Koozali.org: home of the SME Server

Cname Expansion Issues

Offline Warbird30

Cname Expansion Issues
« on: October 25, 2018, 09:19:30 PM »
We use spiceworks cloud ticket system, but suddenly (as of this month) email responses are not making it to spiceworks cloud service. 

We have been in contact with Spiceworks support and they state the following:

What is happening is your email service is seeing the reply to address being help@polmvakc.on.spiceworks.com but sees that the address is also a cname pointing to the MX for help@swincapsula.on.spiceworks.com. It is then rewriting the header to list the swincapsula.on.spiceworks.com address. This causes the email to come in to sendgrid (our third party email provider), but the APIs that pull from SendGrid no longer know where to route the email as Spiceworks looks at the subdomain to determine into which help desk the tickets should be processed.

You need to find how to turn off that rewriting from CName Expansion on qmail.


Email ticket responses are not going to our IT.  How do we go about resolving this issue?  Any help would be greatly appreciated.


Offline ReetP

Re: Cname Expansion Issues
« Reply #1 on: October 26, 2018, 12:12:39 AM »
No expert here but a search on the interwebs reveals things like this:

https://serverfault.com/questions/117847/do-some-mail-servers-rewrite-envelope-to-in-response-to-a-cname

Might just be Spiceworks need to look at their DNS?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Warbird30

Re: Cname Expansion Issues
« Reply #2 on: October 26, 2018, 12:36:37 AM »
Thanks for the reply ReetP:

Not certain it's spiceworks DNS as tickets coming in from Gmail, Hotmail, etc work just fine.  It only seems to be from SME server (9.2) and only since this past month.

If it helps, this was found in one of the logs:
delivery 106317: deferral: 167.89.118.48_does_not_like_recipient./Remote_host_said:_454_4.7.1_<help@swincapsula.on.spiceworks.com>:_Relay_access_denied/Giving_up_on_167.89.118.48./

Offline ReetP

Re: Cname Expansion Issues
« Reply #3 on: October 26, 2018, 12:56:33 AM »
Gmail, Hotmail, etc may all appear to be fine, but you are comparing apples & oranges without any underlying evidence.

It may just be their DNS is set up correctly.....

Needs a greater mind than mine to investigate this who can ask the right questions and understand the data.

You might want to start by looking at the DNS records for the Spiceworks servers with say 'dig'

Offline Warbird30

Re: Cname Expansion Issues
« Reply #4 on: October 26, 2018, 01:14:11 AM »
We appreciate the help and we also need a greater mind than ours for this... :)

When we look at DNS for spiceworks we receive:
# nslookup -q=cname plomvakc.on.spiceworks.com

Non-authoritative answer:
plomvakc.on.spiceworks.com      canonical name = swincapsula.on.spiceworks.com.


They are saying we need to turn off Cname expansion, but we are having a hard time finding the information to allow us to do that on SME Server.

Offline michelandre

Re: Cname Expansion Issues
« Reply #5 on: October 26, 2018, 04:33:46 AM »
Hi Warbird30,

It looks like it is: swincapsula.on.spiceworks.com that is not defined.


Code:
swincapsula.on.spiceworks.com -

Resolving failed
Error code 22

The proxy failed to resolve site from host name, if this site was recently added please allow a few minutes before trying again.
2018-10-26 02:27:00 UTC

Michel-André

Offline Warbird30

Re: Cname Expansion Issues
« Reply #6 on: October 26, 2018, 11:03:20 AM »
Thanks for the information michelandre, I will pass this along to spiceworks support and see what they have to say.

Offline ReetP

Re: Cname Expansion Issues
« Reply #7 on: October 26, 2018, 01:05:29 PM »
Quote
Thanks for the information michelandre, I will pass this along to spiceworks support and see what they have to say.

As I previously hinted at, I have a feeling this is more a mess with Spiceworks DNS setup than an issue with your mail server. It may well be they want you to bodge your mail server to fit their messy setup rather than fixing their own issues..... 

(M$ have good form on this with their mail servers where they can't be bothered to add A records etc etc so try and break standard email RFCs)

However, I am no DNS guru so can't really tell....

Offline warbird_30

Re: Cname Expansion Issues
« Reply #8 on: November 01, 2018, 07:34:58 AM »
Well, each side seems to say it's the other side's issue.. lol.

expanded logs given to me by server team:

2018-10-31 14:54:54.936192500 starting delivery 137872: msg 18483362 to remote help@plomvakc.on.spiceworks.com
2018-10-31 14:54:54.936194500 status: local 0/40 remote 1/60
2018-10-31 14:54:55.383160500 delivery 137872: deferral: 167.89.118.48_does_not_like_recipient./Remote_host_said:_454_4.7.1_<help@swincapsula.on.spiceworks.com>:_Relay_access_denied/Giving_up_on_167.89.118.48./

Offline Jean-Philippe Pialasse

Re: Cname Expansion Issues
« Reply #9 on: November 01, 2018, 12:32:08 PM »
To help us to help you, we will need more information.

- what is the domain name of the sme server
- what is the domain that should be handled by spiceworks
- did it work in the past?
- what is 167.89.118.48?
- have you done any upgrade of SME around the time it stopped working.

- is the help desk mail hosted on a SME?

Offline CharlieBrady

Re: Cname Expansion Issues
« Reply #10 on: November 01, 2018, 09:00:24 PM »
Quote
Well, each side seems to say it's the other side's issue.. lol.

expanded logs given to me by server team:

2018-10-31 14:54:54.936192500 starting delivery 137872: msg 18483362 to remote help@plomvakc.on.spiceworks.com
2018-10-31 14:54:54.936194500 status: local 0/40 remote 1/60
2018-10-31 14:54:55.383160500 delivery 137872: deferral: 167.89.118.48_does_not_like_recipient./Remote_host_said:_454_4.7.1_<help@swincapsula.on.spiceworks.com>:_Relay_access_denied/Giving_up_on_167.89.118.48./

Your server tried to inject a message to help@plomvakc.on.spiceworks.com which their server rejected as "relay access denied". So their server, 167.89.118.48, AKA mx.sendgrid.net, is not configured to accept mail for plomvakc.on.spiceworks.com. That's problem one. The second is that their mail server has rewritten the envelope to address help@swincapsula.on.spiceworks.com which is included in the rejection message. We can't tell from the outside whether their mail server rewrote the address before checking local delivery domains or after.

In both cases, it is their problem. SME server looked up the MX record for plomvakc.on.spiceworks.com, got mx.sendgrid.net, looked up the IP address of mx.sendgrid.net, connected to the mail server, and tried to deliver the message.

FWIW, they seem to have fixed the problem now:

-bash-3.00$ telnet mx.sendgrid.net 25
Trying 167.89.118.48...
Connected to mx.sendgrid.net.
Escape character is '^]'.
220 mx0036p1las1.sendgrid.net ESMTP Postfix
ehlo charliebrady.org
250-mx0036p1las1.sendgrid.net
250-PIPELINING
250-SIZE 204800000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <charlieb@charliebrady.org>
250 2.1.0 Ok
rcpt to: <help@plomvakc.on.spiceworks.com>
250 2.1.5 Ok
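
The mismatch visible in the log lines quoted above, checked mechanically (an added example, not part of the original posts): it pairs each qmail-send "starting delivery" line with its result line and reports deliveries where the address quoted in the remote SMTP reply differs from the recipient that was logged. The function and field names are illustrative, and the check only reports the mismatch, not where the address was changed.

```python
import re

# The three qmail-send log lines posted in reply #8 of this thread.
SAMPLE_LOG = """\
2018-10-31 14:54:54.936192500 starting delivery 137872: msg 18483362 to remote help@plomvakc.on.spiceworks.com
2018-10-31 14:54:54.936194500 status: local 0/40 remote 1/60
2018-10-31 14:54:55.383160500 delivery 137872: deferral: 167.89.118.48_does_not_like_recipient./Remote_host_said:_454_4.7.1_<help@swincapsula.on.spiceworks.com>:_Relay_access_denied/Giving_up_on_167.89.118.48./
"""

START = re.compile(r"starting delivery (\d+): msg \d+ to remote (\S+)")
RESULT = re.compile(r"delivery (\d+): (success|deferral|failure): (\S*)")
HOST = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})_")
CODE = re.compile(r"Remote_host_said:_(\d{3})_")
ADDR = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")


def find_recipient_mismatches(log_text):
    """Pair each 'starting delivery' line with its result line and return the
    deliveries whose quoted SMTP reply names a different recipient address."""
    pending = {}   # delivery id -> recipient logged when the delivery started
    findings = []
    for line in log_text.splitlines():
        m = START.search(line)
        if m:
            pending[m.group(1)] = m.group(2).lower()
            continue
        m = RESULT.search(line)
        if not m or m.group(1) not in pending:
            continue
        intended = pending.pop(m.group(1))
        detail = m.group(3)
        # Addresses the remote server quoted back in its reply text.
        named = sorted({a.lower() for a in ADDR.findall(detail)})
        if named and intended not in named:
            host, code = HOST.search(detail), CODE.search(detail)
            findings.append({
                "delivery": m.group(1),
                "status": m.group(2),
                "remote_host": host.group(1) if host else None,
                "smtp_code": code.group(1) if code else None,
                "intended": intended,
                "in_remote_reply": named,
            })
    return findings


if __name__ == "__main__":
    for finding in find_recipient_mismatches(SAMPLE_LOG):
        print(finding)
```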


Offline ReetP

Re: Cname Expansion Issues
« Reply #11 on: November 01, 2018, 11:33:18 PM »
And so sayeth The Oracle :-)

Nice one Charlie. Glad my gut feeling was right... you have taught me well my Jedi friend ;-)

Note to the OP. If Charlie says so, believe me, he is right....


Offline CharlieBrady

Re: Cname Expansion Issues
« Reply #12 on: November 02, 2018, 09:53:07 PM »
Quote
If Charlie says so, believe me, he is right....

Except when I am not. We are all fallible. Thanks for the kudos though...

Offline Warbird30

Re: Cname Expansion Issues
« Reply #13 on: November 04, 2018, 05:31:38 AM »
Quote
To help us to help you, we will need more information.

- what is the domain name of the sme server
- what is the domain that should be handled by spiceworks
- did it work in the past?
- what is 167.89.118.48?
- have you done any upgrade of SME around the time it stopped working.

- is the help desk mail hosted on a SME?


- Domain is: knox.net
- Domain that should be handled by spiceworks: plomvakc.on.spiceworks.com
- Yes, it worked up to Oct 3, 2018
- 167.89.118.48 is SENDGRID-167-89-0-0-17  https://www.ultratools.com/tools/ipWhoisLookupResult
- Upgrades to the server occurred Oct 11, 2018 (Issue began Oct 3, 2018)
- Help desk mail is hosted on spiceworks cloud

Offline Warbird30

Re: Cname Expansion Issues
« Reply #14 on: November 04, 2018, 05:35:40 AM »
Quote
Your server tried to inject a message to help@plomvakc.on.spiceworks.com which their server rejected as "relay access denied". So their server, 167.89.118.48, AKA mx.sendgrid.net, is not configured to accept mail for plomvakc.on.spiceworks.com. That's problem one. The second is that their mail server has rewritten the envelope to address help@swincapsula.on.spiceworks.com which is included in the rejection message. We can't tell from the outside whether their mail server rewrote the address before checking local delivery domains or after.

In both cases, it is their problem. SME server looked up the MX record for plomvakc.on.spiceworks.com, got mx.sendgrid.net, looked up the IP address of mx.sendgrid.net, connected to the mail server, and tried to deliver the message.

FWIW, they seem to have fixed the problem now:

-bash-3.00$ telnet mx.sendgrid.net 25
Trying 167.89.118.48...
Connected to mx.sendgrid.net.
Escape character is '^]'.
220 mx0036p1las1.sendgrid.net ESMTP Postfix
ehlo charliebrady.org
250-mx0036p1las1.sendgrid.net
250-PIPELINING
250-SIZE 204800000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <charlieb@charliebrady.org>
250 2.1.0 Ok
rcpt to: <help@plomvakc.on.spiceworks.com>
250 2.1.5 Ok


We appreciate everyone's help and while it looks like the issue is resolved with your test, we are still getting the same errors on server when someone replies from our sme server to help@plomvakc.on.spiceworks.com. 

I will pass along your words of wisdom to them and see if they reply.

Offline Warbird30

Re: Cname Expansion Issues
« Reply #15 on: November 15, 2018, 01:12:13 AM »
We haven't been able to directly resolve the issue, but we found a workaround using gmail forwarding.  Here is what spiceworks had to say after sending them Charlie's words of wisdom.


The plomvakc.on.spiceworks.com address is working as I am able to email directly to it from my own email account. The main problem is that the email address is being rewritten. When it rewrites the email then goes to an address that is just used for pointing to the MX record rather than being an active email address.

Unfortunately, this isn't something on our end but rather the sending email itself. There isn't really anything else we can do on this side beyond saying the system shouldn't be rewriting the address as it comes in. That is a function of some email systems with CName expansion which is why we mention it needs to be turned off.

Offline ReetP

Re: Cname Expansion Issues
« Reply #16 on: November 15, 2018, 01:35:32 AM »
You really need to go back and read and understand Charlie's response.

He is a world class expert on this mail system (I think he probably helped write at least some of it) - which is more than can probably be said for the people at Spiceworks.

Your server is doing exactly what it is meant to and is replying as instructed by THEIR setup.

Charlie may add to this thread, but I am pretty sure he'll echo something similar.

Quote
The plomvakc.on.spiceworks.com address is working as I am able to email directly to it from my own email account.

This is nonsense and means nothing - it is comparing apples and pears

Quote
The main problem is that the email address is being rewritten. When it rewrites the email then goes to an address that is just used for pointing to the MX record rather than being an active email address.

It is not rewriting. Just replying correctly, as it is meant to do by published RFCs. If they publish the wrong information it isn't your mail server's fault.

Quote
Unfortunately, this isn't something on our end but rather the sending email itself. There isn't really anything else we can do on this side beyond saying the system shouldn't be rewriting the address as it comes in. That is a function of some email systems with CName expansion which is why we mention it needs to be turned off.

AFAIAA your server isn't doing CNAME expansion...... nor is it rewriting. This comment just means they can't be arsed to try and fix their own mess.

I know it doesn't necessarily help you, and this is always the problem when you are up against a large company. They just can't be bothered to change, or don't know who to contact in their organisation to get it fixed so just lob the issue back at you.

I am not sure exactly how you CAN bodge your mail server to try and conform to their messy systems, and personally even if I knew it would be unprofessional to suggest it.

You really need to go back to them armed with the right information from here and tell them where they are wrong. It might do you some good to go and read up on some of the whys and wherefores of DNS, MX records etc so you fully understand what is going on, and why they are wrong. Charlie may be able to give you some pointers on how to do that, but reading yourself will help.