Why is my opendmarc failing pretty much everything that comes through?
Solution 1
I also had this issue recently. In my case I managed to resolve it by adding the following to /etc/opendmarc.conf
:
IgnoreAuthenticatedClients true
man opendmarc.conf
has this to say about it:
IgnoreAuthenticatedClients (Boolean)
If set, causes mail from authenticated clients (i.e., those that used SMTP AUTH) to be
ignored by the filter. The default is "false".
which is exactly what I wanted. I only allow external connections to the SMTP via secure connections. Now opendmarc leaves my outgoing email alone.
Solution 2
Try change main.cf
smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8891 inet:localhost:8893
non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8891 inet:localhost:8893
OpenDKIM check first! Next is OpenDMARC check...
Related videos on Youtube
Morpheu5
Updated on September 18, 2022Comments
-
Morpheu5 almost 2 years
I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is
example.com
which has the following entries in its DNS zone:example.com. 600 IN MX 1 mail.morpheu5.net. example.com. 600 IN TXT "v=spf1 a mx -all" _dmarc.example.com. 600 IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; ri=86400" mail._domainkey.example.com. 600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSYXmE/aXew9wcS9dCZFYrPetCRC9rW3vVYRQo980JbC6pXbAkqnUd7ncWkUaQZgF2HKzrspUMklRN35rB1b9iHX3dHnf/gvxSURZPYcKT1DenFt+Vhplv2IuWCNWRSqTuXTXlVOnf+TwWLZayKNq62mCqU09sasP9kHXO5lyIbwIDAQAB"
mail.morpheu5.net
is the local host/domain/thing for my postfix, and I'm managingexample.com
as a virtual domain. I'm running OpenDKIM and OpenDMARC as milters -- SpamAssassin too, but that's working alright.OpenDKIM is working fine, all the messages get signed correctly and Gmail even shows the little "Signed by: example.com" and confirmation of standard encryption (TLS). In fact, if I inspect the original message, in Gmail, I get the following:
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass [email protected] header.s=mail header.b=pixIC2KM; spf=pass (google.com: domain of [email protected] designates 79.137.83.28 as permitted sender) [email protected]; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com Return-Path: <[email protected]> Received: from mail.morpheu5.net (mail.morpheu5.net. [79.137.83.28]) by mx.google.com with ESMTPS id p67-v6si2567899wmd.147.2018.10.31.08.01.43 for <[email protected]> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 31 Oct 2018 08:01:43 -0700 (PDT) Received-SPF: pass (google.com: domain of [email protected] designates 79.137.83.28 as permitted sender) client-ip=79.137.83.28; Authentication-Results: mx.google.com; dkim=pass [email protected] header.s=mail header.b=pixIC2KM; spf=pass (google.com: domain of [email protected] designates 79.137.83.28 as permitted sender) [email protected]; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
which, if I read it correctly, tells me that
- my SPF policy is OK (example.com designates mail.morpheu5.net as permitted sender),
- my DKIM signature is valid (sign that OpenDKIM is working fine), and
- my DMARC record is valid and the two previous checks passed.
Further down, if I inspect the headers generated by my own MTA, I see the following
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 8E8CE100B2EB DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; t=1540998102; bh=j1p26NHBiJxaCqvB8/JaswqiQuHCsG+QNIkoIUc8B+0=; h=From:Subject:Date:To:From; b=pixIC2KMsLYpq4KQn4gRIJ4wr3Tle+Iaq08lSVdIz82nrKDybFhOivpIrmtpKSXND rS4MPn7aNRV2D2KJPqG6Ru2tFAJEaBviC/7BNs2x3mIGlIxv5OzvD2EIvrJSJ8FA9U 1Uf9YTdWgSF4FdytLD21Jus6dYt4evDc3ZZujvIU= DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 8E8CE100B2EB Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com ^^^^^^^^^^- WHAT?!
That in itself is confusing, because it seems that OpenDMARC is running even for outgoing mail (remember, I sent this message from [email protected] to [email protected]). This however could be because of how I'm running the milter. This is the relevant bit in postfix's
main.cf
:smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891 non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891 ^- SpamAssassin ^- OpenDMARC ^- OpenDKIM
I'm open to suggestions on this.
What is really driving me insane, though, is that OpenDMARC is failing pretty much everything that comes in through the door. This is a message I sent from another domain (that I have set up in a similar way to example.com)
Return-Path: <[email protected]> Delivered-To: [email protected] Received: from mail.morpheu5.net ([172.18.0.14]) by 6c01c2ccb641 with LMTP id t10hEf7J2Vu3BQAAl2tFQA (envelope-from <[email protected]>) for <[email protected]>; Wed, 31 Oct 2018 15:27:58 +0000 Received: from porto.home (host109-154-219-15.range109-154.btcentralplus.com [109.154.219.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.morpheu5.net (Postfix) with ESMTPSA id E0A22100B2EB for <[email protected]>; Wed, 31 Oct 2018 15:27:57 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net E0A22100B2EB DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; t=1540999678; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; h=From:Subject:Date:To:From; b=ulFaGLYp8hoosllX0rs+byXALUScldP5Of4Sf9/GxuuEqkz5VpCwPHib0TCXQNyqG yGqzlgBUoKB2SB0vRqbDW6vb+1UyG971DVeC0WfuRvoe7lKFLFmzD+V25rht/83TKv GFhIX2JMMobnw+wS++/6rS/l93/NLlTysiKECSfo= DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net E0A22100B2EB Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com From: "example.com" <[email protected]> Content-Type: text/plain Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) Subject: Message-Id: <[email protected]> Date: Wed, 31 Oct 2018 15:27:57 +0000 To: [email protected]
They are both served by the same postfix install, so draw your own conclusions. The only thing I see in the logs is a very laconic
Oct 31 15:27:58 bd85f6a3b2b6 opendmarc[20]: E0A22100B2EB: example.com fail
So I figured I must have screwed up something while delivering the message. I then sent one from my gmail.com address and lo and behold
Return-Path: <[email protected]> Delivered-To: [email protected] Received: from mail.morpheu5.net ([172.18.0.14]) by 6c01c2ccb641 with LMTP id 3P0+CTjL2Vu7BQAAl2tFQA (envelope-from <[email protected]>) for <[email protected]>; Wed, 31 Oct 2018 15:33:12 +0000 Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.morpheu5.net (Postfix) with ESMTPS id 63728100B2EB for <[email protected]>; Wed, 31 Oct 2018 15:33:11 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 63728100B2EB Authentication-Results: mail.morpheu5.net; dkim=pass (2048-bit key) header.d=gmail.com [email protected] header.b="Yrnjbum2" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 63728100B2EB Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=gmail.com Received: by mail-lf1-f51.google.com with SMTP id p86so9773378lfg.5 for <[email protected]>; Wed, 31 Oct 2018 08:33:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=; b=Yrnjbum25r6EczXzozeQERktfI7380FH3ETaRQ574kjKWdI+gtL337nVsPH34hnkyy YZ3XuVBCyKpz2ulXqF6G9ipsk9Hh6cK6P/BGNO9fs1WRrz9U8BImKhiqJBTdv4J+K4Rq grpn4buL1q3lRqunfJzSPaTww0DnYPWR89ICeMiyIYGbNYA4uTBQhQm0GUQRMJz6J1Bm 4FGL9dL2/sgexlOGga3AeP1dHyPoLag9FN2Vbr/nJThqml8BcC4kPdVb1iH4FZoNaTSh s4CeTREvW6XLEAVgSz5Q3DgFLR0V4iCuqYxKkkHDYNi1If/agXkbRBigRP6+HUsTw7mM 8O7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=; b=MPBwgFcsvJZ9gZbD0n0kfYMKpaHDQ3SkU30o5qVqs9Zwaqu3bTubSDkB+HCHsq8P8A 6BZN3WARiL9zi9sdxKmvHYBvrf043htR1/jFEr6+1Wr5eO2ULZmKIxdKl609YffDmzM8 vXXNzIw8pNYvEcaKUW04APzyEG5iEA9B5hrik4ivD9EWC0LHGuVf5jZuFT0LsKuWwydP n30LqX6Wra8XjSnbejgeD/m53xDWQpYckArRm6VA7+XqH1W7xnKgxc4MBmeX7gqYQrvV nmXMJyJAVtjiW9PXKDIE0SpP9XXryLn3FsguDCCwb46FS3rLJWW7i9SYSDKDb4N6iY3r NXUA== X-Gm-Message-State: AGRZ1gIHySs3xex2WNMp2GByh7QqSOszi85+983Juw7ZJnOEDB28/jma iM0XrZTH6QjHeJajn8Zxx3UmFTkgAJ1MdBldxKeKiQ== X-Google-Smtp-Source: AJdET5dvhrIXWjNNjZ2g5C7dSnHwXF95xuK/26l2o3C8fhT2r034Pos5Z776NyKi6JQvIAXpGCEkKe/WjOMaWWllzCM= X-Received: by 2002:a19:13cc:: with SMTP id 73mr1902315lft.79.1540999989833; Wed, 31 Oct 2018 08:33:09 -0700 (PDT) MIME-Version: 1.0 From: Andrea Franceschini <[email protected]> Date: Wed, 31 Oct 2018 15:32:32 +0000 Message-ID: <CACY09wpao6XSxkjzNXytTJ3Z3SCrpnhQkUjoWHJzYd8sS23jmA@mail.gmail.com> Subject: To: [email protected] Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=2.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DNS_FROM_AHBL_RHSBL,FREEMAIL_FROM,UNPARSEABLE_RELAY, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 X-Spam-Level: ** X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 226c07f01f2b
and this is what shows up in the logs
Oct 31 15:33:12 bd85f6a3b2b6 opendmarc[20]: 63728100B2EB: gmail.com fail
Please also note that SpamAssassin computed a bunch of DKIM scores for this message, while this did not happen before, so... time for more config files!
OpenDKIM to begin with
PidFile /var/run/opendkim/opendkim.pid Mode sv Syslog yes SyslogSuccess yes LogWhy yes UserID opendkim:opendkim Socket inet:8891@localhost Umask 002 SendReports yes SoftwareHeader yes Canonicalization relaxed/relaxed Selector default MinimumKeyBits 1024 KeyTable /etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts OversignHeaders From QueryCache yes AutoRestart Yes
KeyTable seems OK to me
mail._domainkey.unijobs.it unijobs.it:mail:/etc/opendkim/keys/unijobs.it/dkim-private.pem mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/dkim-private.pem
I also have wildcard signing
*@unijobs.it mail._domainkey.unijobs.it *@example.com mail._domainkey.example.com
and these as trusted hosts
127.0.0.1 ::1 172.17.0.0/16 172.18.0.0/16
OpenDMARC is configured like this
AuthservID mail.morpheu5.net HistoryFile /var/spool/opendmarc/opendmarc.dat IgnoreHosts /etc/opendmarc/ignore.hosts RejectFailures false Socket inet:8893@localhost SoftwareHeader true Syslog true UMask 007 UserID opendmarc:mail
With the following in
ignore.hosts
localhost 172.17.0.0/16 172.18.0.0/16
So... why does OpenDMARC fails pretty much everything that comes through the door?
EDIT I ran
opendmarc -t
on one of these messages and the worst that happens isopendmarc: mlfi_connect() returned SMFIS_ACCEPT
if I run it with the my custom config file, and
opendmarc: mlfi_connect() returned SMFIS_CONTINUE opendmarc: mlfi_helo() returned SMFIS_CONTINUE opendmarc: message: mlfi_envfrom() returned SMFIS_CONTINUE opendmarc: message: line 1: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 2: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 3: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 8: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 13: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 14: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 15: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 16: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 23: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 24: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 26: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 27: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 28: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 29: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 30: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 31: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 34: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 35: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 37: mlfi_header() returned SMFIS_CONTINUE opendmarc: message: line 38: mlfi_header() returned SMFIS_CONTINUE ### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; dmarc=fail (p=none dis=none) header.from=example.com' opendmarc: message: mlfi_eom() returned SMFIS_ACCEPT opendmarc: mlfi_close() returned SMFIS_CONTINUE
if I don't specify my custom config file (which is in a weird location because reasons).
EDIT Gmail now passes SPF, DKIM, and eventually opendmarc gives it a pass. Not sure what happened.
EDIT Follow-up: What is wrong with this e-mail which is failing SPF(mailfrom) and DMARC?
-
Ingvar J over 5 yearssee alos [this post] (serverfault.com/questions/923526/…)
-
Morpheu5 over 5 yearsThanks for your answer! I added
127.0.0.1
to the ignored hosts (though I hadlocalhost
in there, so that should have been the same). No effect. I also tried settingAuthservID
toHOSTNAME
(andTrustedAuthservID
too, just in case). No effect again. I should also say that, if I enable the SPF check performed by opendmarc itself, that also fails. -
Ingvar J over 5 yearsthat was my 50 cent for the moment...
-
Ingvar J over 5 yearsother than what You already tested ...
TrustedAuthservIDs mail.morpheu5.net.
-
Morpheu5 over 5 yearsThe thing that annoys me greatly is that I can't seem to get any useful debug messages or any kind of information on what exactly is failing. I kind-of got the sense that a hint may be contained in the
Authentication-Results
headers, but they are hard as hell to read… -
Ingvar J over 5 yearsJust a silly question: does your mail host use an internal DNS, where the DKIM/SPF/DMARC entries are not available? Or is it another DNS related issue rather than opendmarc config
-
Morpheu5 over 5 yearsI'm the mail host, as far as I can tell (I set up my own Postfix/Dovecot cabal). I also control the DNS records, and they are all set up correctly, otherwise I'd be failing tests when, for example, sending to a Gmail address, instead I get all passes. You can check one of my domains (the others are configured more or less the same, save for the signing keys) for example
unijobs.it
(dkim atmail._domainkey.unijobs.it
, dmarc record at_dmarc.unijobs.it
). -
Ingvar J over 5 yearsI just send an e-mail to [email protected] Can you copy the maillog when the DMARC is evaluated? (return to the same sender as in the email)
-
Morpheu5 over 5 yearsTried that too, didn't work, thanks for your suggestion though.
-
EOhm over 4 yearsNo that happens after checking. You have to read headers bottom to top. Problem that dmarc fails is probably because of wrong order (before dkim) and bad spf results (so to say missing SPF test result). Opendmarc needs at least one if them to succeed.