
I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone:

example.com.                    600 IN  MX  1 mail.morpheu5.net.
example.com.                    600 IN  TXT "v=spf1 a mx -all"
_dmarc.example.com.         600 IN  TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com; sp=none; ri=86400"
mail._domainkey.example.com.    600 IN  TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSYXmE/aXew9wcS9dCZFYrPetCRC9rW3vVYRQo980JbC6pXbAkqnUd7ncWkUaQZgF2HKzrspUMklRN35rB1b9iHX3dHnf/gvxSURZPYcKT1DenFt+Vhplv2IuWCNWRSqTuXTXlVOnf+TwWLZayKNq62mCqU09sasP9kHXO5lyIbwIDAQAB"

mail.morpheu5.net is the local host/domain/thing for my postfix, and I'm managing example.com as a virtual domain. I'm running OpenDKIM and OpenDMARC as milters -- SpamAssassin too, but that's working alright.

OpenDKIM is working fine, all the messages get signed correctly and Gmail even shows the little "Signed by: example.com" and confirmation of standard encryption (TLS). In fact, if I inspect the original message, in Gmail, I get the following:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@example.com header.s=mail header.b=pixIC2KM;
       spf=pass (google.com: domain of xxxxx@example.com designates 79.137.83.28 as permitted sender) smtp.mailfrom=xxxxx@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <xxxxx@example.com>
Received: from mail.morpheu5.net (mail.morpheu5.net. [79.137.83.28])
        by mx.google.com with ESMTPS id p67-v6si2567899wmd.147.2018.10.31.08.01.43
        for <xxxxx@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 31 Oct 2018 08:01:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of xxxxx@example.com designates 79.137.83.28 as permitted sender) client-ip=79.137.83.28;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=mail header.b=pixIC2KM;
       spf=pass (google.com: domain of xxxxx@example.com designates 79.137.83.28 as permitted sender) smtp.mailfrom=xxxxx@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com

which, if I read it correctly, tells me that

  • my SPF policy is OK (example.com designates mail.morpheu5.net as permitted sender),
  • my DKIM signature is valid (sign that OpenDKIM is working fine), and
  • my DMARC record is valid and the two previous checks passed.

Further down, if I inspect the headers generated by my own MTA, I see the following

DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 8E8CE100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; t=1540998102; bh=j1p26NHBiJxaCqvB8/JaswqiQuHCsG+QNIkoIUc8B+0=; h=From:Subject:Date:To:From; b=pixIC2KMsLYpq4KQn4gRIJ4wr3Tle+Iaq08lSVdIz82nrKDybFhOivpIrmtpKSXND
     rS4MPn7aNRV2D2KJPqG6Ru2tFAJEaBviC/7BNs2x3mIGlIxv5OzvD2EIvrJSJ8FA9U
     1Uf9YTdWgSF4FdytLD21Jus6dYt4evDc3ZZujvIU=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 8E8CE100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
                                           ^^^^^^^^^^- WHAT?!

That in itself is confusing, because it seems that OpenDMARC is running even for outgoing mail (remember, I sent this message from xxxxx@example.com to xxxxx@gmail.com). This however could be because of how I'm running the milter. This is the relevant bit in postfix's main.cf:

smtpd_milters =     inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
                    ^- SpamAssassin                  ^- OpenDMARC        ^- OpenDKIM

I'm open to suggestions on this.

What is really driving me insane, though, is that OpenDMARC is failing pretty much everything that comes in through the door. This is a message I sent from another domain (that I have set up in a similar way to example.com):

Return-Path: <xxxxx@example.com>
Delivered-To: yyyyy@unijobs.it
Received: from mail.morpheu5.net ([172.18.0.14])
    by 6c01c2ccb641 with LMTP
    id t10hEf7J2Vu3BQAAl2tFQA
    (envelope-from <xxxxx@example.com>)
    for <yyyyy@unijobs.it>; Wed, 31 Oct 2018 15:27:58 +0000
Received: from porto.home (host109-154-219-15.range109-154.btcentralplus.com [109.154.219.15])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.morpheu5.net (Postfix) with ESMTPSA id E0A22100B2EB
    for <yyyyy@unijobs.it>; Wed, 31 Oct 2018 15:27:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net E0A22100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=mail; t=1540999678;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    h=From:Subject:Date:To:From;
    b=ulFaGLYp8hoosllX0rs+byXALUScldP5Of4Sf9/GxuuEqkz5VpCwPHib0TCXQNyqG
     yGqzlgBUoKB2SB0vRqbDW6vb+1UyG971DVeC0WfuRvoe7lKFLFmzD+V25rht/83TKv
     GFhIX2JMMobnw+wS++/6rS/l93/NLlTysiKECSfo=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net E0A22100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
From: "example.com" <xxxxx@example.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: 
Message-Id: <D3CC846F-19E8-4554-9990-1753D4E738E3@example.com>
Date: Wed, 31 Oct 2018 15:27:57 +0000
To: yyyyy@unijobs.it

They are both served by the same postfix install, so draw your own conclusions. The only thing I see in the logs is a very laconic

Oct 31 15:27:58 bd85f6a3b2b6 opendmarc[20]: E0A22100B2EB: example.com fail

So I figured I must have screwed up something while delivering the message. I then sent one from my gmail.com address and lo and behold

Return-Path: <zzzzz@gmail.com>
Delivered-To: xxxxx@example.com
Received: from mail.morpheu5.net ([172.18.0.14])
    by 6c01c2ccb641 with LMTP
    id 3P0+CTjL2Vu7BQAAl2tFQA
    (envelope-from <zzzzz@gmail.com>)
    for <xxxxx@example.com>; Wed, 31 Oct 2018 15:33:12 +0000
Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mail.morpheu5.net (Postfix) with ESMTPS id 63728100B2EB
    for <xxxxx@example.com>; Wed, 31 Oct 2018 15:33:11 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net;
    dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Yrnjbum2"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=gmail.com
Received: by mail-lf1-f51.google.com with SMTP id p86so9773378lfg.5
        for <xxxxx@example.com>; Wed, 31 Oct 2018 08:33:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
        b=Yrnjbum25r6EczXzozeQERktfI7380FH3ETaRQ574kjKWdI+gtL337nVsPH34hnkyy
         YZ3XuVBCyKpz2ulXqF6G9ipsk9Hh6cK6P/BGNO9fs1WRrz9U8BImKhiqJBTdv4J+K4Rq
         grpn4buL1q3lRqunfJzSPaTww0DnYPWR89ICeMiyIYGbNYA4uTBQhQm0GUQRMJz6J1Bm
         4FGL9dL2/sgexlOGga3AeP1dHyPoLag9FN2Vbr/nJThqml8BcC4kPdVb1iH4FZoNaTSh
         s4CeTREvW6XLEAVgSz5Q3DgFLR0V4iCuqYxKkkHDYNi1If/agXkbRBigRP6+HUsTw7mM
         8O7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
        b=MPBwgFcsvJZ9gZbD0n0kfYMKpaHDQ3SkU30o5qVqs9Zwaqu3bTubSDkB+HCHsq8P8A
         6BZN3WARiL9zi9sdxKmvHYBvrf043htR1/jFEr6+1Wr5eO2ULZmKIxdKl609YffDmzM8
         vXXNzIw8pNYvEcaKUW04APzyEG5iEA9B5hrik4ivD9EWC0LHGuVf5jZuFT0LsKuWwydP
         n30LqX6Wra8XjSnbejgeD/m53xDWQpYckArRm6VA7+XqH1W7xnKgxc4MBmeX7gqYQrvV
         nmXMJyJAVtjiW9PXKDIE0SpP9XXryLn3FsguDCCwb46FS3rLJWW7i9SYSDKDb4N6iY3r
         NXUA==
X-Gm-Message-State: AGRZ1gIHySs3xex2WNMp2GByh7QqSOszi85+983Juw7ZJnOEDB28/jma
    iM0XrZTH6QjHeJajn8Zxx3UmFTkgAJ1MdBldxKeKiQ==
X-Google-Smtp-Source: AJdET5dvhrIXWjNNjZ2g5C7dSnHwXF95xuK/26l2o3C8fhT2r034Pos5Z776NyKi6JQvIAXpGCEkKe/WjOMaWWllzCM=
X-Received: by 2002:a19:13cc:: with SMTP id 73mr1902315lft.79.1540999989833;
 Wed, 31 Oct 2018 08:33:09 -0700 (PDT)
MIME-Version: 1.0
From: Andrea Franceschini <zzzzz@gmail.com>
Date: Wed, 31 Oct 2018 15:32:32 +0000
Message-ID: <CACY09wpao6XSxkjzNXytTJ3Z3SCrpnhQkUjoWHJzYd8sS23jmA@mail.gmail.com>
Subject: 
To: xxxxx@example.com
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=2.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,DNS_FROM_AHBL_RHSBL,FREEMAIL_FROM,UNPARSEABLE_RELAY,
    URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 226c07f01f2b

and this is what shows up in the logs

Oct 31 15:33:12 bd85f6a3b2b6 opendmarc[20]: 63728100B2EB: gmail.com fail

Please also note that SpamAssassin computed a bunch of DKIM scores for this message, while this did not happen before, so... time for more config files!

OpenDKIM to begin with

PidFile             /var/run/opendkim/opendkim.pid
Mode                sv
Syslog              yes
SyslogSuccess       yes
LogWhy              yes
UserID              opendkim:opendkim
Socket              inet:8891@localhost
Umask               002
SendReports         yes
SoftwareHeader      yes
Canonicalization    relaxed/relaxed
Selector            default
MinimumKeyBits      1024
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts
OversignHeaders     From
QueryCache          yes
AutoRestart         Yes

KeyTable seems OK to me

mail._domainkey.unijobs.it unijobs.it:mail:/etc/opendkim/keys/unijobs.it/dkim-private.pem
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/dkim-private.pem

I also have wildcard signing

*@unijobs.it mail._domainkey.unijobs.it
*@example.com mail._domainkey.example.com

and these as trusted hosts

127.0.0.1
::1
172.17.0.0/16
172.18.0.0/16

OpenDMARC is configured like this

AuthservID      mail.morpheu5.net
HistoryFile     /var/spool/opendmarc/opendmarc.dat
IgnoreHosts     /etc/opendmarc/ignore.hosts
RejectFailures  false
Socket          inet:8893@localhost
SoftwareHeader  true
Syslog          true
UMask           007
UserID          opendmarc:mail

With the following in ignore.hosts

localhost
172.17.0.0/16
172.18.0.0/16

So... why does OpenDMARC fail pretty much everything that comes through the door?

EDIT I ran opendmarc -t on one of these messages and the worst that happens is

opendmarc: mlfi_connect() returned SMFIS_ACCEPT

if I run it with my custom config file, and

opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: message: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: message: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 3: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 8: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 13: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 14: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 15: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 16: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 23: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 24: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 26: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 27: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 28: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 29: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 30: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 31: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 34: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 35: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 37: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 38: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; dmarc=fail (p=none dis=none) header.from=example.com'
opendmarc: message: mlfi_eom() returned SMFIS_ACCEPT
opendmarc: mlfi_close() returned SMFIS_CONTINUE

if I don't specify my custom config file (which is in a weird location because reasons).

EDIT Gmail now passes SPF, DKIM, and eventually opendmarc gives it a pass. Not sure what happened.

EDIT Follow-up: What is wrong with this e-mail which is failing SPF(mailfrom) and DMARC?

Morpheu5
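
What OpenDMARC stamps in Authentication-Results is the outcome of RFC 7489 identifier alignment: it needs, under its own AuthservID, either a dkim=pass whose d= (or i=) domain aligns with the RFC5322.From domain, or an spf=pass whose MAIL FROM domain aligns; with neither result present the evaluation is fail regardless of p=none. Milters prepend their headers, so a DMARC-Filter stamp sitting below OpenDKIM's DKIM-Filter line and its dkim=pass result, as in the gmail.com message above, records that OpenDMARC ran before OpenDKIM and had no local DKIM result to align. The following is an added example, not OpenDMARC's code and not anything posted in the question, that reproduces that evaluation. The authserv-id, domains and the dkim=pass line are taken from the headers above; the header sets fed to it are constructed, and the organizational-domain function is a two-label simplification of the Public Suffix List lookup a real verifier performs.

```python
"""DMARC evaluation (RFC 7489 identifier alignment) over Authentication-Results
headers, in the position OpenDMARC occupies in a milter chain.

Added example, not OpenDMARC's code. Domains, authserv-id and the dkim=pass
line come from the question; the header *sets* below are constructed."""
import re


def org_domain(domain):
    """Organizational domain. Simplification: the last two labels. A real
    verifier consults the Public Suffix List (this is wrong for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    demands an exact match with the RFC5322.From domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_auth_results(value):
    """Parse an Authentication-Results value (RFC 8601) into
    (authserv_id, [(method, result, {property: value}), ...])."""
    value = re.sub(r"\([^()]*\)", " ", value)            # strip comments first
    head, _, rest = value.partition(";")
    authserv = head.split()[0] if head.split() else ""    # "authserv-id [version]"
    results = []
    for clause in rest.split(";"):
        m = re.match(r"\s*([\w-]+)\s*=\s*(\w+)(.*)", clause, re.S)
        if not m:
            continue
        props = {k.lower(): v.strip('"')
                 for k, v in re.findall(r"([\w.]+)\s*=\s*(\S+)", m.group(3))}
        results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv, results


def dmarc_verdict(headers, authserv_id, from_domain, adkim="r", aspf="r"):
    """headers: [(name, value)] as they stand at the moment DMARC is evaluated.
    Returns (result, reason). This is the evaluation result; the disposition
    under p=none stays 'none' even when the result is 'fail'."""
    dkim_domains, spf_domains = [], []
    for name, value in headers:
        if name.lower() != "authentication-results":
            continue
        authserv, results = parse_auth_results(value)
        if authserv.lower() != authserv_id.lower():
            continue            # only results stamped under our own AuthservID count
        for method, result, props in results:
            if method == "dkim" and result == "pass":
                d = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
                if d:
                    dkim_domains.append(d)
            elif method == "spf" and result == "pass":
                spf_domains.append(props.get("smtp.mailfrom", "").rpartition("@")[2])
    for d in dkim_domains:
        if aligned(d, from_domain, adkim):
            return "pass", "aligned DKIM signature, d=%s" % d
    for d in spf_domains:
        if d and aligned(d, from_domain, aspf):
            return "pass", "aligned SPF, MAIL FROM domain %s" % d
    if not dkim_domains and not spf_domains:
        return "fail", "no dkim=pass or spf=pass from %s: nothing to align" % authserv_id
    return "fail", "%s do not align with %s" % (dkim_domains + spf_domains, from_domain)


AUTHSERV = "mail.morpheu5.net"
DKIM_OK = ("Authentication-Results",
           'mail.morpheu5.net; dkim=pass (2048-bit key) header.d=gmail.com '
           'header.i=@gmail.com header.b="Yrnjbum2"')
SUBDOMAIN_OK = ("Authentication-Results",
                "mail.morpheu5.net; dkim=pass header.d=mail.example.com")
MSG = [("From", "Andrea Franceschini <zzzzz@gmail.com>"), ("To", "xxxxx@example.com")]


def demo():
    """Constructed header sets for the gmail.com message in the question."""
    return {
        # OpenDMARC listed ahead of OpenDKIM: no local dkim result exists yet.
        "dmarc_before_dkim": dmarc_verdict(MSG, AUTHSERV, "gmail.com"),
        # OpenDKIM ran first and left its result: alignment can succeed.
        "dkim_before_dmarc": dmarc_verdict([DKIM_OK] + MSG, AUTHSERV, "gmail.com"),
        # A result stamped by someone else's authserv-id is not trusted.
        "foreign_authserv": dmarc_verdict(
            [("Authentication-Results", "mx.google.com; dkim=pass header.d=gmail.com")] + MSG,
            AUTHSERV, "gmail.com"),
        # Subdomain signature: relaxed alignment passes, strict (adkim=s) fails.
        "subdomain_relaxed": dmarc_verdict([SUBDOMAIN_OK], AUTHSERV, "example.com"),
        "subdomain_strict": dmarc_verdict([SUBDOMAIN_OK], AUTHSERV, "example.com", adkim="s"),
    }


if __name__ == "__main__":
    for case, (result, reason) in demo().items():
        print("%-18s %-4s %s" % (case, result, reason))
```

Running it prints the five cases. `dmarc_verdict` returns the evaluation result only; under p=none the disposition stays none (the dis=none in the stamped header), so the fail is informational. Gmail's report on the outgoing message above shows dmarc=pass because Gmail evaluated with its own spf=pass and dkim=pass results already in hand.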

4 Answers

4

I also had this issue recently. In my case I managed to resolve it by adding the following to /etc/opendmarc.conf:

IgnoreAuthenticatedClients true

man opendmarc.conf has this to say about it:

IgnoreAuthenticatedClients (Boolean)
   If set, causes mail from authenticated clients (i.e., those that used SMTP AUTH) to be
   ignored by the filter.  The  default  is "false".

which is exactly what I wanted. I only allow external connections to the SMTP via secure connections. Now opendmarc leaves my outgoing email alone.

Tommiie
2

Try changing main.cf:

smtpd_milters =     inet:mopsmailer_spamassassin:784 inet:localhost:8891 inet:localhost:8893
non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8891 inet:localhost:8893

The OpenDKIM check comes first! Next is the OpenDMARC check...

RalfFriedl
Martin
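
Two checks that make the ordering point above mechanical, as an added example that is not from the question, Postfix, OpenDKIM or OpenDMARC: reading a captured message's DKIM-Filter and DMARC-Filter stamps bottom-up to recover the order the filters actually ran in, listing which Authentication-Results under the local AuthservID were already on the message when OpenDMARC evaluated it, and linting the smtpd_milters and non_smtpd_milters lists for DKIM-before-DMARC order. The message is constructed from the gmail.com headers in the question (trimmed, with a second variant rebuilt the way the reordered chain would stamp it); the socket names inet:localhost:8891 and inet:localhost:8893 are the question's own.

```python
"""Recover from a captured message the order the local filters ran in, list the
Authentication-Results OpenDMARC could actually see, and lint the Postfix
milter lists for DKIM-before-DMARC order.

Added example, not from the question, Postfix, OpenDKIM or OpenDMARC. The raw
messages and main.cf fragments are constructed from what the question posted."""
import email
import re

SOFTWARE_HEADERS = ("DKIM-Filter", "DMARC-Filter")     # opendkim/opendmarc SoftwareHeader


def filter_order(raw_message):
    """Milters insert their headers at the top, so the lowest stamp was added
    first. Returns the SoftwareHeader names in execution order."""
    msg = email.message_from_string(raw_message)
    stamps = [name for name, _ in msg.items() if name in SOFTWARE_HEADERS]
    return list(reversed(stamps))


def results_visible_to_dmarc(raw_message, authserv_id):
    """Authentication-Results under our own authserv-id that were already on
    the message when OpenDMARC ran: the ones *below* its DMARC-Filter stamp,
    excluding OpenDMARC's own dmarc= line."""
    msg = email.message_from_string(raw_message)
    below_dmarc, visible = False, []
    for name, value in msg.items():
        if name == "DMARC-Filter":
            below_dmarc = True
        elif below_dmarc and name == "Authentication-Results":
            authserv = value.split(";", 1)[0].strip().lower()
            if authserv == authserv_id.lower() and "dmarc=" not in value:
                visible.append(" ".join(value.split()))
    return visible


def milter_chain(main_cf, param):
    """Socket list for smtpd_milters or non_smtpd_milters from main.cf text."""
    for line in main_cf.splitlines():
        m = re.match(r"\s*%s\s*=\s*(.*)" % re.escape(param), line)
        if m:
            return m.group(1).replace(",", " ").split()
    return []


def lint_milter_order(main_cf, dkim_sock, dmarc_sock):
    """Per list: 'ok' if DKIM precedes DMARC, 'dmarc_before_dkim' otherwise,
    'no_dmarc' if OpenDMARC is not in that list at all."""
    findings = {}
    for param in ("smtpd_milters", "non_smtpd_milters"):
        chain = milter_chain(main_cf, param)
        if dmarc_sock not in chain:
            findings[param] = "no_dmarc"
        elif dkim_sock in chain and chain.index(dkim_sock) < chain.index(dmarc_sock):
            findings[param] = "ok"
        else:
            findings[param] = "dmarc_before_dkim"
    return findings


# Constructed from the gmail.com message in the question (most headers trimmed).
HEAD = ("Return-Path: <zzzzz@gmail.com>\n"
        "Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51])\n"
        "    by mail.morpheu5.net (Postfix) with ESMTPS id 63728100B2EB\n"
        "    for <xxxxx@example.com>; Wed, 31 Oct 2018 15:33:11 +0000 (UTC)\n")
DKIM_STAMP = ("DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 63728100B2EB\n"
              "Authentication-Results: mail.morpheu5.net;\n"
              "    dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com"
              ' header.b="Yrnjbum2"\n')
DMARC_STAMP = ("DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 63728100B2EB\n"
               "Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none)"
               " header.from=gmail.com\n")
TAIL = "From: zzzzz@gmail.com\nTo: xxxxx@example.com\nSubject: test\n\n"

RAW_AS_POSTED = HEAD + DKIM_STAMP + DMARC_STAMP + TAIL      # DKIM stamp on top: DMARC ran first
RAW_DKIM_FIRST = HEAD + DMARC_STAMP.replace("dmarc=fail", "dmarc=pass") + DKIM_STAMP + TAIL

# The question's main.cf, and the order suggested in the answer above (DKIM first).
MAIN_CF_AS_POSTED = (
    "smtpd_milters =     inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891\n"
    "non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891\n")
MAIN_CF_REORDERED = MAIN_CF_AS_POSTED.replace(
    "inet:localhost:8893 inet:localhost:8891", "inet:localhost:8891 inet:localhost:8893")
DKIM_SOCK, DMARC_SOCK = "inet:localhost:8891", "inet:localhost:8893"    # from the question

if __name__ == "__main__":
    for label, raw in (("as posted", RAW_AS_POSTED), ("dkim first", RAW_DKIM_FIRST)):
        print(label, "ran:", filter_order(raw),
              "visible to dmarc:", results_visible_to_dmarc(raw, "mail.morpheu5.net"))
    print("as posted:", lint_milter_order(MAIN_CF_AS_POSTED, DKIM_SOCK, DMARC_SOCK))
    print("reordered:", lint_milter_order(MAIN_CF_REORDERED, DKIM_SOCK, DMARC_SOCK))
```

For the message as posted, `filter_order` reports DMARC-Filter before DKIM-Filter and `results_visible_to_dmarc` returns nothing: OpenDMARC evaluated a message carrying no dkim= result from mail.morpheu5.net. The same functions on a real capture (the "Show original" text from the receiving side) answer the ordering question without guessing from main.cf.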
0

So external verification of your DMARC (SPF, DKIM) is OK. (You can check with https://dmarcian.com/dmarc-inspector/?domain=example.com )

The internal check is failing on every message passing through.

It could be that the line in the config

AuthservID mail.morpheu5.net

does not resolve correctly. Try setting the string "HOSTNAME" instead. Then it will use the function gethostname(). (This is a wild guess.)

What about the ignorehosts file? Maybe you should add 127.0.0.1 as well (which is the default if nothing is specified), and not just localhost.

Update: Try removing the DMARC milters from

main.cf: non_smtpd_milters xxxxx

Ingvar J
  • see also [this post](https://serverfault.com/questions/923526/why-is-opendmarc-using-my-the-recipients-configuration-for-incoming-mail) – Ingvar J Nov 05 '18 at 09:52
  • Thanks for your answer! I added `127.0.0.1` to the ignored hosts (though I had `localhost` in there, so that should have been the same). No effect. I also tried setting `AuthservID` to `HOSTNAME` (and `TrustedAuthservID` too, just in case). No effect again. I should also say that, if I enable the SPF check performed by opendmarc itself, that also fails. – Morpheu5 Nov 05 '18 at 10:25
  • that was my 50 cent for the moment... – Ingvar J Nov 05 '18 at 12:27
  • other than what You already tested ... `TrustedAuthservIDs mail.morpheu5.net.` – Ingvar J Nov 05 '18 at 12:33
  • The thing that annoys me greatly is that I can't seem to get any useful debug messages or any kind of information on what exactly is failing. I kind-of got the sense that a hint may be contained in the `Authentication-Results` headers, but they are hard as hell to read… – Morpheu5 Nov 05 '18 at 12:35
  • Just a silly question: does your mail host use an internal DNS, where the DKIM/SPF/DMARC entries are not available? Or is it another DNS related issue rather than opendmarc config – Ingvar J Nov 05 '18 at 13:53
  • I'm the mail host, as far as I can tell (I set up my own Postfix/Dovecot cabal). I also control the DNS records, and they are all set up correctly, otherwise I'd be failing tests when, for example, sending to a Gmail address, instead I get all passes. You can check one of my domains (the others are configured more or less the same, save for the signing keys) for example `unijobs.it` (dkim at `mail._domainkey.unijobs.it`, dmarc record at `_dmarc.unijobs.it`). – Morpheu5 Nov 05 '18 at 13:59
  • I just sent an e-mail to info@unijobs.it. Can you copy the maillog when the DMARC is evaluated? (Return to the same sender as in the email.) – Ingvar J Nov 05 '18 at 14:53
-1

I know it's late but it is failing because of what you see in this line:

Received: from mail.morpheu5.net ([172.18.0.14]) by 6c01c2ccb641 with LMTP

Specifically the by 6c01c2ccb641 with LMTP

If you can match it so that 6c01c2ccb641 also shows up as mail.morpheu5.net, it will work just fine.

  • No, that happens after checking. You have to read headers bottom to top. The problem that dmarc fails is probably because of wrong order (before dkim) and bad spf results (so to say, a missing SPF test result). Opendmarc needs at least one of them to succeed. – EOhm Oct 20 '19 at 18:13