I posted about a DMARC problem and I think I have found a real bug in opendmarc.
Opendmarc reads opendkim results from the header, and initially I had not verified it. If I don't make a verify, opendkim can only use SPF results to validate, but in the header I have no SPF results.
So I put SPFSelfValidate true in the opendkim directives to instruct opendkim to do the SPF check itself.
But I found a lot of messages that have SPF pass in the spamassassin check and fail in the opendkim SPF check.
Analyzing those messages, it seems that SPFSelfValidate true makes an SPF verification that fails when it has to resolve INCLUDES in the TXT record.
This is an example:
Received: from mailX12.eud.schneider-electric.com (mailx12.eud.schneider-electric.com [159.215.248.166])
Authentication-Results: EFA42.gruppocomet.it; dmarc=fail (p=quarantine dis=none) header.from=it.schneider-electric.com
Authentication-Results: EFA42.gruppocomet.it; spf=fail smtp.mailfrom=IT-NO-BO-AreaAmministrativa@it.schneider-electric.com
-0.15 SPF_PASS SPF: sender matches SPF record
"v=spf1 include:it.schneider-electric.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2050.outbound.protection.outlook.com [40.107.244.50])
Authentication-Results: EFA42.gruppocomet.it; dmarc=pass (p=reject dis=none) header.from=ra.rockwell.com
Authentication-Results: EFA42.gruppocomet.it; spf=fail smtp.mailfrom=PPrymas@ra.rockwell.com
-0.15 SPF_PASS SPF: sender matches SPF record
v=spf1 include:ra.rockwell.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:_netblocks.eloqua.com include:spf.messagelabs.com include:spf.protection.outlook.com -all
Probably we need to resolve the bug in the opendkim SPF test, OR better, we need to add an SPF test that puts results into the header. Can mailscanner do this, or does it run after DMARC?
It could be done better by postfix.
I suggest putting the latest opendkim in the next eFa install.
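Both SPF records quoted above contain an include: target built from macros (%{i}, %{h}, %{d}), which an SPF checker has to expand as described in RFC 7208 section 7 before it can do the DNS lookup. The sketch below is an added example, not part of the original post or of any tool discussed in this thread; it expands the first record with the connection values from the Schneider sample, assumes that record is the one published for the envelope sender's domain, and uses illustrative function names.

```python
import ipaddress
import re
from urllib.parse import quote

# Values copied from the first sample in the post above.
RECORD = ("v=spf1 include:it.schneider-electric.com._nspf.vali.email "
          "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all")
CLIENT_IP = "159.215.248.166"
HELO = "mailX12.eud.schneider-electric.com"
MAIL_FROM = "IT-NO-BO-AreaAmministrativa@it.schneider-electric.com"

_MACRO = re.compile(r"%(?:\{([slodiphv])(\d*)(r?)([.\-+,/_=]*)\}|([%_\-]))", re.I)


def expand_spf_macros(spec, ip, sender, helo, domain=None):
    """Expand RFC 7208 section 7 macros in a domain-spec (hypothetical helper)."""
    if "@" not in sender:
        sender = "postmaster@" + sender
    local, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    # IPv6 addresses expand to dot-separated nibbles, IPv4 to the dotted quad.
    ip_text = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain or sender_domain,
              "i": ip_text, "h": helo, "p": "unknown",
              "v": "in-addr" if addr.version == 4 else "ip6"}

    def repl(match):
        letter, digits, rev, delims, literal = match.groups()
        if literal:  # %% -> "%", %_ -> " ", %- -> "%20"
            return {"%": "%", "_": " ", "-": "%20"}[literal]
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if rev:
            parts.reverse()
        if digits and int(digits) > 0:
            parts = parts[-int(digits):]  # keep the right-most N labels
        expanded = ".".join(parts)
        return quote(expanded, safe="") if letter.isupper() else expanded

    return _MACRO.sub(repl, spec)


def include_targets(record, **ctx):
    """Return the DNS names an evaluator has to look up for each include: term."""
    return [expand_spf_macros(term[len("include:"):], **ctx)
            for term in record.split() if term.lower().startswith("include:")]


if __name__ == "__main__":
    for name in include_targets(RECORD, ip=CLIENT_IP, sender=MAIL_FROM, helo=HELO):
        print(name)
```

Comparing these names with the TXT queries the milter actually sends (for example in a resolver query log) shows whether the macro include is being expanded.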
SPF of DMARC problem
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: SPF of DMARC problem
Another solution can be to make postfix generate a header with the SPF check.
dnf install pypolicyd-spf
but the install fails:
file /usr/bin/spfquery from install of python3-pyspf-2.0.14-8.el8.noarch conflicts with file from package perl-Mail-SPF-Query-1.999.1-1.eFa.el8.noarch
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: SPF of DMARC problem
I can probably make a package for eFa of pypolicyd-spf for everyone.
Long story short perl-Mail-SPF-Query was needed in eFa because the stock perl-Mail-SPF for whatever reason is missing this submodule. pypolicyd-spf probably has the same module bundled in it.
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: SPF of DMARC problem
These are my DMARC spamassassin rules with a workaround for this problem.
When DMARC passes I give a bonus.
When DMARC fails I check the SPF that comes from spamassassin before giving a real fail; if it passes I assume that it doesn't fail.
header SA_DMARC_NONE Authentication-Results =~ /gruppocomet\.it.+dmarc=none/
describe SA_DMARC_NONE DMARC none
score SA_DMARC_NONE 0.10
header SA_DMARC_PASS Authentication-Results =~ /gruppocomet\.it.+dmarc=pass/
describe SA_DMARC_PASS DMARC check pass
score SA_DMARC_PASS -0.10
header __SA_DMARC_T_FAIL Authentication-Results =~ /gruppocomet\.it.+dmarc=fail/
header __SA_DMARC_D_QUARANTINE Authentication-Results =~ /gruppocomet\.it.+p=quarantine/
header __SA_DMARC_D_REJECT Authentication-Results =~ /gruppocomet\.it.+p=reject/
meta SA_DMARC_PASS_QUARANTINE ( SA_DMARC_PASS && __SA_DMARC_D_QUARANTINE )
describe SA_DMARC_PASS_QUARANTINE DMARC check pass, sender want Quarantine
score SA_DMARC_PASS_QUARANTINE -0.30
meta SA_DMARC_PASS_REJECT ( SA_DMARC_PASS && __SA_DMARC_D_REJECT )
describe SA_DMARC_PASS_REJECT DMARC check pass, sender want Reject
score SA_DMARC_PASS_REJECT -0.60
# Sometimes dmarc fails because it has a bug that doesn't recognize particular spf with includes
# so we also check that there is not an spf pass by spamassassin to give a real fail
meta SA_DMARC_FAIL ( __SA_DMARC_T_FAIL && ! SPF_PASS )
describe SA_DMARC_FAIL DMARC check fail (with spamassassin Spf not pass)
score SA_DMARC_FAIL 0.20
meta SA_DMARC_FAIL_QUARANTINE ( SA_DMARC_FAIL && __SA_DMARC_D_QUARANTINE )
describe SA_DMARC_FAIL_QUARANTINE DMARC check failed, sender want Quarantine
score SA_DMARC_FAIL_QUARANTINE 0.50
meta SA_DMARC_FAIL_REJECT ( SA_DMARC_FAIL && __SA_DMARC_D_REJECT )
describe SA_DMARC_FAIL_REJECT DMARC check failed, sender want Reject
score SA_DMARC_FAIL_REJECT 1.00