RT4 Postfix/Apache Email Return-Path causing issues

Hello,

I’m not much of a linux guy, but we’re having an issue with emails coming from RT to external organizations.

We’re running RT 4.0.10 on CentOS 6.3 with Postfix (MailCommand: sendmailpipe) as the email solution. I mostly followed the install guide and prayed during installation and config.

We get tickets from some external sources that when they get the autoreply from us they do a reverse lookup domain check on the Return-Path instead of the From or Reply-To address (All three are present). The Return-Path is apache@servername.domain, so the emails get denied since it’s not a valid domain with an external MX record. Then we get the undeliverable message from our external mail servers, complete with the raw header info.

I searched the gossamer archives but didn’t find anything solid that helped. Maybe I didn’t use the right search terms or something because I imagine this has come up before. How can I fix this? Can I change the Return-Path? Or omit it completely? What are my options here?

Any help is appreciated.

Thanks,

James Billington
Senior Systems Administrator
ManTech

This e-mail and any attachments are intended only for the use of the addressee(s) named herein and may contain proprietary information. If you are not the intended recipient of this e-mail or believe that you received this email in error, please take immediate action to notify the sender of the apparent error by reply e-mail; permanently delete the e-mail and any attachments from your computer; and do not disseminate, distribute, use, or copy this message and any attachments.

Hi,

Sorry I gave you a wrong google word of “impersonation” it should be “masquerade”… Here is an article to do just that:

http://www.cyberciti.biz/tips/howto-postfix-masquerade-change-email-mail-address.html

Another way is to relay off your main server (we do that with our Exchange box) again no need for MX record changes since it looks like it will come from the right place.

Hope this helps as this is always the worst part of these kinds of apps since it really varies so much from distro to distro. It is why I switched from Debian (I like them better) to CentOS when setting up RT.
Thank You,
Rafal Roginela
Office (847) 827-9740 x109
Fax (847) 493-8031

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. (3.8) Please consider the environment before printing this email.

Adding an external MX record for this isn’t really an option I can explore. I agree it would solve the problem, more as a workaround, but we’d need to revisit our agreement with our DNS provider.

I googled “postfix impersonation settings” and “sendmail impersonation settings” with no luck. Can you be more specific? I’d appreciate it.
Thanks,

James Billington
Senior Systems Administrator


This looks like it might work. It just feels like we’re tricking the system as a workaround instead of fixing it at the root.

Isn’t there a way to set the Return-Path without changing the From: and/or ReplyTo: headers? RT already set those properly. I just need the Return-Path to change.

Just to confirm a starting point… where are these headers set? Where is the Return-Path: header set? Sendmail right? RT hands off the formatted email with most of the needed headers/content and sendmail adds the Return-Path: header, right? Postfix doesn’t do it, does it?
Just confirming where to check?

James Billington
Senior Systems Administrator
Email: jbillington@itsfac.com
Phone: (703) 445-3715
Important Notice: This email message and any attachments may contain information and/or trade secrets that are private, and are meant to be delivered solely for the use of the intended recipient(s). If you are not the intended recipient, please do not read, copy, use, forward or disclose the contents of this communication to others. Interception of e-mail is a crime under the Electronic Communications Privacy Act, 18 U.S.C. 2510-2522 and 2701-2709. If you have received this email in error, please immediately notify us by return email or by telephone at [703-221-0200 Ext 51119] and promptly delete this message. Thank You.

I would suggest you use postfix canonical maps on the host running RT, regardless of whether it sends out mail directly or via a mail relay server (e.g. corporate mail server). This way you rewrite the domain part of the email address to an address with public MX record (…@servername.domain to …@domain or …@rt.domain).

RTFM:
http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/canonical.5.html

A versatile setup is to relay mail from RT host to corporate mail server. Then it is easy to accept incoming mail via corporate mail server (via public aliases or addresses with subdomain, whichever is more appropriate) which then delivers it to postfix on RT host.

But there are many ways to skin a cat, this being just one of them.

Nejc

This looks like it might work. It just feels like we’re tricking the
system as a workaround instead of fixing it at the root.

Isn’t there a way to set the Return-Path without changing the From:
and/or ReplyTo: headers? RT already set those properly. I just need the
Return-Path to change.

http://bestpractical.com/rt/docs/latest/RT_Config.html#Outgoing-mail

Hi,

Postfix is the MTA; sendmail just hands it off to Postfix, is what I understand. The reason you’re seeing the headers the way they are is because of how intrinsic email is to Linux/Unix. What’s there is how mail works inside Linux itself, because each system has an internal mail flow that is there for the internal users, and you are using it for external communication, but it still is internal email until it leaves that box. Someone with real Linux knowledge can probably correct all this and explain it better.

That is why you have to masquerade for the domain that you want and it is done in postfix per the link I sent.

Thank you,

Rafal Roginela
Network Engineer

AmeriCash Loans, LLC
880 Lee Street, Suite 302
Des Plaines, IL 60016

Office (847) 827-9740 x109
Fax (847) 493-8031

rroginela@americashloans.net

This looks like it might work. It just feels like we’re tricking the
system as a workaround instead of fixing it at the root.

Not really. Return-Path is a header that gets created by an MTA for
local delivery or when constructing a bounce message, with the SMTP
envelope sender address as the header value. The SMTP envelope sender
address domain is checked by receiving MTAs because that is the address
that bounces get sent to, it is visible to the receiving MTA before any
message data is sent, and a bad domain in that address is proof of a
misconfigured sending system. Historically, a bad envelope sender domain
was common in spam, before Sendmail made rejection of such mail a
default setting. No system should be generating ANY mail with an
envelope sender in a domain that has no MX or A record, and any envelope
sender address should actually be deliverable (even if final delivery
consists of a pipe into /dev/null).

So one root is that RT isn’t setting the envelope sender to something
that works. The other root is that your Postfix config is wrong in
that it sends mail with a bad domain part in envelope sender addresses.
The fix for that is to set myhostname to something sane in
/etc/postfix/main.conf.

Isn’t there a way to set the Return-Path without changing the From:
and/or ReplyTo: headers? RT already set those properly. I just need
the Return-Path to change.

It may have changed with RT4, but historically RT has set the envelope
sender address via the $SendmailArguments variable in RT_SiteConfig.pm
using the sendmail “-f” option, with an address that gets delivered
into the rtbouncehandler program. For example:

Set($SendmailArguments, '-frtbounce@requesttracker.example.com -oi -t');

On a machine running “real” Sendmail that knows itself as
requesttracker.example.com, that operates in concert with an entry in
the alias file:

rtbounce: "|/etc/smrsh/rtbouncehandler | /etc/smrsh/rt-mailgate --queue incoming --action comment --url https://requesttracker.example.com/rt/ --timeout 300"

The alias provides feedback into RT when ticket mail bounces.
Constructing an equivalent alias for Postfix is left as an exercise :)

Just to confirm a starting point… where are these headers set? Where
is the Return-Path: header set? Sendmail right? RT hands off the
formatted email with most of the needed headers/content and sendmail
adds the Return-Path: header, right? Postfix doesn’t do it, does it?
Just confirming where to check?

RT pipes a fully-formed (in theory) message into a sendmail process. If
you are using Postfix, that “sendmail” is in fact a Postfix version
built to mimic “real” Sendmail. Postfix’s sendmail transforms the
message (as influenced by its arguments & environment) into Postfix
queue format and passes it to postdrop, which injects it in the maildrop
queue. That queue file has an envelope sender address, which is either
the -f argument to sendmail or if there is no -f argument, the user that
ran sendmail @ the Postfix myhostname setting. It is possible to use
Postfix “generic” address mapping to fix a bad myhostname config, but
that is not the most robust approach.

Hi,

As was mentioned, you have to configure the -f flag in the sendmail
arguments in the RT site config. Also, some MTAs (sendmail ™ and maybe
others) may mention that the return-path was adjusted; to avoid such
mentions you should mark the web server’s user (apache, www, httpd or
however it’s named on your system) as a trusted one by adding it to
/etc/mail/trusted-users (may depend on MTA, double check file name as
I just wrote it from memory).

Best regards, Ruslan.

I am relaying RT mail through our corporate Exchange Server. I have each of the 10 queues’ correspond/comment address set to a valid external address, and have made contacts in Exchange to relay the mail properly. That doesn’t change the Return-Path that Postfix sets. Whether I set up contacts on the Exchange Server or not the Return-Path still isn’t from a valid domain.

I’d seen this in their documentation before I’d ever started this mail chain…

The sendmail documentation says the following… http://www.sendmail.org/~ca/email/man/sendmail.html
-fname Sets the name of the "from" person (i.e., the sender of the mail). -f can only be used by "trusted" users (normally root, daemon, and network) or if the person you are trying to become is the same as the person you are.

This looks like it would change the “From:” header and I wouldn’t want to do that. As I mentioned before RT has already set this properly and I don’t want to mess with it.

The RT documentation says the following… RT Config - RT 5.0.3 Documentation - Best Practical

$SetOutgoingMailFrom

$SetOutgoingMailFrom tells RT to set the sender envelope to the Correspond mail address of the ticket's queue.

Warning: If you use this setting, bounced mails will appear to be incoming mail to the system, thus creating new tickets.

$OverrideOutgoingMailFrom

$OverrideOutgoingMailFrom is used for overwriting the Correspond address of the queue as it is handed to sendmail -f. This helps force the From_ header away from www-data or other email addresses that show up in the "Sent by" line in Outlook.

The option is a hash reference of queue name to email address. If there is no ticket involved, then the value of the Default key will be used.

This option is irrelevant unless $SetOutgoingMailFrom is set.

However I assumed that this would change the “From:” and/or “ReplyTo:” headers. It mentions the “from” header, and sendmail -f specifically so I took what I thought I knew of that documentation and applied it here.

If I understand you all correctly it appears that if I use the sendmail -f argument it will only change the “Return-Path” header. If that’s true then the documentation is confusing. Maybe a note should be added to the documentation clarifying this. Perhaps more detail about the “sendmail -f” argument and the “$SetOutgoingMailFrom” option.

I don’t like the idea of changing the postfix hostname since it is technically correct and works as designed for internal email. Though that could be what I end up doing if “sendmail -f” doesn’t only change the Return-Path. If “sendmail -f” DOES only change the Return-Path then I’ll probably go with the “$SetOutgoingMailFrom” option. I don’t think the warning would be true in my case since the bounces are from “AutoReply” and “Resolved” emails and have the proper [RTName ticket number] in the subject so they should just be added to the tickets. This could be annoying if the ticket is already closed and bounce message reopens (or keeps reopening) the ticket, but I suppose having the bounce message in the ticket history would be the best for ticket tracking.

If I could just get a final word of clarification on my “sendmail -f” concern I would appreciate it, and I really do appreciate all the help from everybody thus far.

Thanks,

James Billington
Senior Systems Administrator
ManTech


If I understand you all correctly it appears that if I use the sendmail -f argument it will only change the “Return-Path” header. If that’s true then the documentation is confusing. Maybe a note should be added to the documentation clarifying this. Perhaps more detail about the “sendmail -f” argument and the “$SetOutgoingMailFrom” option.

Those options change the envelope address i.e., the “MAIL FROM” in the
smtp transaction:

MAIL FROM: <…>
RCPT TO: <…>
DATA
Subject: …
From: …
To: …

blah
.

and the Return-path is set by the last smtp in the workflow, to this
envelope sender (MAIL FROM) which can be different from the “From:”.

Typically, you want the “From:” to be the queue email (where the target
user will reply, this is how RT works), but the envelope sender to be
some administrative address outside of RT like postmaster@foo.bar. This
last one will receive any bounces, i.e. any mail sent by RT to an email
address that does not work (quota full, non existent address, …).
Sending the bounces to an RT queue is often not wanted as this will
create new tickets.

So you should just set something like:

RT < 4.0:
Set($SendmailArguments, '-oi -t -f"postmaster@foo.bar"');

RT >=4.0:
Set($SetOutgoingMailFrom, 1);
Set($OverrideOutgoingMailFrom, {
    'Default' => 'postmaster@foo.bar',
});

I agree that the documentation should be more accurate about which
“From” it affects and rather than talking about ‘sendmail -f’, talking
about bounce/envelope/return-path.

Easter-eggs Spécialiste GNU/Linux
44-46 rue de l’Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76
mailto:elacour@easter-eggs.com - http://www.easter-eggs.com
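
Added example (not part of the original thread and not RT or Postfix code): a small Python model of the behaviour described in the two replies above, showing that -f changes only the envelope sender (MAIL FROM, later recorded as Return-Path) while the From: header RT wrote stays untouched, and why a receiver rejects the default apache@host sender. The host name rt01.corp.example.org, the addresses and the DNS table are constructed assumptions.

```python
import shlex
from email import message_from_string

# Constructed data: what the public Internet can resolve. The RT host's own
# name (rt01.corp.example.org, an assumed name) is internal-only, so it is absent.
PUBLIC_DNS = {"example.org": {"MX", "A"}, "example.net": {"MX"}}

# Constructed autoreply as RT would pipe it into sendmail: headers already set.
RT_MESSAGE = (
    "From: Support via RT <support@example.org>\n"
    "Reply-To: support@example.org\n"
    "To: customer@example.net\n"
    "Subject: [example.org #123] AutoReply: printer offline\n"
    "\n"
    "This message has been automatically generated.\n"
)


def envelope_sender(sendmail_args, unix_user, myhostname):
    """Pick the envelope sender the way the thread describes it:
    the -f argument if given, otherwise <invoking user>@<myhostname>."""
    args = iter(shlex.split(sendmail_args))
    for arg in args:
        if arg == "-f":                      # form: -f addr
            value = next(args, None)
            if value:
                return value
        elif arg.startswith("-f") and len(arg) > 2:
            return arg[2:]                   # form: -faddr or -f"addr"
    return f"{unix_user}@{myhostname}"


def sender_domain_resolves(address):
    """Receiver-side check applied at MAIL FROM: the domain needs an MX or A record."""
    domain = address.rsplit("@", 1)[-1].lower()
    return bool(PUBLIC_DNS.get(domain, set()) & {"MX", "A"})


def simulate(sendmail_args, unix_user="apache", myhostname="rt01.corp.example.org"):
    """Return what the receiving side sees for one RT message."""
    sender = envelope_sender(sendmail_args, unix_user, myhostname)
    result = {"mail_from": sender, "accepted": sender_domain_resolves(sender),
              "from": None, "return_path": None}
    if result["accepted"]:
        # The final-delivery MTA prepends Return-Path from the envelope sender;
        # the headers RT generated are delivered unchanged.
        delivered = message_from_string(f"Return-Path: <{sender}>\n{RT_MESSAGE}")
        result["from"] = delivered["From"]
        result["return_path"] = delivered["Return-Path"]
    return result


if __name__ == "__main__":
    for args in ("-oi -t", '-oi -t -f"bounces@example.org"'):
        print(repr(args), "->", simulate(args))
```
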

[…]

whoops, didn’t read the full thread, this has already been answered ;)

Easter-eggs Spécialiste GNU/Linux
44-46 rue de l’Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76
mailto:elacour@easter-eggs.com - http://www.easter-eggs.com