Using Message Headers




Another valuable source of information in analyzing mail problems is the header of a message. For the header to be available, the message must have been successfully delivered, so this method will only be useful for answering questions such as where a message came from, which systems it passed through, or why it took so long to be delivered.

Key Header Fields

Internet RFC 2822, Internet Message Format, defines and describes in detail the format of the basic message header fields. Some, such as Delivered-To, are not standardized but are widely used. Others, such as the Multipurpose Internet Mail Extensions (MIME) header fields, are defined in other documents (see Appendix C, "An Internet Mail Primer").

Return-Path

The Return-Path field is optionally added by the Message Delivery Agent (MDA) at the time of delivery. It records the SMTP envelope return path, or envelope sender. It's the value specified by the sending SMTP client in a MAIL command. It may be the same as the From field.

For example, if a remote client issues the following SMTP command:

 MAIL FROM:<root@dolphin.example.com> 

The message might be delivered with the following Return-Path field:

 Return-Path: <root@dolphin.example.com> 

Delivered-To

The Delivered-To field is optionally added by the MDA at the time of delivery. It records the SMTP envelope recipient. It's the value specified by the sending SMTP client in a RCPT command. It may be the same as one of the addresses listed in a To or Cc field.

For example, if a remote client issues the following SMTP command:

 RCPT TO:<dave@sparge.example.com> 

The message might be delivered with the following Delivered-To field:

 Delivered-To: dave@sparge.example.com 

A message may be delivered more than once before it reaches its final destination. Each of these intermediate deliveries may result in a separate Delivered-To field. If multiple Delivered-To fields appear in a header, they're listed in chronological order with the most recent delivery being recorded in the last Delivered-To field.

Messages delivered to qmail virtual domains and users go through multiple deliveries, but only the final delivery is recorded in a Delivered-To field. For example, if control/virtualdomains contains

 virtual.example.com:alias-virtual 

A message delivered to martha@virtual.example.com will contain a Delivered-To field like this:

 Delivered-To: alias-virtual-martha@virtual.example.com 

This reflects the envelope recipient address of the message when it was delivered, even though the original envelope recipient address was martha@virtual.example.com.

Received

Received fields are added by each Mail Transfer Agent (MTA) that handles a message. Each Received field is added before the previous Received field, if any, so they trace the path of the message through the Internet from sender to recipient in reverse chronological order. The format of the Received header is

 Received: ([name value] [comment])*; date-time 

In other words, an optional series of name/value pairs and comments followed by a semicolon (;) and a date/timestamp. Common name/value pairs are listed in Table 6-1.

Table 6-1: Received Field Name/Value Pairs

 NAME   VALUE
 from   Domain name of remote host
 by     Domain name of local host
 with   Protocol used to transfer message, for example, "SMTP"
 for    Envelope recipient address
 id     Local identifier

Useful information is also often included in the comments, which are enclosed in parentheses. Such information includes IP addresses, MTA version numbers, process IDs, and user IDs.

A message sent from one qmail host to another will contain at least two Received fields. For example:

 Received: (qmail 8339 invoked from network); 3 Jun 2001 11:03:14 -0000
 Received: from dolphin.example.com (HELO dolphin.example.com) (192.168.1.8)
   by sparge.example.com with SMTP; 3 Jun 2001 11:03:14 -0000

The first Received field—the most recent—was added by qmail-queue. It records the process ID (8339), notes that it was invoked by a network service, and includes the current date and time in Greenwich Mean Time (GMT), as indicated by the -0000 offset.

The second Received field—the first, chronologically—was added by qmail-smtpd. It records the sending host's domain name (dolphin.example.com), the HELO command sent by the sending host (HELO dolphin.example.com), the sending host's IP address (192.168.1.8), the local host's domain name (sparge.example.com), the protocol used to receive the message (SMTP), and the current date and time, again in GMT.

Note 

qmail uses GMT, not the local time zone, in header fields. It does this primarily because calculating the local time requires using bulky, often unreliable or unsafe system libraries. This is actually something of a convenience for the mail administrator because messages often pass through MTAs in different time zones. Logging the time in GMT saves the administrator the trouble of converting various local time zones to a common zone.

Date

Date fields record the date and time of the message's creation. They're usually added by the sender's MUA. They often specify the local time zone, but qmail generally uses GMT.

For example, a typical Date field added by qmail-inject looks like this:

 Date: 3 Jun 2001 11:05:59 -0000 

A Mail User Agent (MUA)-generated Date field might look like this:

 Date: Thu, 31 May 2001 18:43:06 -0500 (CDT) 

Notice that the date format varies, and the second example includes an offset from GMT of five hours (-0500), as well as an acronym of the time zone (CDT, meaning Central Daylight-savings Time).

Message-ID

Message-ID fields contain a supposedly unique identifier for the message, usually generated by the sender's MUA or MTA. The format of a Message-ID field is:

 Message-ID: <leftpart@rightpart> 

The leftpart is usually only guaranteed unique on the sending system, and the rightpart is unique to the sending system, often its fully qualified domain name. The leftpart is often derived from a timestamp, process ID, and/or serial number, and might be hashed—scrambled into a string of letters and numbers.

Message-IDs added by qmail-inject are in this format:

 <timestamp.processid.qmail@local-host> 

For example, a Message-ID field from a qmail system might look like this:

 Message-ID: <20010603110559.7877.qmail@dolphin.example.com> 

Because this field was generated by qmail, we can interpret its contents. It was generated at 11:05:59 GMT on June 3, 2001, by process ID 7877 on dolphin.example.com.

From

The From field usually contains the name and address of the sender of the message.

The following are typical From fields:

 From: root@dolphin.example.com
 From: Sensei <bill@example.com>
 From: bill@example.com (Sensei Bill)
 From: "Sensei Bill" <bill@example.com>

Caution 

Because the From field is specified by the sender and is not subject to authentication, it's easily forged.

To

To fields usually identify the primary recipients of the message.

The following are typical To fields:

 To: Sensei <ken@example.edu>
 To: ken@example.edu, elaina@example.net
 To: "Isshinryu List" <isshinryu@list.example.com>

Cc

Cc fields usually identify secondary ("carbon copy") recipients of the message.

The following are typical Cc fields:

 Cc: cleteth@example.net
 Cc: Sensei <cleteth@example.net>
 Cc: ken@example.edu, elaina@example.net, bill@example.com

Resent-Fields

If a message is re-injected by a user, for example, to forward it to another user, the original Date, From, To, Cc, and Message-ID fields may be preserved by prefixing Resent- to the field name. For example, the original To field becomes a Resent-To field.

Example Header Analysis

Let's take an example header from a message that a user received from a mailing list and see what we can tell about its origin and passage through the Internet:

  1 Return-Path: <owner-extropians@example.org>
  2 Delivered-To: dave-list-extropians@sparge.example.com
  3 Received: (qmail 586 invoked from network); 8 May 2001 20:12:22 -0000
  4 Received: from unknown (HELO tick.example.net) (192.168.238.117)
  5   by sparge.example.com with SMTP; 8 May 2001 20:12:22 -0000
  6 Received: (from majordom@localhost)
  7          by tick.example.net (8.9.3/8.9.3) id MAA23419
  8          for extropians-outgoing; Tue, 8 May 2001 12:44:25 -0600
  9 X-Authentication-Warning: tick.example.net: majordom set sender to owner-extropians@example.org using -f
 10 Date: Tue, 8 May 2001 11:44:20 -0700 (PDT)
 11 From: List Member <user@isp.example.com>
 12 Message-Id: <200105081844.LAA09754@isp.example.com>
 13 To: extropians@example.org
 14 Subject: Extropian Principles
 15 Sender: owner-extropians@example.org
 16 Precedence: bulk
 17 Reply-To: extropians@example.org

The message was apparently sent by user@isp.example.com (line 11) at 11:44:20 Pacific Daylight-savings Time on May 8, 2001 (line 10) to the extropians@example.org mailing list (line 13).

The earliest Received field (line 6) indicates that the message was received by Sendmail version 8.9.3 on tick.example.net (line 7) for the local alias extropians-outgoing (line 8). The message was re-injected by the Majordomo mailing list manager (line 6), which seems to have stripped the Received fields added previously. Presumably example.net is an Internet Service Provider (ISP) that hosts example.org. The timestamp on this field (line 8) shows that the message was re-injected by Majordomo at 12:44:25, GMT-0600, probably Mountain Daylight-savings Time, which is five seconds after its creation, assuming that the clocks were synchronized.

The next earliest Received field (line 4) was added by the recipient's MTA, in this case qmail-smtpd. The envelope return path of the message was owner-extropians@example.org, the owner of the list (line 1). The envelope recipient was dave-list-extropians@sparge.example.com (line 2). The message was received from a host at IP address 192.168.238.117, which could not be looked up in the DNS, so it is identified as unknown. The remote system identified itself as tick.example.net in the SMTP HELO command. qmail-smtpd received the message at 20:12:22 GMT (line 5), which is 14:12:22 in GMT-0600, approximately 92 minutes after it was injected on tick.example.net. The recipient's MTA is sparge.example.com, and the message was received via SMTP (line 5).

qmail-inject, process ID 586, received the message from qmail-smtpd within a fraction of a second (line 3).

The processing of the message by qmail-send is recorded in the qmail-send logs.
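As an added example (not code from the handbook or from qmail), the following Python script applies the Received grammar from Table 6-1 and the qmail-inject Message-ID format described earlier to the mailing-list header just analysed. It unfolds each Received field, separates name/value clauses from parenthesized comments, pulls the HELO name, IP address and qmail process ID out of the comments, converts every timestamp to GMT (a -0000 offset, as qmail writes, is treated as GMT), and computes the delay between the Date field and each hop in chronological order. The header is embedded as constructed sample input; the function and dictionary key names are my own.

```python
"""Walk a message header's Received chain and compute per-hop delays.

Added example, not code from The qmail Handbook: parsing rules follow the
Received grammar in Table 6-1 and the qmail-inject Message-ID format.
"""
import email
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the mailing-list header analysed in the text, without
# the line numbers the prose refers to.
SAMPLE_HEADER = """\
Return-Path: <owner-extropians@example.org>
Delivered-To: dave-list-extropians@sparge.example.com
Received: (qmail 586 invoked from network); 8 May 2001 20:12:22 -0000
Received: from unknown (HELO tick.example.net) (192.168.238.117)
  by sparge.example.com with SMTP; 8 May 2001 20:12:22 -0000
Received: (from majordom@localhost)
         by tick.example.net (8.9.3/8.9.3) id MAA23419
         for extropians-outgoing; Tue, 8 May 2001 12:44:25 -0600
X-Authentication-Warning: tick.example.net: majordom set sender to owner-extropians@example.org using -f
Date: Tue, 8 May 2001 11:44:20 -0700 (PDT)
From: List Member <user@isp.example.com>
Message-Id: <200105081844.LAA09754@isp.example.com>
To: extropians@example.org
Subject: Extropian Principles
Sender: owner-extropians@example.org
Precedence: bulk
Reply-To: extropians@example.org

"""

CLAUSE_RE = re.compile(r"\b(from|by|with|for|id|via)\s+(\S+)")
COMMENT_RE = re.compile(r"\(([^()]*)\)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
QMAIL_TRACE_RE = re.compile(r"qmail (\d+) invoked (?:from|by) (\S+)")
QMAIL_MSGID_RE = re.compile(r"<(\d{14})\.(\d+)\.qmail@([^>]+)>")


def to_utc(value):
    """Parse an RFC 2822 date. A -0000 offset gives a naive datetime, which
    by convention (and in qmail's case) means GMT, so attach UTC explicitly."""
    stamp = parsedate_to_datetime(value)
    if stamp.tzinfo is None:
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp.astimezone(timezone.utc)


def parse_received(value):
    """Split one Received field into clauses, comments and a GMT timestamp."""
    value = " ".join(value.split())                 # unfold continuation lines
    clauses, _, date_part = value.rpartition(";")
    comments = COMMENT_RE.findall(clauses)
    # Drop comments before scanning for clauses, so that text such as
    # "(qmail 586 invoked from network)" is not mistaken for a from clause.
    fields = dict(CLAUSE_RE.findall(COMMENT_RE.sub(" ", clauses)))
    hop = {"fields": fields, "comments": comments, "time": to_utc(date_part),
           "helo": None, "ip": None, "qmail_pid": None}
    for comment in comments:
        if comment.startswith("HELO "):
            hop["helo"] = comment.split(None, 1)[1]
        elif IPV4_RE.fullmatch(comment):
            hop["ip"] = comment
        else:
            m = QMAIL_TRACE_RE.match(comment)
            if m:
                hop["qmail_pid"] = int(m.group(1))
    return hop


def decode_qmail_message_id(value):
    """Decode <timestamp.pid.qmail@host>; returns None for other formats."""
    m = QMAIL_MSGID_RE.fullmatch(value.strip())
    if not m:
        return None
    stamp, pid, host = m.groups()
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"time": when, "pid": int(pid), "host": host}


def analyze(raw_header):
    """Return envelope data, hops in chronological order, and the seconds
    elapsed from the Date field to the first hop and between later hops."""
    msg = email.message_from_string(raw_header)
    # Each MTA prepends its Received field, so header order is newest first.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    previous = to_utc(msg["Date"]) if msg["Date"] else None
    delays = []
    for hop in hops:
        delays.append(None if previous is None
                      else (hop["time"] - previous).total_seconds())
        previous = hop["time"]
    return {"return_path": (msg["Return-Path"] or "").strip(),
            "delivered_to": (msg["Delivered-To"] or "").strip(),
            "message_id": decode_qmail_message_id(msg["Message-Id"] or ""),
            "hops": hops, "delays_seconds": delays}


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADER)
    for hop, delay in zip(report["hops"], report["delays_seconds"]):
        print(f"{hop['time'].isoformat()}  +{delay:>6.0f}s  "
              f"by={hop['fields'].get('by', '(qmail-queue)')}  "
              f"helo={hop['helo']}  ip={hop['ip']}")
```

Run stand-alone, the script lists the three hops oldest first with the delay since the previous event: five seconds from the Date field to Majordomo's re-injection, then the gap until qmail-smtpd on sparge.example.com accepted the message, then zero seconds to qmail-queue. Comments are stripped before clause matching on purpose: the qmail trace "(qmail 586 invoked from network)" contains the word "from", and a naive scan would report "network" as the sending host.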






The qmail Handbook
ISBN: 1893115402
Year: 2001
Pages: 186
Authors: Dave Sill