gmail is bouncing our bounce reports #650

Open
jfly opened this issue Apr 21, 2025 · 1 comment

jfly commented Apr 21, 2025

While debugging #649, I ran into the following:

(Note: email addresses have been scrambled, but the intent should be clear.)

  • Send an email from [email protected] to [email protected]
  • nixos.org is configured to forward test-list@ to [email protected], where jfly.example.com is managed by final-mailserver.example.com, which I control. I intentionally configured that mailserver to bounce emails from nixos.org
  • nixos.org's mailserver sees the bounce from the final mailserver, and then tries to send a bounce to jfly@gmail. That bounce is rejected by gmail.

Here's what we see on umbriel:

Apr 21 20:40:10 umbriel postfix/smtp[259316]: 5A720658C: to=<[email protected]>, orig_to=<[email protected]>, relay=final-mailserver.example.com[MAILSERVER_IP]:25, delay=3.3, delays=0.47/0/2.5/0.36, dsn=5.7.1, status=bounced (host final-mailserver.example.com[MAILSERVER_IP] said: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied (in reply to RCPT TO command))
Apr 21 20:40:10 umbriel postfix/cleanup[259328]: B6942658D: message-id=<[email protected]>
Apr 21 20:40:10 umbriel postfix/bounce[259332]: 5A720658C: sender non-delivery notification: B6942658D
Apr 21 20:40:10 umbriel postfix/qmgr[258926]: B6942658D: from=<>, size=6759, nrcpt=1 (queue active)
Apr 21 20:40:10 umbriel postfix/qmgr[258926]: 5A720658C: removed
Apr 21 20:40:10 umbriel postfix/smtp[259316]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
Apr 21 20:40:11 umbriel postfix/smtp[259316]: B6942658D: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a]:25, delay=0.46, delays=0/0/0.19/0.27, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26  550-5.7.26  Authentication results: 550-5.7.26  DKIM = did not pass 550-5.7.26  SPF [] with ip: [2a01:4f9:c011:8fb5::1] = did not pass 550-5.7.26  550-5.7.26  For instructions on setting up authentication, go to 550 5.7.26  https://support.google.com/mail/answer/81126#authentication 38308e7fff4ca-31090755b70si32094831fa.41 - gsmtp (in reply to end of DATA command))
Apr 21 20:40:11 umbriel postfix/qmgr[258926]: B6942658D: removed

We see the bounce when umbriel tries to forward to [email protected]:

Apr 21 20:40:10 umbriel postfix/smtp[259316]: 5A720658C: to=<[email protected]>, orig_to=<[email protected]>, relay=final-mailserver.example.com[MAILSERVER_IP]:25, delay=3.3, delays=0.47/0/2.5/0.36, dsn=5.7.1, status=bounced (host final-mailserver.example.com[MAILSERVER_IP] said: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied (in reply to RCPT TO command))

And then we see another bounce when umbriel tries to notify the sender ([email protected]) of the bounce:

Apr 21 20:40:11 umbriel postfix/smtp[259316]: B6942658D: to=<[email protected]>, orig_to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a]:25, delay=0.46, delays=0/0/0.19/0.27, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c0d::1a] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26  550-5.7.26  Authentication results: 550-5.7.26  DKIM = did not pass 550-5.7.26  SPF [] with ip: [2a01:4f9:c011:8fb5::1] = did not pass 550-5.7.26  550-5.7.26  For instructions on setting up authentication, go to 550 5.7.26  https://support.google.com/mail/answer/81126#authentication 38308e7fff4ca-31090755b70si32094831fa.41 - gsmtp (in reply to end of DATA command))

jfly commented May 1, 2025

We discussed this briefly at today's infra team meeting. @mweinelt is interested in creating an email and testing this out.
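
A way to spot this failure mode in Postfix logs, as an added example that is not part of the issue thread or the project's code: it links each bounce notification (null sender, `from=<>`) back to the message it reports on and lists the notifications that were themselves rejected. The log lines, hostnames and queue IDs below are constructed, and the parser assumes the syslog line format shown in the quoted log above.

```python
import re

# Constructed sample lines, modelled on the Postfix log format quoted in the issue.
SAMPLE_LOG = """\
Apr 21 20:40:10 mx postfix/smtp[101]: AAAA1111: to=<user@dest.example>, relay=mx.dest.example[192.0.2.10]:25, dsn=5.7.1, status=bounced (host mx.dest.example said: 554 5.7.1 Access denied)
Apr 21 20:40:10 mx postfix/bounce[102]: AAAA1111: sender non-delivery notification: BBBB2222
Apr 21 20:40:10 mx postfix/qmgr[100]: BBBB2222: from=<>, size=6759, nrcpt=1 (queue active)
Apr 21 20:40:11 mx postfix/smtp[101]: BBBB2222: to=<sender@mail.example>, relay=mx.mail.example[192.0.2.20]:25, dsn=5.7.26, status=bounced (host mx.mail.example said: 550-5.7.26 sender is unauthenticated)
Apr 21 20:41:00 mx postfix/smtp[101]: CCCC3333: to=<ok@dest.example>, relay=mx.dest.example[192.0.2.10]:25, dsn=2.0.0, status=sent (250 ok)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)$")
NDN = re.compile(r"sender non-delivery notification: ([0-9A-Za-z]+)")
DELIVERY = re.compile(r"to=<([^>]*)>.*?relay=([^\s,\[]+).*?dsn=([\d.]+), status=(\w+)")

def find_rejected_dsns(log_text):
    """Return bounce notifications (null sender) that were themselves rejected."""
    parent = {}          # notification queue id -> queue id of the reported message
    null_sender = set()  # queue ids queued with from=<>
    failed = {}          # queue id -> details of a delivery attempt that bounced
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. TLS session lines, which carry no queue id
        daemon, qid, rest = m.groups()
        if daemon == "bounce" and (n := NDN.search(rest)):
            parent[n.group(1)] = qid
        elif daemon == "qmgr" and rest.startswith("from=<>"):
            null_sender.add(qid)
        elif daemon == "smtp" and (d := DELIVERY.search(rest)):
            rcpt, relay, dsn, status = d.groups()
            if status == "bounced":
                failed[qid] = {"rcpt": rcpt, "relay": relay, "dsn": dsn}
    return [
        {"dsn_qid": qid, "original_qid": parent[qid], **failed[qid],
         # 5.7.26 is the status code in the Gmail rejection quoted in the issue
         "auth_failure": failed[qid]["dsn"] == "5.7.26"}
        for qid in failed if qid in parent and qid in null_sender
    ]

if __name__ == "__main__":
    for hit in find_rejected_dsns(SAMPLE_LOG):
        print(hit)
```
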
