaILoXJ2mD2EIBSZe34wI5ScoD91y59TnE6EpOfDmfz+nECQP2G2 v0AJCazoKXVEIds95f9r0WyiEsS8rSNmIxiAcAY6Vf6MUb9vNR3B32eK2vxC8buBobCm HVLQ==
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass [email protected] header.s=modoboa header.b=a9kvuLKl; spf=pass (google.com: domain of XXXXXXXXX designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom=XXXXXXXXXXXXXX; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=XXXXXXXX
Return-Path: <XXXXXXXXXX>
Received: fromXXXX.XXXXXX.com (XXXXXXXXXX [XXX.XXX.XXX.XXX]) by mx.google.com with ESMTPS id h18si1327216otk.177.2021.06.09.15.47.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jun 2021 15:47:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of XXXXXXXXXX designates XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; dkim=pass [email protected] header.s=modoboa header.b=a9kvuLKl; spf=pass (google.com: domain of XXXXXXXXXX.com designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom=XXXXXXXXX.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=XXXXXX.com
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=prlwm.com; s=modoboa; t=1623278826; bh=359hOSgFVIyouoKXJjcrY15MgMQrI1lSw8u4akJ8Hgg=; h=Date:From:Subject:In-Reply-To:References:To:From; b=a9kvuLKlssqgoFBtbdLpAmaqAryNVeCxp3U8ZK3ghO/IgPrgc8hZqZOdtV4MRXDoO rr46IQn8KpdI9AADOrRWCtMHys2bzlG3sHsUxGzyivm89BhCNVji4HElpxkApGbRe3 /Y/+XXHAtIJwMHCtnEJtKIjzZQglj5Y+3a2wnmzVtqp4mfeMLageTggGXnmVxnOtyo NMFGnYJPOXQ5q9iprRGgLDpdXpdz1AaAT8eai+Gzoj1iH9KLKSmDTtuDpJJsHEya8W 6HwgZrDUndamHVnju6xXdJly2sNHjp+jtH7Dm779w+HESzsRc5n6n5nYpikW8rdeHq 4FPbve1Zz6waw==
MIME-Version: 1.0
Date: Wed, 9 Jun 2021 17:47:04 -0500
From: XXXXXXXXXXXXXXXX
Subject: Re: XXXXXXXXXXXXXXXX
Thread-Topic: Re: XXXXXXXXXXXXX
In-Reply-To: <CANZe-Sm6+Ois=T+b+UgCMfXg9xaOLKqyp=dKt=OQR279ynVB4A@mail.gmail.com>
Message-ID: <[email protected]>
References: <DM6PR15MB4089CE7329169D4C0A2834B4BE379@DM6PR15MB4089.namprd15.prod.outlook.com> <CANZe-Sk_T77wtN5vhe6j2TMKNFYpdEpEDNHN-OSEEWMYo3a+qg@mail.gmail.com> <DM6PR15MB4089DFBF7550A4FA6032E634BE369@DM6PR15MB4089.namprd15.prod.outlook.com>,<CANZe-
-
@wrcombs said in Email Send error;:
@dashrender said in Email Send error;:
@wrcombs Post the entire header - look it over for any private information and XXXX that out...
You have three Received: sections. The bottom one is the first one that happened. That's the sender connecting to something. You can see the ISP he's using, his local IP usually and what SMTP server he connects to.
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)
The middle one is the next. The mail is now sent from something to mx.google.com. That's a google mail server.
Received: fromXXXX.XXXXXX.com (XXXXXXXXXX [XXX.XXX.XXX.XXX]) by mx.google.com with ESMTPS id h18si1327216otk.177.2021.06.09.15.47.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jun 2021 15:47:06 -0700 (PDT)
The top one is the last transfer. There's missing "from" but judging from the IPv6 address this is likely internal google mail server to google mail server.
Received: by 2002:a05:6830:319b:0:0:0:0 with SMTP id p27csp165790ots; Wed, 9 Jun 2021 15:47:06 -0700 (PDT)
You can also get information from the Received-SPF: section.
Received-SPF: pass (google.com: domain of XXXXXXXXXX designates XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
It's google mail server telling you that the domain XXXXXXXXXX says that XXX.XXX.XXX.XXX is allowed to send emails.
-
@pete-s said in Email Send Error Research:
It's google mail server telling you that the domain XXXXXXXXXX says that XXX.XXX.XXX.XXX is allowed to send emails.
But it doesn't tell me which Email server they're using on Outlook.. I thought that was the question
-
@wrcombs said in Email Send Error Research:
But it doesn't tell me which Email server they're using on Outlook.. I thought that was the question
Yes, it does:
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)
by XXXX.XXXXXX.com (Postfix)
That's the SMTP server they connect to. It's running Postfix software.
They have mobile.uscc.net as ISP.
-
@pete-s said in Email Send Error Research:
Yes, it does:
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)
by XXXX.XXXXXX.com (Postfix)
That's the SMTP server they connect to. It's running Postfix software.
They have mobile.uscc.net as ISP.
Ah, missed that.
SO they're running Postfix as a mail server?
-
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
-
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
-
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
No, they are not. Their mail provider is running Postfix.
Their provider is their ISP.
-
@wrcombs said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
No. The user is running outlook.
They are connecting to their ISP’s domain email server, likely "free email" with domain purchase bullshit, which is running postfix.
Outlook connects to this type of server with SMTP
-
@wrcombs said in Email Send Error Research:
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)
Let's break this down. This is the one that concerns you.
The mail hit the email system from this IP address
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX])
The email was TLS encrypted
(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
The mail was received by this server running postfix.
by XXXX.XXXXXX.com (Postfix)
We can assume that this is showing his domain since you redacted it.
Because it is his domain, this is likely shit "free email" from a cpanel webhost.
Finally, this tells us that he authenticates to send SMTP to his host.
with ESMTPSA
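The way this thread reads the Received: chain (bottom hop first, then the from/by/with clauses, the ESMTPSA marker and the Received-SPF line), as an added Python example that is not part of any poster's message. The header set is constructed with placeholder hosts and addresses, and the function names parse_received and trace are illustrative.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the redacted headers in the thread; every
# host name and address is a placeholder from the documentation ranges.
RAW = """\
Received: by 2001:db8::1 with SMTP id aaa111; Wed, 9 Jun 2021 15:47:06 -0700 (PDT)
Received: from mail.example.com (mail.example.com [203.0.113.10])
        by mx.example.net with ESMTPS id bbb222
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 09 Jun 2021 15:47:06 -0700 (PDT)
Received-SPF: pass (example.net: domain of user@example.com designates
        203.0.113.10 as permitted sender) client-ip=203.0.113.10;
Received: from localhost (client.isp.example [198.51.100.7])
        (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
        by mail.example.com (Postfix) with ESMTPSA id 80B013EC2E;
        Wed, 9 Jun 2021 22:47:05 +0000 (UTC)
From: user@example.com
"""

def _find(pattern, text):
    m = re.search(pattern, text, re.I)
    return m.group(1) if m else None

def parse_received(value):
    """Split one Received: value into the fields the thread reads by eye."""
    clauses, _, stamp = " ".join(value.split()).rpartition(";")
    # Match the protocol name itself: a bare "with <word>" would stop at the
    # "with cipher" inside the Postfix TLS comment.
    proto = (_find(r"\bwith\s+((?:E?SMTP|LMTP)\w*)", clauses) or "").upper()
    # RFC 3848 suffixes: S = STARTTLS was used, A = the client authenticated.
    flags = re.fullmatch(r"(?:ESMTP|LMTP)(S?)(A?)", proto)
    return {
        "from": _find(r"^from\s+(\S+)", clauses),    # name the client announced
        "ip": _find(r"\[([0-9a-f:.]+)\]", clauses),  # address the server saw
        "by": _find(r"\bby\s+(\S+)", clauses),       # server that stamped the hop
        "with": proto,
        "tls": _find(r"\b(TLSv?\d[\d_.]*)", clauses),
        "starttls": bool(flags and flags.group(1)),
        "authenticated": bool(flags and flags.group(2)),
        "time": parsedate_to_datetime(stamp.strip()),
    }

def trace(raw):
    """Return (hops oldest-first, SPF verdict); servers prepend, so reverse."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    spf = " ".join((msg.get("Received-SPF") or "").split())
    return hops, {"result": spf.split(" ")[0].lower() or None,
                  "client_ip": _find(r"client-ip=([0-9a-f:.]+)", spf)}

if __name__ == "__main__":
    hops, spf = trace(RAW)
    for n, h in enumerate(hops, 1):
        print(n, h["from"], h["ip"], "->", h["by"], h["with"], h["tls"],
              "auth" if h["authenticated"] else "no-auth", h["time"].isoformat())
    print("SPF", spf, "matches MX hop:", spf["client_ip"] == hops[1]["ip"])
```

The from name is only what the client announced; the bracketed address and the hops stamped by servers you trust are the parts to rely on.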
-
@jaredbusch Good information to know.. Thank you.
-
@wrcombs said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
Outlook is an email client. It runs on your desktop. It's not a server or anything like that. Nothing runs "on it."
-
Now that we know all of that, you can make some assumptions about the connection in Outlook.
SMTP can use any port.
Port 25 is the original, standard, unauthenticated port. But also blocked on most end user connections.
Typically CPanel hosts use the standardized port 587 for inbound TLS connections.
So his Outlook is most likely configured to point to mail.domain.com:587 or simply domain.com:587 to send SMTP.
Adding in authentication means it is sent with a username and password. Username is typically the full email address.
-
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
Outlook is an email client. It runs on your desktop. It's not a server or anything like that. Nothing runs "on it."
This entire discussion is about Outlook.
-
@jaredbusch said in Email Send Error Research:
Now that we know all of that, you can make some assumptions about the connection in Outlook.
SMTP can use any port.
Port 25 is the original, standard, unauthenticated port. But also blocked on most end user connections.
Typically CPanel hosts use the standardized port 587 for inbound TLS connections.
So his Outlook is most likely configured to point to mail.domain.com:587 or simply domain.com:587 to send SMTP.
Adding in authentication means it is sent with a username and password. Username is typically the full email address.
So would it be likely to assume that Username and password are incorrect?
Not going to pretend here, I'm very much lost and confused.
-
@jaredbusch said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
Outlook is an email client. It runs on your desktop. It's not a server or anything like that. Nothing runs "on it."
This entire discussion is about Outlook.
I know, about what Outlook is talking to. Postfix (nor any other email server) does not run on Outlook.
-
@wrcombs said in Email Send Error Research:
We have a customer who is using a host firewall
FYI, it is an assumption that every computer has a host firewall. While some crazy people turn it off, it's not a special case.
By default, host firewalls (and regular firewalls) don't block outbound traffic.
-
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
We have a customer who is using a host firewall
FYI, it is an assumption that every computer has a host firewall. While some crazy people turn it off, it's not a special case.
By default, host firewalls (and regular firewalls) don't block outbound traffic.
what I mean by "hosted firewall" is we have our vendor's security team manage the firewall on the network. . .
meaning that we do not have access to it other than to the physical box itself.
-
@wrcombs said in Email Send Error Research:
I've never touched email outside of being a user.
That's all that is likely going on here, user side settings are probably wrong. We don't have enough details to know for sure, but most likely that is all that this is. This isn't an email admin or admin thing at all, we suspect, just an MS Office configuration.
You should play with some email systems as an end user to see how they interact. Using Thunderbird and Outlook will give you a lot of exposure. Connect them to a couple different systems like O365 and Gmail and a more basic service to see what end users experience and how all of the configuration is for the end user.
Would also be recommended to run your own email server. That'll teach you a lot really quickly.
-
@wrcombs said in Email Send Error Research:
So would it be likely to assume that Username and password are incorrect?
If the computer receives email, then the username and password were likely correct. Outlook's account setup wizard will only ask for the information one time by default.
If this system has never been able to send email, what is likely incorrect is the email server configuration details.
If it once sent email, then most likely Outlook had a connection problem once and popped up the credentials box, then the user put in the wrong info.