• dmarc=fail: sendmail, spf, dkim and opendmarc

    From Wolfgang Agnes@21:1/5 to All on Tue Nov 12 14:56:12 2024
    I've been able to see my spf, dkim and opendmarc policy working with
    SMTPs that are not my own. My problem has been with the filters on my
    own system. Even though my SMTP seems to add the SPF header and the
    DKIM headers, it seems that opendmarc on my system never seems satisfied
    and so it seems to always fail every message I send out. I describe my
    entire system further below, but I think I should begin with the
    symptoms first. I appreciate any help on this. Thanks!

    (*) A test message sent to a remote site

    %swaks --to someone@remote.site --from me@antartida.xyz \
    --auth CRAM-MD5 --auth-user me \
    --header-X-Test "test email" \
    --server antartida.xyz
    Password: <secret>
    === Trying antartida.xyz:25...
    === Connected to antartida.xyz.
    <- 220 antartida.xyz ESMTP Sendmail 8.18.1/8.18.1; Tue, 12 Nov 2024 14:34:50 -0300 (-03)
    EHLO antartida.xyz
    <- 250-antartida.xyz Hello mx.antartida.xyz [195.88.57.140], pleased to meet you
    <- 250-ENHANCEDSTATUSCODES
    <- 250-PIPELINING
    <- 250-8BITMIME
    <- 250-SIZE
    <- 250-DSN
    <- 250-ETRN
    <- 250-AUTH DIGEST-MD5 CRAM-MD5
    <- 250-STARTTLS
    <- 250-DELIVERBY
    <- 250 HELP
    AUTH CRAM-MD5
    <- 334 PDIxNTE2NjU4MTUuMzM3OTc0NUBhbnRhcnRpZGEueHl6Pg==
    ZGJhc3RvcyAyOGMzNzcyN2IzZWYxNDgzNDc1MzhmYTM4MjI1MjQyNQ==
    <- 235 2.0.0 OK Authenticated
    MAIL FROM:<me@antartida.xyz>
    <- 250 2.1.0 <me@antartida.xyz>... Sender ok
    RCPT TO:<someone@remote.site>
    <- 250 2.1.5 <someone@.remote.site>... Recipient ok
    DATA
    <- 354 End data with <CR><LF>.<CR><LF>
    Date: Tue, 12 Nov 2024 14:34:47 -0300
    To: someone@remote.site
    From: me@antartida.xyz
    Subject: test Tue, 12 Nov 2024 14:34:47 -0300
    Message-Id: <20241112143447.077593@antartida.xyz>
    X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
    X-Test: test email

    This is a test mailing


    .
    <- 250 2.0.0 4ACHYoGx077594 Message accepted for delivery
    QUIT
    <- 221 2.0.0 antartida.xyz closing connection
    === Connection closed with remote host.

    (*) The local maillog

    This is long because I had LogLevel=15. You'll see below that opendmarc
    adds the authentication-results header with a failure, but the spf and
    dkim headers appear to be correct. I show these two relevant log lines
    first and then I show the entire set of log lines in case it's useful.

    --8<-------------------------------------------------------->8---
    Nov 12 14:34:51 antartida opendmarc[53126]: 4ACHYoGx077594:
    antartida.xyz fail

    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter
    (opendmarc) insert (1): header: Authentication-Results: antartida.xyz; dmarc=fail (p=reject dis=none) header.from=antartida.xyz
    --8<-------------------------------------------------------->8---

    Now the entire SMTP session:

    Nov 12 14:34:50 antartida sm-mta[77594]: NOQUEUE: connect from mx.antartida.xyz [195.88.57.140]
    Nov 12 14:34:50 antartida sm-mta[77594]: AUTH: available mech=SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256 SCRAM-SHA-224 SCRAM-SHA-1 DIGEST-MD5 OTP CRAM-MD5 NTLM ANONYMOUS, allowed mech=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (spfmilter): init success to negotiate
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (dkim-filter): init success to negotiate
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (opendmarc): init success to negotiate
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: connect to filters
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=connect, continue
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=connect, continue
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=connect, continue
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 220 antartida.xyz ESMTP Sendmail 8.18.1/8.18.1; Tue, 12 Nov 2024 14:34:50 -0300 (-03)
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- EHLO antartida.xyz
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=helo, continue
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=helo, continue
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-antartida.xyz Hello mx.antartida.xyz [195.88.57.140], pleased to meet you
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-ENHANCEDSTATUSCODES
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-PIPELINING
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-8BITMIME
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-SIZE
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-DSN
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-ETRN
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-AUTH DIGEST-MD5 CRAM-MD5
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-STARTTLS
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-DELIVERBY
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 HELP
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- AUTH CRAM-MD5
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 334 PDIxNTE2NjU4MTUuMzM3OTc0NUBhbnRhcnRpZGEueHl6Pg==
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 235 2.0.0 OK Authenticated
    Nov 12 14:34:50 antartida sm-mta[77594]: AUTH=server, relay=mx.antartida.xyz [195.88.57.140], authid=me, mech=CRAM-MD5, bits=0
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- MAIL FROM:<me@antartida.xyz>
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: sender: <me@antartida.xyz>
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=mail, continue
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=mail, continue
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=mail, continue
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.1.0 <me@antartida.xyz>... Sender ok
    Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- RCPT TO:<someone@remote.site>
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: rcpts: <someone@remote.site>
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=rcpt, continue
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=rcpt, continue
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=rcpt, continue
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.1.5 <someone@remote.site>... Recipient ok
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: <-- DATA
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 354 End data with <CR><LF>.<CR><LF>
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: from=<me@antartida.xyz>, size=287, class=0, nrcpts=1, msgid=<20241112143447.077593@antartida.xyz>, proto=ESMTPA, daemon=IPv4, relay=mx.antartida.xyz [195.88.57.140]
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=header, continue
    Nov 12 14:34:51 antartida syslogd: last message repeated 6 times
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=eoh, continue
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (spfmilter) insert (0): header: Received-SPF: pass (antartida.xyz: authenticated connection) receiver=antartida.xyz; client-ip=195.88.57.140; helo=antartida.xyz; envelope-from=me@antartida.xyz; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.11;
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=header, continue
    Nov 12 14:34:51 antartida syslogd: last message repeated 7 times
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=eoh, continue
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=body, continue
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (dkim-filter) insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=antartida.xyz;\n\ts=default; t=1731432891;\n\tbh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=;\n\th=Date:To:From:Subject;\n\tb=IDOMq8KnwMb7bgpeMGJOuiW/i9PbmFi9UE4df2u07P6agEeuGAbzepdq9tUmYc5w8\n\t gv5J9u2x8iALPN/6TEzVuDLBhhLfO8XCpWcuK+i5fLKKajo5cpGNVkoMI0cB36zCO3\n\t AwH/wK5f2K8YOgUbQbHYZQBLDdneC1Cp45wYmK0o=
    Nov 12 14:34:51 antartida opendkim[35443]: 4ACHYoGx077594: DKIM-Signature field added (s=default, d=antartida.xyz)
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=header, continue
    Nov 12 14:34:51 antartida syslogd: last message repeated 8 times
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=eoh, continue
    Nov 12 14:34:51 antartida opendmarc[53126]: 4ACHYoGx077594: antartida.xyz fail
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (opendmarc) insert (1): header: Authentication-Results: antartida.xyz; dmarc=fail (p=reject dis=none) header.from=antartida.xyz
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter accept: message
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.0.0 4ACHYoGx077594 Message accepted for delivery
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoH0077594: <-- QUIT
    Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoH0077594: --- 221 2.0.0 antartida.xyz closing connection
    Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: --- 050 <someone@remote.site>... Connecting to aspmx.l.google.com. via esmtp...
    Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: makeconnection (aspmx.l.google.com. [IPv6:2607:f8b0:400c:c36:0:0:0:1b].25 (28)) failed: No route to host
    Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: SMTP outgoing connect on mx.antartida.xyz
    Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS: CRLFile missing
    Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, init=1
    Nov 12 14:34:51 antartida sm-mta[77596]: tls_clt_features=(null), relay=aspmx.l.google.com [74.125.139.26]
    Nov 12 14:34:51 antartida sm-mta[77596]: tls_clt_features=empty, stat=0, relay=aspmx.l.google.com [74.125.139.26]
    Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, start=ok
    Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, info: fds=8/5, err=2
    Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS: TLS cert verify: depth=2 /C=US/O=Google Trust Services LLC/CN=GTS Root R1, state=0, reason=unable to get issuer certificate
    Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, get_verify: 2 get_peer: 0x37afc4c39780
    Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
    Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, cert-subject=/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Trust+20Services/CN=WR2, verifymsg=unable to get issuer certificate
    Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=read, info: fds=8/5, err=2
    Nov 12 14:34:52 antartida syslogd: last message repeated 4 times
    Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: --- 050 <someone@remote.site>... Sent (OK 1731432897 ada2fe7eead31-4aaa7bac85asi3247497137.420 - gsmtp)
    Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: to=<someone@remote.site>, ctladdr=<me@antartida.xyz> (1003/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30287, relay=aspmx.l.google.com. [74.125.139.26], dsn=2.0.0, stat=Sent (OK 1731432897 ada2fe7eead31-4aaa7bac85asi3247497137.420 - gsmtp)
    Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: done; delay=00:00:01, ntries=1
    Nov 12 14:34:52 antartida sm-mta[77596]: NOQUEUE: --- 050 Closing connection to aspmx.l.google.com.
    Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=read, info: fds=8/5, err=2
    Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, SSL_shutdown failed: -1

    (*) What opendmarc notices

    You'll see in my opendmarc configuration below that I'm using a
    history.txt file for debugging purposes. For the test message above, I
    find this record in history.txt:

    job 4ACHYoGx077594
    reporter antartida.xyz
    received 1731432891
    ipaddr 195.88.57.140
    from antartida.xyz
    mfrom antartida.xyz
    spf 3
    pdomain antartida.xyz
    policy 16
    rua mailto:postmaster@antartida.xyz
    pct 100
    adkim 115
    aspf 115
    p 114
    sp 0
    align_dkim 5
    align_spf 5
    arc 7
    arc_policy 2 json:[]
    action 2

    The meaning of these numbers can be found in the OpenDMARC source code.
    For example,

    https://raw.githubusercontent.com/trusteddomainproject/OpenDMARC/refs/heads/master/opendmarc/README

    says that align_dkim and align_spf of 5 means that there's no alignment
    between mailfrom and the spf and dkim headers. I didn't expect that
    because the domain antartida.xyz seems to be the only domain involved
    here. But I ask myself---is OpenDMARC seeing the same headers as I do
    when I look at the final message?

    Before I had installed the spfmilter, that value ``spf 3'' was ``spf
    -1'' and -1 means the spf header was not even evaluated. (It's what the
    README at the URL above says.) Now that the spf header really is
    present, it says 3 but the README doesn't say what 3 means.

    I provide the information below in case it's useful at all.


    (*) My policies (in the DNS records)

    %host -t txt antartida.xyz
    antartida.xyz descriptive text "v=spf1 a mx ip4:195.88.57.140 -all"

    %host -t txt default._domainkey.antartida.xyz
    default._domainkey.antartida.xyz descriptive text "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9yjHh4+28QGxMOXOVIxQM5kpESx1ILsdtVRwqwVEmnNozOgPdx8N42iHPlpvYALsDdHxX/sY6AYurdZCgtRSlnieoCFu2eeA7KczpO8o8evpqzUqEUnxH7YIFbi4ZqP+FMocNal4WCPWr5XLdsyQ7mQacVb3L/AxUOIyUvclPnQIDAQAB"

    %host -t txt _dmarc.antartida.xyz
    _dmarc.antartida.xyz descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:postmaster@antartida.xyz;"

    (*) My system

    On FreeBSD, I installed spfmilter-2.001_2, opendkim and opendmarc with Sendmail 8.18.1. The milter configuration in sendmail.mc looks like this:

    INPUT_MAIL_FILTER(`spfmilter',`S=unix:/var/run/spfmilter.sock')
    INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost', F=T, T=R:2m)
    INPUT_MAIL_FILTER(`opendmarc', `S=inet:8893@localhost')

    The command-line arguments for spfmilter are

    /usr/local/libexec/spfmilter \
    --user mailnull \
    unix:/var/run/spfmilter.sock

    For opendkim:

    /usr/local/sbin/opendkim -l -u mailnull:mailnull \
    -P /var/run/opendkim/opendkim.pid \
    -x /usr/local/etc/mail/opendkim.conf

    For opendmarc:

    /usr/local/sbin/opendmarc -l -P /var/run/opendmarc/pid \
    -c /usr/local/etc/mail/opendmarc.conf \
    -p inet:8893@localhost \
    -u mailnull:mailnull

    (*) OpenDKIM configuration

    AutoRestart Yes
    AutoRestartRate 10/1h
    UMask 002
    Syslog yes
    SyslogSuccess Yes
    LogWhy Yes

    Canonicalization relaxed/simple

    ExternalIgnoreList refile:/etc/mail/dkim/TrustedHosts
    InternalHosts refile:/etc/mail/dkim/TrustedHosts
    KeyTable refile:/etc/mail/dkim/KeyTable
    SigningTable refile:/etc/mail/dkim/SigningTable

    Mode sv
    PidFile /var/run/opendkim/opendkim.pid
    SignatureAlgorithm rsa-sha256

    UserID mailnull:mailnull

    Socket inet:8891@127.0.0.1

    Domain antartida.xyz
    Selector default

    (*) OpenDMARC configuration:

    %grep -v '^#' opendmarc.conf | grep -v '^$'
    AuthservID antartida.xyz
    HistoryFile /var/run/opendmarc/history.txt
    RecordAllMessages true

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
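The history.txt record above stores most fields as numbers. The following is an added example, not OpenDMARC's own code: a small Python decoder for the record quoted in the post. It turns the ASCII-coded p/sp/adkim/aspf fields back into letters (114 = 'r', 115 = 's'), labels the align_* codes (5 = not aligned per the README cited above; 4 = aligned is an assumption taken from libopendmarc's alignment constants), treats spf -1 as "not evaluated" as the post states, leaves other spf codes as raw values with a pointer to OpenDMARC's ARES_RESULT_* constants (their header location is assumed), and finally checks that what OpenDMARC recorded matches the published _dmarc TXT record, which tells you whether the policy lookup itself worked.

```python
"""Decode one OpenDMARC history.txt record (added example; not OpenDMARC code)."""

# Constructed copy of the history.txt record quoted in the post.
HISTORY_RECORD = """\
job 4ACHYoGx077594
reporter antartida.xyz
received 1731432891
ipaddr 195.88.57.140
from antartida.xyz
mfrom antartida.xyz
spf 3
pdomain antartida.xyz
policy 16
rua mailto:postmaster@antartida.xyz
pct 100
adkim 115
aspf 115
p 114
sp 0
align_dkim 5
align_spf 5
arc 7
arc_policy 2 json:[]
action 2
"""

# The published _dmarc TXT record from the post.
DMARC_TXT = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:postmaster@antartida.xyz;"

# These fields hold the ASCII code of the tag's first letter: 114 = 'r', 115 = 's'.
# A value of 0 means the tag was absent from the record (here: no sp= tag).
ASCII_FIELDS = ("p", "sp", "adkim", "aspf")

# align_*: 5 = not aligned per the OpenDMARC README cited in the post;
# 4 = aligned is assumed from libopendmarc's DMARC_POLICY_*_ALIGNMENT_PASS.
ALIGNMENT_CODES = {4: "aligned", 5: "not aligned"}

# spf: -1 = not evaluated per the README. Other values are left as raw codes;
# they correspond to the ARES_RESULT_* constants in OpenDMARC's source
# (assumed to live in opendmarc-ar.h).
SPF_CODES = {-1: "not evaluated"}


def parse_history(text):
    """Split 'key value' lines into a dict; numeric values become ints and
    anything else (domains, the arc_policy json payload) stays a string."""
    record = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if not key:
            continue
        try:
            record[key] = int(value)
        except ValueError:
            record[key] = value
    return record


def decode_history(record):
    """Translate the numeric fields of a parsed record into readable form."""
    out = {}
    for key in ASCII_FIELDS:
        code = record.get(key, 0)
        out[key] = chr(code) if code else None
    for key in ("align_dkim", "align_spf"):
        code = record.get(key)
        out[key] = ALIGNMENT_CODES.get(code, f"code {code}")
    spf = record.get("spf")
    out["spf"] = SPF_CODES.get(spf, f"code {spf} (see ARES_RESULT_* in OpenDMARC)")
    return out


def parse_dmarc_txt(txt):
    """Parse 'tag=value; ...' DMARC TXT syntax into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def history_matches_dns(record, txt):
    """Return a list of mismatches between what OpenDMARC recorded (p, adkim,
    aspf as letters) and the published record; an empty list means the policy
    lookup itself worked and the failure must come from the alignment inputs."""
    published = parse_dmarc_txt(txt)
    decoded = decode_history(record)
    mismatches = []
    for key in ("p", "adkim", "aspf"):
        if key not in published:
            continue  # tag absent in DNS: OpenDMARC applies its default
        if decoded[key] != published[key][0]:
            mismatches.append(f"{key}: history {decoded[key]!r} vs DNS {published[key]!r}")
    return mismatches


if __name__ == "__main__":
    rec = parse_history(HISTORY_RECORD)
    for k, v in decode_history(rec).items():
        print(f"{k:<10} {v}")
    print("mismatches:", history_matches_dns(rec, DMARC_TXT) or "none")
```

For the record above the decoder reports p = 'r', adkim = 's', aspf = 's' and no mismatch against DNS, so OpenDMARC fetched the right policy; both align_* fields decode to "not aligned", which is where the dmarc=fail comes from.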
  • From Marco Moock@21:1/5 to All on Tue Nov 12 20:45:07 2024
    On 12.11.2024 um 14:56 Uhr Wolfgang Agnes wrote:

    > This is long because I had LogLevel=15. You'll see below that
    > opendmarc adds the authentication-results header with a failure, but
    > the spf and dkim headers appear to be correct. I show these two
    > relevant log lines first and then I show the entire set of log lines
    > in case it's useful.

    If you send outgoing mail, neither SPF nor DMARC must be checked
    because they fail by design in this situation.
    DKIM needs to sign it, as it does.

    You need to configure the dmarc milter not to check if the mail is
    being submitted from your clients (e.g. because they use auth or come
    from your own IP ranges).
    Sadly, I cannot tell you how to configure it to do that, I had the same
    problem and I am currently not using any SPF nor dmarc milters.

    The opendkim milter doesn't check DKIM if authentication is being used
    or the mail comes from whitelisted IP ranges. I dunno if opendmarc
    has the same options.

    --
    kind regards
    Marco

    Send spam to 1731419772muell@cartoonies.org

  • From Wolfgang Agnes@21:1/5 to Marco Moock on Tue Nov 12 21:58:15 2024
    Marco Moock <mm+usenet-es@dorfdsl.de> writes:

    > On 12.11.2024 um 14:56 Uhr Wolfgang Agnes wrote:
    >
    > > This is long because I had LogLevel=15. You'll see below that
    > > opendmarc adds the authentication-results header with a failure, but
    > > the spf and dkim headers appear to be correct. I show these two
    > > relevant log lines first and then I show the entire set of log lines
    > > in case it's useful.
    >
    > If you send outgoing mail, neither SPF nor DMARC must be checked
    > because they fail by design in this situation.

    Can you elaborate? I thought I could have authenticated users trying to
    spoof mail. For instance, my domain may be antartida.xyz, but some
    authenticated user could try to use, say, presidency.antartida.xyz or
    something like that.

    > You need to configure the dmarc milter not to check if the mail is
    > being submitted from your clients (e.g. because they use auth or come
    > from your own IP ranges).
    > Sadly, I cannot tell you how to configure it to do that, I had the same
    > problem and I am currently not using any SPF nor dmarc milters.

    Thanks! We've got IgnoreAuthenticatedClients, which eliminates ``the
    problem''. With this option enabled, OpenDMARC now only says it
    accepts the message---no questions asked.

    --8<-------------------------------------------------------->8---
    Nov 12 21:49:02 antartida sm-mta[81837]: 4AD0n2v0081837: milter=opendmarc, action=mail, accepted
    --8<-------------------------------------------------------->8---

    ## IgnoreAuthenticatedClients { true | false }
    ## default "false"
    ##
    ## If set, causes mail from authenticated clients (i.e., those that used
    ## SMTP AUTH) to be ignored by the filter.
    #
    IgnoreAuthenticatedClients true

    (*) Other options

    In the same spirit, there's also IgnoreHosts and IgnoreMailFrom.

    ## IgnoreHosts path
    ## default (internal)
    ##
    ## Specifies the path to a file that contains a list of hostnames, IP
    ## addresses, and/or CIDR expressions identifying hosts whose SMTP
    ## connections are to be ignored by the filter. If not specified, defaults
    ## to "127.0.0.1" only.
    #
    # IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts

    ## IgnoreMailFrom domain[,...]
    ## default (none)
    ##
    ## Gives a list of domain names whose mail (based on the From: domain) is to
    ## be ignored by the filter. The list should be comma-separated. Matching
    ## against this list is case-insensitive. The default is an empty list,
    ## meaning no mail is ignored.
    #
    # IgnoreMailFrom example.com

  • From Marco Moock@21:1/5 to All on Wed Nov 13 17:09:40 2024
    On 12.11.2024 um 21:58 Uhr Wolfgang Agnes wrote:

    > Marco Moock <mm+usenet-es@dorfdsl.de> writes:
    >
    > > On 12.11.2024 um 14:56 Uhr Wolfgang Agnes wrote:
    > >
    > > > This is long because I had LogLevel=15. You'll see below that
    > > > opendmarc adds the authentication-results header with a failure,
    > > > but the spf and dkim headers appear to be correct. I show these
    > > > two relevant log lines first and then I show the entire set of log
    > > > lines in case it's useful.
    > >
    > > If you send outgoing mail, neither SPF nor DMARC must be checked
    > > because they fail by design in this situation.
    >
    > Can you elaborate?

    The SPF record of a domain includes IP addresses of the outgoing mail
    servers. Your users have other IP addresses from anywhere in the world.
    They use authentication to prove their identity. Maybe there are
    milters to map such an identity to an email address, so address forging
    can be prevented.

    SPF doesn't work for that.

    DMARC needs DKIM and SPF to work and is intended for incoming mail. As
    there is no Authentication-Results SPF header when mail is being
    submitted, DMARC makes no sense here. If there is already a DKIM
    signature, it could verify the policy, but that makes no sense in that
    situation.

    > > You need to configure the dmarc milter not to check if the mail is
    > > being submitted from your clients (e.g. because they use auth or
    > > come from your own IP ranges).
    > > Sadly, I cannot tell you how to configure it to do that, I had the
    > > same problem and I am currently not using any SPF nor dmarc
    > > milters.
    >
    > Thanks! We've got IgnoreAuthenticatedClients, which eliminates ``the
    > problem''. With this option enabled, OpenDMARC now only says it
    > accepts the message---no questions asked.

    Thanks!
    I was searching for that and didn't find it.

    --
    kind regards
    Marco

    Send spam to 1731445095muell@cartoonies.org

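Marco's explanation (SPF describes the domain's outgoing servers, so a roaming authenticated client cannot rely on it, and DMARC wants an aligned DKIM or SPF pass) and Wolfgang's earlier question about an authenticated user putting presidency.antartida.xyz in From: can both be worked through with a small model of the RFC 7489 alignment rules. The following is an added example and not OpenDMARC's code: it uses the thread's domain antartida.xyz with its published adkim=s/aspf=s, models IgnoreAuthenticatedClients and IgnoreHosts as a plain skip decision (default 127.0.0.1 only, as the quoted opendmarc.conf comment says), and simplifies the organizational domain to the last two labels instead of consulting the Public Suffix List. The scenario inputs are constructed; in particular the assumption that the submission host's own DMARC filter has no verified DKIM result to work with (the signature was just added there, not verified) is this example's modelling, not something the log proves.

```python
"""Simplified DMARC evaluation (RFC 7489 alignment) and OpenDMARC-style skip
rules. Added example, not OpenDMARC code; domain and policy from the thread."""
from dataclasses import dataclass
import ipaddress


@dataclass
class AuthResults:
    """What a DMARC evaluator gets to see for one message."""
    from_domain: str               # RFC5322.From domain
    spf_result: str = "none"       # pass / fail / neutral / none ...
    spf_domain: str = ""           # RFC5321.MailFrom domain the SPF result is for
    dkim_pass_domains: tuple = ()  # d= of every DKIM signature that verified


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real
    evaluators consult the Public Suffix List, which this example omits."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """RFC 7489 section 3.1 identifier alignment: strict ('s') needs an exact
    match, relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(res, adkim="r", aspf="r"):
    """'pass' if at least one aligned DKIM pass or an aligned SPF pass exists."""
    dkim_ok = any(aligned(res.from_domain, d, adkim) for d in res.dkim_pass_domains)
    spf_ok = res.spf_result == "pass" and aligned(res.from_domain, res.spf_domain, aspf)
    return "pass" if (dkim_ok or spf_ok) else "fail"


def should_skip_dmarc(authenticated, client_ip, ignore_hosts=("127.0.0.1",)):
    """Model of IgnoreAuthenticatedClients and IgnoreHosts: mail from an SMTP
    AUTH client, or from a listed host/CIDR (default 127.0.0.1 only, as the
    quoted opendmarc.conf comment says), is not evaluated at all."""
    if authenticated:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in ignore_hosts)


def thread_scenarios():
    """Constructed cases for antartida.xyz with its published adkim=s / aspf=s."""
    strict = {"adkim": "s", "aspf": "s"}
    # 1. The submitted message as the submission host's own DMARC filter sees
    #    it (assumed): the DKIM signature was just added, not verified, and
    #    there is no SPF pass to rely on for an authenticated client, so DMARC
    #    can only fail.
    at_submission = AuthResults("antartida.xyz", spf_result="none")
    # 2. The same message at the remote receiver: the signature verifies with
    #    d=antartida.xyz, which aligns strictly with From:, so DMARC passes.
    at_receiver = AuthResults("antartida.xyz", spf_result="pass",
                              spf_domain="antartida.xyz",
                              dkim_pass_domains=("antartida.xyz",))
    # 3. From: presidency.antartida.xyz signed with d=antartida.xyz: aligned
    #    under relaxed mode, but not under the strict adkim=s the domain publishes.
    subdomain = AuthResults("presidency.antartida.xyz",
                            dkim_pass_domains=("antartida.xyz",))
    return {
        "at_submission": dmarc_result(at_submission, **strict),
        "at_receiver": dmarc_result(at_receiver, **strict),
        "subdomain_strict": dmarc_result(subdomain, **strict),
        "subdomain_relaxed": dmarc_result(subdomain),
        "skip_authenticated": should_skip_dmarc(True, "195.88.57.140"),
        "skip_unauthenticated": should_skip_dmarc(False, "195.88.57.140"),
    }


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name:<22} {outcome}")
```

The point of the two strict/relaxed subdomain cases is that the published adkim=s/aspf=s already refuses to let a d=antartida.xyz signature vouch for a presidency.antartida.xyz From: at any receiver that evaluates DMARC; the submission host skipping its own check with IgnoreAuthenticatedClients does not weaken that, because DMARC is enforced by the receiving side.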