XFORWARD warning after Update from 4.6.2 to 4.11

Hello,

we have made the first catch-up-the-release step from stable working
Ciphermail 4.6.2 to the latest 4.x version 4.11. After that all looks
well but we get the following warning all the time:

WARN XFORWARD error code: 550
(org.apache.james.transport.mailets.RemoteDelivery) [Remote delivery
thread (0)]

The only thing we have found in the release notes which might be
related is from version 4.9.1:

"X-Forward-For header is now by default removed unless the IP address
comes from a trusted proxy (see /etc/httpd/conf.d/x-forward-for.xml)
[PRO/ENT]."

Any idea what Ciphermail actually is complaining about?

Thanks

Andreas

The most likely reason for this error is that Postfix does not allow
the XFORWARD for command from the back-end to postfix.

Check whether postfix main config contains the following line:

smtpd_authorized_xforward_hosts = 127.0.0.1/32

See https://www.postfix.org/postconf.5.html for more information on smt
pd_authorized_xforward_hosts

Kind regards,

Martijn Brinkers

···

On Thu, 2022-04-28 at 14:55 +0000, Andi via Users wrote:

Hello,

we have made the first catch-up-the-release step from stable
working
Ciphermail 4.6.2 to the latest 4.x version 4.11. After that all
looks
well but we get the following warning all the time:

WARN XFORWARD error code: 550
(org.apache.james.transport.mailets.RemoteDelivery) [Remote
delivery
thread (0)]

The only thing we have found in the release notes which might be
related is from version 4.9.1:

"X-Forward-For header is now by default removed unless the IP
address
comes from a trusted proxy (see /etc/httpd/conf.d/x-forward-
for.xml)
[PRO/ENT]."

Any idea what Ciphermail actually is complaining about?

--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger

Zitat von Martijn Brinkers <martijn(a)ciphermail.com>:

Hello,

we have made the first catch-up-the-release step from stable
working
Ciphermail 4.6.2 to the latest 4.x version 4.11. After that all
looks
well but we get the following warning all the time:

WARN XFORWARD error code: 550
(org.apache.james.transport.mailets.RemoteDelivery) [Remote
delivery
thread (0)]

The only thing we have found in the release notes which might be
related is from version 4.9.1:

"X-Forward-For header is now by default removed unless the IP
address
comes from a trusted proxy (see /etc/httpd/conf.d/x-forward-
for.xml)
[PRO/ENT]."

Any idea what Ciphermail actually is complaining about?

The most likely reason for this error is that Postfix does not allow
the XFORWARD for command from the back-end to postfix.

Check whether postfix main config contains the following line:

smtpd_authorized_xforward_hosts = 127.0.0.1/32

See https://www.postfix.org/postconf.5.html for more information on smt
pd_authorized_xforward_hosts

Kind regards,

Martijn Brinkers

Hm, ok

we have a custom forward from ciphermail to AV-Scanner. It could be
the problem that the SMTP engine for this product does not support
XFORWARD at all. I will check it.
Do we have a possibility to not use XFORWARD from ciphermail side?

Regards

Andreas

···

On Thu, 2022-04-28 at 14:55 +0000, Andi via Users wrote:

You can try to (XML) comment the following line in the file config.xml
(I haven't tested it though):

<xForward> true </xForward>

Then restart the back-end.

Please note that this might be overwritten on an update

Alternatively you might try to configure the postfix reinjection port
to forward the email to the AV-scanner after the back-end sent the mail
back to postfix.

Kind regards,

Martijn Brinkers

···

On Thu, 2022-04-28 at 15:09 +0000, Andi via Users wrote:

Zitat von Martijn Brinkers <martijn(a)ciphermail.com>:

> On Thu, 2022-04-28 at 14:55 +0000, Andi via Users wrote:
> > Hello,
> >
> > we have made the first catch-up-the-release step from stable
> > working
> > Ciphermail 4.6.2 to the latest 4.x version 4.11. After that all
> > looks
> > well but we get the following warning all the time:
> >
> > WARN XFORWARD error code: 550
> > (org.apache.james.transport.mailets.RemoteDelivery) [Remote
> > delivery
> > thread (0)]
> >
> > The only thing we have found in the release notes which might be
> > related is from version 4.9.1:
> >
> > "X-Forward-For header is now by default removed unless the IP
> > address
> > comes from a trusted proxy (see /etc/httpd/conf.d/x-forward-
> > for.xml)
> > [PRO/ENT]."
> >
> > Any idea what Ciphermail actually is complaining about?
>
> The most likely reason for this error is that Postfix does not
> allow
> the XFORWARD for command from the back-end to postfix.
>
> Check whether postfix main config contains the following line:
>
> smtpd_authorized_xforward_hosts = 127.0.0.1/32
>
> See https://www.postfix.org/postconf.5.html for more information on
> smt
> pd_authorized_xforward_hosts
>
>
> Kind regards,
>
> Martijn Brinkers

Hm, ok

we have a custom forward from ciphermail to AV-Scanner. It could be
the problem that the SMTP engine for this product does not support
XFORWARD at all. I will check it.
Do we have a possibility to not use XFORWARD from ciphermail side?

--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger