This is going to be an unusual post, since it’s going to be almost completely devoid of facts and filled with various paragraphs of me ranting about the behaviour of Apple Mail.
I’m in a position that is quite typical for most people working in IT - friends and family come to me when they need help with their computer-related issues. Eventually I got so fed up with fighting various freemailers (looking at you, GMX) that I ended up offering to host e-mail for a couple of people.
Contrary to what most people, including me, believe, this went smooth, far smoother than I anticipated. Par the occasional password reset I have not had any complaints about delivery issues up until now. My system isn’t overly complex, but it follows a few simple rules.
- Don’t be on any blacklists. I am lucky enough that my server resides in an IP-space with a good reputation, and I have checks in place that make it difficult for my users to send spam
- Do what everyone is doing, even if you aren’t agreeing. I have a properly configured reverse record for my MX, the mails are signed by DKIM, I have a strict DMARC-policy and a correct SPF-record, despite it needing to die
- If there are any complaints, deal with them swiftly. So far I’ve only ever received two abuse mails, and I made sure to remediate the issues the mails were complaining about as quickly as possible.
And that has worked, quietly and without any hiccups - until now. A friend called me and told me that she’s facing issues with her mails being rejected. Coincidentally I started receiving DMARC-reports that had failures in them, for example:
<row> <source_ip>104.131.123.xxx</source_ip> <count>1</count> <policy_evaluated> <disposition>none</disposition> <dkim>fail</dkim> <spf>fail</spf> </policy_evaluated> </row> <identifiers> <header_from>domain.org</header_from> </identifiers> <auth_results> <dkim> <domain>anotherdomain.org</domain> <result>pass</result> <selector>default</selector> </dkim> <spf> <domain>anotherdomain.org</domain> <result>fail</result> </spf>
That didn’t make any sense at all. The IP-address was the mailserver for anotherdomain.org, mails for domain.org simply shouldn’t be sent through it. There’s also no way that I could fathom how this would happen, since the systems are physically separate.
I did a lot of testing on my end, an all mails I sent were sent from the correct system and properly authenticated. Her issues didn’t make any sense to me.
Eventually she visited me for a cup of coffee and we take a look at things together. Eventually we learned that Apple Mail was to blame for this, in a way I absolutely did not think about.
Said friend has two addresses hosted with me:
Because it was the simpler thing to do I decided against virtual addresses at the time I was setting up the mailserver, users are authenticated against system users. Which means that for both systems, her username is the same. And because people are people, despite me regularly asking her not to, used the same password for both accounts.
She uses a Macbook and Apple Mail. Apparently whenever Apple Mail can’t reach a configured mailserver (we haven’t debugged why that was happening, but I’m suspecting her work VPN interfering .. somehow) it proceeds to try all other configured mailservers until the mail either gets sent or no mailserver is left.
And in her case, because the credentials are valid, the mailserver for her other account works, and sends out the mail. Just that it’s without the correct signature and from the wrong system.
While I agree that there is definite room for improvement on the end of the setup, which I will definitely work on, this is, to put it diplomatically, sub-ideal behaviour from Apple Mail. It’s potentially endangering for the privacy of users, and speaking in general it’s a bad idea to just randomly send your credentials to some server.
Because I have no idea to turn that behaviour off I switched her over for the time being. The problems are gone now, but let me assure you, I’m still shaking my head in disbelief at this idiotic behaviour.