Lifecycle of an Email
The care and feeding of electronic communications in their natural habitat
Lifecycle of an Email
The cast of characters
Finding the trail
Red herrings
The Cast of Characters
Sending mail client
SMTP Server
MX Server
POP3 / IMAP Server
Receiving mail client
Supporting Cast
DNS sanity-checking
MTA-level blocklists
DCC
ClamAV
LDS
SpamAssassin
Graymail
The General Case
Sonic.net to Sonic.net
mail.sonic.net
Ports 25, 465, and 587
SMTP Authentication
Secure Password Authentication
STARTTLS
SSMTP
mail.sonic.net
Possible causes for rejection
Unauthenticated relay
Known-bad sender address
Known-bad recipient domain
DCC Match
Very poor SMTP behavior
mail.sonic.net
Logs: /sonic-logs/mail/maillog.mail
Jun 18 08:00:37 b.mail.sonic.net sm-mta[8695]: l5IF0b2n008695: from=<[email protected]>, size=2565, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=fw.office.sonic.net [209.204.177.119]
Jun 18 08:00:38 b.mail.sonic.net sm-mta[8702]: l5IF0b2n008695: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=122565, relay=mailin-01.mx.sonic.net. [208.201.249.228], dsn=2.0.0, stat=Sent (l5IF0cgx029469 Message accepted for delivery)
mx.sonic.net
Port 25
Over 2000 messages / minute average
Domain aliases handled here
mx.sonic.net
Possible causes for rejection
Known-bad recipient
Off-site relay
MTA-level blocklist
ClamAV
DCC
DNS scrutiny
Very poor SMTP behavior
mx.sonic.net
Logs: /sonic-logs/mail/maillog.mx
Jun 18 08:00:38 e.mx.sonic.net sm-mta[29469]: l5IF0cgx029469: from=<[email protected]>, size=2783, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=b.mail.sonic.net [64.142.19.5]
Jun 18 08:00:38 e.mx.sonic.net sm-mta[29469]: l5IF0cgx029469: Milter add: header: X-Sonic-SB-IP-RBLs: IP RBLs .
Jun 18 08:00:38 e.mx.sonic.net sm-mta[29474]: l5IF0cgx029469: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=122783, relay=lds.sonic.net. [208.201.249.231], dsn=2.0.0, stat=Sent (l5IF0c9N010294 Message accepted for delivery)
lds.sonic.net
Local Delivery System
.forward happens here
SpamAssassin happens here
Procmail happens here
lds.sonic.net
Possible causes for rejection
Just about everything on the last slide
Few proper bounces from lds
lds.sonic.net
Logs: /sonic-logs/maillog.lds
Jun 18 08:00:38 eth0.a.lds.sonic.net sm-mta[10294]: l5IF0c9N010294: from=<[email protected]>, size=3013, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=e.mx.sonic.net [208.201.249.228]
Jun 18 08:00:38 eth0.a.lds.sonic.net sm-mta[10295]: l5IF0c9N010294: [email protected], delay=00:00:00, xdelay=00:00:00, mailer=local, pri=153220, dsn=2.0.0, stat=Sent
Jun 18 08:00:39 eth0.a.lds.sonic.net sm-mta[10295]: l5IF0c9N010294: [email protected], delay=00:00:01, xdelay=00:00:01, mailer=local, pri=153220, dsn=2.0.0, stat=Sent
Jun 18 08:00:43 eth0.a.lds.sonic.net sm-mta[10295]: l5IF0c9N010294: [email protected], delay=00:00:05, xdelay=00:00:04, mailer=local, pri=153220, dsn=2.0.0, stat=Sent
Jun 18 08:00:43 eth0.a.lds.sonic.net sm-mta[10295]: l5IF0c9N010294: to=: [email protected],[email protected], delay=00:00:05, xdelay=00:00:00, mailer=esmtp, pri=153220, relay=mailin-02.mx.sonic.net. [209.204.159.4], dsn=2.0.0, stat=Sent (l5IF0hA6023556 Message accepted for delivery)
lds.sonic.net
When SpamAssassin works:
Jun 18 14:12:45 eth0.b.lds.sonic.net sm-mta[32736]: l5ILCj5U032736: from=<[email protected]>, size=3520, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=g.mx.sonic.net [64.142.100.90]
Jun 18 14:12:47 eth0.a.lds.sonic.net graymail: jdf sent <[email protected]> "Delois Sarah" <[email protected]> to graymail
spam.sonic.net
Logs: /sonic-logs/mail/maillog.spam
Jun 18 14:12:42 eth0.d.spam.sonic.net spamd[2017]: spamd: processing message <[email protected]> for jdf:99
Jun 18 14:12:47 eth0.d.spam.sonic.net spamd[2017]: spamd: result: Y 5 - DKIM_POLICY_SIGNSOME,HTML_MESSAGE,MIME_HTML_ONLY,MONEY_BACK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RDNS_NONE scantime=5.0,size=3759,user=jdf,uid=99,required_score=5.0,rhost=eth0.a.lds.sonic.net,raddr=208.201.249.231,rport=44935,mid=<[email protected]>,autolearn=disabled
pop.sonic.net
Ports 110 & 995
Around 500 messages / minute
Where did it go?
MTA-level
Blocklists
SpamAssassin
pop.sonic.net
Logs: /sonic-logs/mail/popper
Jun 18 08:01:12 c.pop.sonic.net pop3d: LOGIN, user=jdf, ip=[::ffff:209.204.177.119]
Jun 18 08:01:12 c.pop.sonic.net pop3d: LOGIN, dir=/var/spool/mail/03/27/jdf
Jun 18 08:01:13 c.pop.sonic.net pop3d: LOGOUT, user=jdf, ip=[::ffff:209.204.177.119], top=0, retr=6786
Jun 18 08:01:13 c.pop.sonic.net pop3d: jdf 209.204.177.119 0.638754 276(Y) 2 (6786), 276 (1490804)
Red Herrings
Not all mail goes through mx
Not all activity on lds is logged
Some “missing” mail isn’t
Blocklists
Aliases
Forwards
Graymail
MUA-level sorting
Finding the Trail
Headers show most of the story
Finding the Trail
A little different after Graymail
Lifecycle of an Email
/sonic-logs/mail/maillog.mail
Jun 14 21:54:28 b.mail.sonic.net sm-mta[25018]: l5F4sSsY025018: from=<[email protected]>, size=446, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=fw.office.sonic.net [209.204.177.119]
Jun 14 21:54:28 b.mail.sonic.net sm-mta[25025]: l5F4sSsY025018: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=120446, relay=mailin-02.mx.sonic.net. [209.204.159.4], dsn=2.0.0, stat=Sent (l5F4sS8F011121 Message accepted for delivery)
/sonic-logs/mail/maillog.mx
Jun 14 21:54:28 b.mx.sonic.net sm-mta[11121]: l5F4sS8F011121: from=<[email protected]>, size=643, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=b.mail.sonic.net [64.142.19.5]
Jun 14 21:54:28 b.mx.sonic.net sm-mta[11129]: l5F4sS8F011121: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=120643, relay=lds.sonic.net. [208.201.249.231], dsn=2.0.0, stat=Sent (l5F4sSju023934 Message accepted for delivery)
/sonic-logs/mail/maillog.lds
Jun 14 21:54:28 eth0.a.lds.sonic.net sm-mta[23934]: l5F4sSju023934: from=<[email protected]>, size=842, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=b.mx.sonic.net [209.204.159.4]
Jun 14 21:54:30 eth0.a.lds.sonic.net sm-mta[23945]: l5F4sSju023934: to=<[email protected]>, delay=00:00:02, xdelay=00:00:02, mailer=local, pri=31052, dsn=2.0.0, stat=Sent
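The trail through the three logs above can be followed mechanically: each "stat=Sent (... Message accepted for delivery)" names the queue ID the next server assigned. The following is an added example, not part of the original slides, that does this in Python. Its sample lines reuse the slides' hosts and queue IDs in abbreviated form; the addresses, Message-IDs and the second (lost) message are constructed placeholders.

```python
import re

# Constructed sample: abbreviated sm-mta lines modelled on the slides' last trace.
# Addresses, Message-IDs and the whole second message (l5F5...) are placeholders.
SAMPLE = """\
Jun 14 21:54:28 b.mail.sonic.net sm-mta[25018]: l5F4sSsY025018: from=<a@example.com>, msgid=<m1@example.com>, relay=fw.office.sonic.net
Jun 14 21:54:28 b.mail.sonic.net sm-mta[25025]: l5F4sSsY025018: to=<b@example.com>, mailer=esmtp, dsn=2.0.0, stat=Sent (l5F4sS8F011121 Message accepted for delivery)
Jun 14 21:54:28 b.mx.sonic.net sm-mta[11121]: l5F4sS8F011121: from=<a@example.com>, msgid=<m1@example.com>, relay=b.mail.sonic.net
Jun 14 21:54:28 b.mx.sonic.net sm-mta[11129]: l5F4sS8F011121: to=<b@example.com>, mailer=esmtp, dsn=2.0.0, stat=Sent (l5F4sSju023934 Message accepted for delivery)
Jun 14 21:54:28 eth0.a.lds.sonic.net sm-mta[23934]: l5F4sSju023934: from=<a@example.com>, msgid=<m1@example.com>, relay=b.mx.sonic.net
Jun 14 21:54:30 eth0.a.lds.sonic.net sm-mta[23945]: l5F4sSju023934: to=<b@example.com>, mailer=local, dsn=2.0.0, stat=Sent
Jun 14 22:10:02 b.mail.sonic.net sm-mta[26001]: l5F5aaaa000001: from=<a@example.com>, msgid=<m2@example.com>, relay=fw.office.sonic.net
Jun 14 22:10:02 b.mail.sonic.net sm-mta[26002]: l5F5aaaa000001: to=<c@example.com>, mailer=esmtp, dsn=2.0.0, stat=Sent (l5F5bbbb000002 Message accepted for delivery)
"""

LINE = re.compile(r"\S+ +\d+ [\d:]+ (\S+) sm-mta\[\d+\]: (\w+): (.*)")
HANDOFF = re.compile(r"stat=Sent \((\w+) Message accepted for delivery\)")

def field(detail, name):
    m = re.search(r"\b%s=([^,]+)" % name, detail)
    return m.group(1) if m else None

def trace(log_text, msgid):
    """Follow one Message-ID hop by hop through concatenated maillogs."""
    events, handed = {}, set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            host, qid, detail = m.groups()
            events.setdefault(qid, []).append((host, detail))
            handed.update(HANDOFF.findall(detail))
    # First hop: a queue ID with this Message-ID that no earlier hop handed off.
    qid = next((q for q, ev in events.items() if q not in handed
                and any(field(d, "msgid") == msgid for _, d in ev)), None)
    hops, seen = [], set()
    while qid and qid not in seen:
        seen.add(qid)
        ev = events.get(qid)
        if not ev:  # previous hop reports acceptance, but this hop logged nothing
            hops.append((None, qid, None, "no log entry"))
            break
        tos = [d for _, d in ev if d.startswith("to=")]
        for d in tos or [""]:
            hops.append((ev[0][0], qid, field(d, "mailer"),
                         field(d, "stat") or "no delivery logged"))
        nxt = [h for d in tos for h in HANDOFF.findall(d)]
        qid = nxt[0] if nxt else None  # single chain only; .forward fan-out not followed
    return hops
```

A trace that ends in a `mailer=local` hop with `stat=Sent` reached the mailbox; one that ends in "no log entry" is where to start looking at the red herrings listed earlier.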
Lifecycle of an Email