Email Send Error Research
-
@wrcombs said in Email Send Error Research:
@pete-s said in Email Send Error Research:
@wrcombs said in Email Send error;:
@dashrender said in Email Send error;:
@wrcombs Post the entire header - look it over for any private information and XXXX that out...
You have three
Received:sections.The bottom one is the first one that happened. That's the sender connecting to something. You can see the ISP he's using, his local IP usually and what SMTP server he connects to.
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)
The middle one is the next. The mail is now sent from something to mx.google.com. That's a google mail server.
Received: fromXXXX.XXXXXX.com (XXXXXXXXXX [XXX.XXX.XXX.XXX]) by mx.google.com with ESMTPS id h18si1327216otk.177.2021.06.09.15.47.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jun 2021 15:47:06 -0700 (PDT)
The top one is the last transfer. There's missing "from" but judging from the IPv6 address this is likely internal google mail server to google mail server.
Received: by 2002:a05:6830:319b:0:0:0:0 with SMTP id p27csp165790ots; Wed, 9 Jun 2021 15:47:06 -0700 (PDT)
You can also get information from the
Received-SPF:section.Received-SPF: pass (google.com: domain of XXXXXXXXXX designates XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;It's google mail server telling you that the domain XXXXXXXXXX says that XXX.XXX.XXX.XXX is allowed to send emails.
But it doesn't tell me which Email server they're using on Outlook.. I thought that was the question
Yes, it does:
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)by XXXX.XXXXXX.com (Postfix)That's the SMTP server they connect to. It's running Postfix software.
They have mobile.uscc.net as ISP. -
@pete-s said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
@pete-s said in Email Send Error Research:
@wrcombs said in Email Send error;:
@dashrender said in Email Send error;:
@wrcombs Post the entire header - look it over for any private information and XXXX that out...
You have three
Received:sections.The bottom one is the first one that happened. That's the sender connecting to something. You can see the ISP he's using, his local IP usually and what SMTP server he connects to.
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)
The middle one is the next. The mail is now sent from something to mx.google.com. That's a google mail server.
Received: fromXXXX.XXXXXX.com (XXXXXXXXXX [XXX.XXX.XXX.XXX]) by mx.google.com with ESMTPS id h18si1327216otk.177.2021.06.09.15.47.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jun 2021 15:47:06 -0700 (PDT)
The top one is the last transfer. There's missing "from" but judging from the IPv6 address this is likely internal google mail server to google mail server.
Received: by 2002:a05:6830:319b:0:0:0:0 with SMTP id p27csp165790ots; Wed, 9 Jun 2021 15:47:06 -0700 (PDT)
You can also get information from the
Received-SPF:section.Received-SPF: pass (google.com: domain of XXXXXXXXXX designates XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;It's google mail server telling you that the domain XXXXXXXXXX says that XXX.XXX.XXX.XXX is allowed to send emails.
But it doesn't tell me which Email server they're using on Outlook.. I thought that was the question
Yes, it does:
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)by XXXX.XXXXXX.com (Postfix)That's the SMTP server they connect to. It's running Postfix software.
They have mobile.uscc.net as ISP.Ah, missed that.
SO they're running Postfix as a mail server?
-
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
-
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
-
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
No, they are not. Their mail provider is running Postfix.
Their provider is their ISP.
-
@wrcombs said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
No. They user is running outlook.
They are connecting to their
ISP’sdomain email server, likely "free email" with domain purchase bullshit, which is running postfixOutlook connects to this type of server with SMTP
-
@wrcombs said in Email Send Error Research:
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by XXXX.XXXXXX.com (Postfix) with ESMTPSA id 80B013EC2E; Wed, 9 Jun 2021 22:47:05 +0000 (UTC)Let's break this down. This is the one that concerns you.
The mail hit the email system from this IP address
Received: from localhost XXX-XX-XXX-XXXX.mobile.uscc.net [XXX.XXX.XXX.XXX])The email was TLS encrypted
(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))The mail was recevied by this server running postfix.
by XXXX.XXXXXX.com (Postfix)We can assume that this is showing his domain since you redacted it.
Because it is his domain, this is likely shit "free email" from a cpanel webhost.
Finally, this tell us that he authenticates to send SMTP to his host.
with ESMTPSA -
@jaredbusch Good information to know.. Thank you.
-
@wrcombs said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
Outlook is an email client. It runs on your desktop. It's not a server or anything like that. Nothing runs "on it."
-
Now that we know all of that, you can make some assumptions about the connection in Outlook.
SMTP can use any port.
Port 25 is the original, standard, unauthenticated port. But also blocked on most end user connections.Typcially CPanel hosts use the standardized port 587 for inbound TLS connections.
So his Outlook is most likely configured to point to
mail.domain.com:587or simplydomain.com:587to send SMTP.Adding in authentication means it is sent with a username and password. Username is typically the full email address.
-
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
Outlook is an email client. It runs on your desktop. It's not a server or anything like that. Nothing runs "on it."
This entire discussion is about Outlook.
-
@jaredbusch said in Email Send Error Research:
Now that we know all of that, you can make some assumptions about the connection in Outlook.
SMTP can use any port.
Port 25 is the original, standard, unauthenticated port. But also blocked on most end user connections.Typcially CPanel hosts use the standardized port 587 for inbound TLS connections.
So his Outlook is most likely configured to point to
mail.domain.com:587or simplydomain.com:587to send SMTP.Adding in authentication means it is sent with a username and password. Username is typically the full email address.
So would it likely to assume that Username and password are incorrect ?
not going to pretend here, I'm very much lost and confused.
-
@jaredbusch said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
SO they're running Postfix as a mail server?
Yes, which most people do. Postfix powers the vast majority of non-Exchange email. It's the big leader.
Okay great ..
@JaredBusch They're running Postfix mail Server on outlook.
Outlook is an email client. It runs on your desktop. It's not a server or anything like that. Nothing runs "on it."
This entire discussion is about Outlook.
I know, about what Outlook is talking to. Postfix (nor any other email server) does not run on Outlook.
-
@wrcombs said in Email Send Error Research:
We have a customer who is using a host firewall
FYI, it is an assumption that every computer has a host firewall. While some crazy people turn it off, it's not a special case.
By default, host firewalls (and regular firewalls) don't block outbound traffic.
-
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
We have a customer who is using a host firewall
FYI, it is an assumption that every computer has a host firewall. While some crazy people turn it off, it's not a special case.
By default, host firewalls (and regular firewalls) don't block outbound traffic.
what I mean by "hosted firewall" is we have our vendor's security team manage the firewall on the network. . .
meaning that we do not have access to it other than to the physical box it's self. -
@wrcombs said in Email Send Error Research:
I've never touched email outside of being a user.
That's all that is likely going on here, user side settings are probably wrong. We don't have enough details to know for sure, but most likely that is all that this is. This isn't an email admin or admin thing at all, we suspect, just an MS Office configuration.
You should play with some email systems as an end user to see how they interact. Using Thunderbird and Outlook will give you a lot of exposure. Connect them to a couple different systems like O365 and Gmail and a more basic service to see what end users experience and how all of the configuration is for the end user.
Would also be recommended to run your own email server. That'll teach you a lot really quickly.
-
@wrcombs said in Email Send Error Research:
So would it likely to assume that Username and password are incorrect ?
If the computer receives email, then the username and password were likely correct. Outlook's account setup wizard will only ask for the information one time by default.
If this system has never been able to send email, what is likely incorrect is the email server configuration details.
If it once sent email, then mostlikely Outlook had a connection problem once and popped up the credentials box, then the user put in the wrong info.
-
@wrcombs said in Email Send Error Research:
@scottalanmiller said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
We have a customer who is using a host firewall
FYI, it is an assumption that every computer has a host firewall. While some crazy people turn it off, it's not a special case.
By default, host firewalls (and regular firewalls) don't block outbound traffic.
what I mean by "hosted firewall" is we have our vendor's security team manage the firewall on the network. . .
meaning that we do not have access to it other than to the physical box it's self.Oh, a "host firewall" and a "hosted firewall" are totally different things. However you don't have either in this case, you have a "managed firewall."
A hosted firewall lives elsewhere, at someone else's datacenter. Because that's the "hosted" part of it. Hosted firewalls are pretty useless in general, you have to VPN to them from behind your own firewall and it's just a lot of latency.
Managed firewalls are standard, we manage firewalls for every customer. You can test email like any other connection to see that the firewall is or isn't a problem. Just use your telnet as it is a TCP connection and that will tell you what is going on.
-
@jaredbusch said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
So would it likely to assume that Username and password are incorrect ?
If the computer receives email, then the username and password were likely correct. Outlook's account setup wizard will only ask for the information one time by default.
Customer claims everything worked up unitl Feb. 18th (just heard this today..) then it stopped working
-
@wrcombs said in Email Send Error Research:
@jaredbusch said in Email Send Error Research:
@wrcombs said in Email Send Error Research:
So would it likely to assume that Username and password are incorrect ?
If the computer receives email, then the username and password were likely correct. Outlook's account setup wizard will only ask for the information one time by default.
Customer claims everything worked up unitl Feb. 18th (just heard this today..) then it stopped working
you mentioned three locations before - is this person using a laptop and traveling between these locations?
You also mentioned that it worked at the other locations just not at this one location - is that still accurate?
