opendmarc.service failed - kills mailscanner?

Bugs in eFa 4
SteveC
Posts: 8
Joined: 16 May 2023 19:16

Re: opendmarc.service failed - kills mailscanner?

Post by SteveC »

New post 'cause the other is getting long.

If helpful, I have the email that caused the above issue. When the eFa server the second time, it was sent to the plain postfix backup server.

I confirmed that flushing the cache to send it from backup to primary causes eFa to crash.

Steve
efa@kalthof.net
Posts: 6
Joined: 16 May 2023 17:42

Re: opendmarc.service failed - kills mailscanner?

Post by efa@kalthof.net »

Here is some more debug info:

May 16 13:22:28 efa postfix/smtpd[4227]: 4QLDNh0K3LzB6HKt: client=mailoutp.awi-potsdam.de[139.75.1.113]
May 16 13:22:28 efa postfix/cleanup[4235]: 4QLDNh0K3LzB6HKt: message-id=<050b7265188649de82b5915b078eba02@awi.de>
May 16 13:22:28 efa opendkim[2623]: 4QLDNh0K3LzB6HKt: mailoutp.awi-potsdam.de [139.75.1.113] not internal
May 16 13:22:28 efa opendkim[2623]: 4QLDNh0K3LzB6HKt: not authenticated
May 16 13:22:28 efa opendkim[2623]: 4QLDNh0K3LzB6HKt: DKIM verification successful
May 16 13:22:28 efa opendmarc[2622]: 4QLDNh0K3LzB6HKt: ignoring invalid ARC-Authentication-Results header "i=1;#012#011smtpd-out;#012#011none"
May 16 13:22:29 efa postfix/cleanup[4235]: 4QLDNh0K3LzB6HKt: milter-reject: END-OF-MESSAGE from mailoutp.awi-potsdam.de[139.75.1.113]: 4.7.1 Service unavailable - try again later; from=<x@awi.de> to=<y@z.net> proto=ESMTP helo=<mailoutp.awi-potsdam.de>

May 15 15:27:26 efa kernel: opendmarc[745]: segfault at 0 ip 00007f32b05d3a84 sp 00007f32ad98e118 error 4 in libbsd.so.0.11.7[7f32b05c7000+14000]
May 15 17:47:26 efa kernel: opendmarc[15643]: segfault at 0 ip 00007f0bd70ada84 sp 00007f0bcefd8118 error 4 in libbsd.so.0.11.7[7f0bd70a1000+14000]
May 16 08:57:27 efa kernel: opendmarc[10935]: segfault at 0 ip 00007fa7dfafaa84 sp 00007fa7cdfd6118 error 4 in libbsd.so.0.11.7[7fa7dfaee000+14000]
May 16 10:07:27 efa kernel: opendmarc[15674]: segfault at 0 ip 00007f9b47aeea84 sp 00007f9b456aa118 error 4 in libbsd.so.0.11.7[7f9b47ae2000+14000]
May 16 11:17:27 efa kernel: opendmarc[12461]: segfault at 0 ip 00007f747f131a84 sp 00007f747cced118 error 4 in libbsd.so.0.11.7[7f747f125000+14000]
May 16 12:27:27 efa kernel: opendmarc[25279]: segfault at 0 ip 00007f6919502a84 sp 00007f69160bc118 error 4 in libbsd.so.0.11.7[7f69194f6000+14000]
May 16 12:44:40 efa kernel: opendmarc[4205]: segfault at 0 ip 00007f35f91bca84 sp 00007f35f6d78118 error 4 in libbsd.so.0.11.7[7f35f91b0000+14000]
May 16 13:22:28 efa kernel: opendmarc[8947]: segfault at 0 ip 00007f4cfb02ca84 sp 00007f4cf8be8118 error 4 in libbsd.so.0.11.7[7f4cfb020000+14000]
May 16 14:47:28 efa kernel: opendmarc[7859]: segfault at 0 ip 00007f854d62ca84 sp 00007f85499e5118 error 4 in libbsd.so.0.11.7[7f854d620000+14000]
May 16 15:12:27 efa kernel: opendmarc[10097]: segfault at 0 ip 00007f40410eaa84 sp 00007f403e4a5118 error 4 in libbsd.so.0.11.7[7f40410de000+14000]
May 16 15:57:27 efa kernel: opendmarc[13646]: segfault at 0 ip 00007f87b58f7a84 sp 00007f87b34b3118 error 4 in libbsd.so.0.11.7[7f87b58eb000+14000]
May 16 17:07:27 efa kernel: opendmarc[16090]: segfault at 0 ip 00007fa06cf11a84 sp 00007fa0696be118 error 4 in libbsd.so.0.11.7[7fa06cf05000+14000]
May 16 17:32:28 efa kernel: opendmarc[8752]: segfault at 0 ip 00007f5ddfb25a84 sp 00007f5dcffda118 error 4 in libbsd.so.0.11.7[7f5ddfb19000+14000]

Thanks

Gerald
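
An added example, not part of any post in this thread: a Python log-triage sketch that groups the entries above by Postfix queue ID, decodes the syslog `#012`/`#011` escapes (LF and TAB) in the rejected ARC header, and lists messages that Postfix tempfailed with 4.7.1 after OpenDMARC logged the warning. The sample lines are copied from the post above; the function names and the same-second crash correlation are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (one message plus the kernel entry).
SAMPLE_LOG = """\
May 16 13:22:28 efa postfix/smtpd[4227]: 4QLDNh0K3LzB6HKt: client=mailoutp.awi-potsdam.de[139.75.1.113]
May 16 13:22:28 efa opendkim[2623]: 4QLDNh0K3LzB6HKt: DKIM verification successful
May 16 13:22:28 efa opendmarc[2622]: 4QLDNh0K3LzB6HKt: ignoring invalid ARC-Authentication-Results header "i=1;#012#011smtpd-out;#012#011none"
May 16 13:22:28 efa kernel: opendmarc[8947]: segfault at 0 ip 00007f4cfb02ca84 sp 00007f4cf8be8118 error 4 in libbsd.so.0.11.7[7f4cfb020000+14000]
May 16 13:22:29 efa postfix/cleanup[4235]: 4QLDNh0K3LzB6HKt: milter-reject: END-OF-MESSAGE from mailoutp.awi-potsdam.de[139.75.1.113]: 4.7.1 Service unavailable - try again later; from=<x@awi.de> to=<y@z.net> proto=ESMTP helo=<mailoutp.awi-potsdam.de>
"""
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([\w/.-]+)(?:\[\d+\])?: (.*)$")

def decode_syslog(text):
    """Undo rsyslog's #ooo octal escaping of control characters (#012 LF, #011 TAB)."""
    return re.sub(r"#([0-3][0-7]{2})", lambda m: chr(int(m.group(1), 8)), text)

def triage(log):
    """Return messages OpenDMARC rejected an ARC header for and Postfix then tempfailed."""
    msgs = defaultdict(dict)   # queue ID -> facts gathered for that message
    crashes = set()            # timestamps of kernel-reported opendmarc segfaults
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, prog, body = m.groups()
        if prog == "kernel":
            if body.startswith("opendmarc[") and "segfault" in body:
                crashes.add(ts)
            continue
        qid, _, rest = body.partition(": ")
        if prog == "postfix/smtpd" and rest.startswith("client="):
            msgs[qid]["client"] = rest[len("client="):]
        elif prog == "opendmarc" and "invalid ARC-Authentication-Results" in rest:
            msgs[qid].update(ts=ts, arc_header=decode_syslog(rest.split('"')[1]))
        elif prog == "postfix/cleanup" and "milter-reject" in rest and " 4.7.1 " in rest:
            sender = re.search(r"from=<[^>]*@([^>]+)>", rest)
            msgs[qid].update(tempfailed=True, sender_domain=sender.group(1) if sender else None)
    # Same-second match between the ARC warning and a segfault is a heuristic (assumption).
    return [dict(qid=q, crash_logged=f["ts"] in crashes, **f)
            for q, f in msgs.items() if "arc_header" in f and f.get("tempfailed")]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["client"], hit["sender_domain"], repr(hit["arc_header"]), hit["crash_logged"])
```

Run over a full maillog, the `client` values give the set of sending relays involved, which matters when a sender uses several outgoing mailers.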
SteveC
Posts: 8
Joined: 16 May 2023 19:16

Re: opendmarc.service failed - kills mailscanner?

Post by SteveC »

This is a known issue with opendmarc.

See https://github.com/trusteddomainproject ... issues/236

The fix is to edit the file /usr/lib/systemd/system/opendmarc.service and change the [Service] section to match the below by adding the restart directives.

Code:

[Service]
Type=forking
PIDFile=/run/opendmarc/opendmarc.pid
EnvironmentFile=-/etc/sysconfig/opendmarc
ExecStart=/usr/sbin/opendmarc $OPTIONS
ExecReload=/bin/kill -USR1 $MAINPID
User=opendmarc
Group=opendmarc
Restart=always
RestartSec=3

After editing, run the commands below, and your eFa should not crash when encountering an ARC header it cannot process.

Code:

systemctl daemon-reload
service opendmarc restart

SteveC
Posts: 8
Joined: 16 May 2023 19:16

Re: opendmarc.service failed - kills mailscanner?

Post by SteveC »

Question in case anyone knows.

Before I tried the solution above for a restart of the opendmarc service, I tried adding the opendmarc service to /etc/sysconfig/eFa-Monitor file with the line change

Code:

MonitoredServices=("mysqld=mysqld" "MailScanner=mailscanner" "master=postfix" "httpd=httpd" "clamd=clamd@scan" "unbound=unbound" "dccifd=adcc" "MSMilter=msmilter" "OpenDMARC=opendmarc")

It didn't seem to work, as the service wasn't restarted. Anyone know what I missed?

Steve
efa@kalthof.net
Posts: 6
Joined: 16 May 2023 17:42

Re: opendmarc.service failed - kills mailscanner?

Post by efa@kalthof.net »

Hi there,

To restart the daemon when the service crashes is not a solution, as mails from awi.de cannot be processed and never reach the destination.

I tried the ignore.hosts file in /etc/opendmarc to except the awi.de domain from dmarc processing, unfortunately the sender ceased to send us mails meanwhile!

Yours

Gerald
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: opendmarc.service failed - kills mailscanner?

Post by bostjanc »

Btw. Awi.de is not even on blacklist if I check with mx toolbox. What's up with this domain?
SteveC
Posts: 8
Joined: 16 May 2023 19:16

Re: opendmarc.service failed - kills mailscanner?

Post by SteveC »

bostjanc wrote: 18 May 2023 13:15
Btw. Awi.de is not even on blacklist if I check with mx toolbox. What's up with this domain?

The problem is with the ARC-Seal headers. I don't believe it's intentional.

Steve
efa@kalthof.net
Posts: 6
Joined: 16 May 2023 17:42

Re: opendmarc.service failed - kills mailscanner?

Post by efa@kalthof.net »

It must be the domain name itself which crashes opendmarc. I think it's a weird coincidence.

Can someone of the eFa developers check this with opendmarc development?

It seems that subdomains of awi.de are affected as well.

The dmarc-record seems to be fine:


dig _dmarc.awi.de txt

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> _dmarc.awi.de txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19840
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_dmarc.awi.de. IN TXT

;; ANSWER SECTION:
_dmarc.awi.de. 54 IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:dmarc@awi.de"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu May 18 14:14:58 UTC 2023
;; MSG SIZE rcvd: 113
SteveC
Posts: 8
Joined: 16 May 2023 19:16

Re: opendmarc.service failed - kills mailscanner?

Post by SteveC »

Have you tried adding the domains you want email from to the IgnoreMailFrom directive in opendmarc.conf file?

Code:

IgnoreMailFrom awi.de

That may allow mail from the domain to process through the other filters.
efa@kalthof.net
Posts: 6
Joined: 16 May 2023 17:42

Re: opendmarc.service failed - kills mailscanner?

Post by efa@kalthof.net »

As I wrote, I already put the domain awi.de in /etc/opendmarc/ignore.hosts

but this is a workaround, not a fix!

Yours

Gerald
efa@kalthof.net
Posts: 6
Joined: 16 May 2023 17:42

Re: opendmarc.service failed - kills mailscanner?

Post by efa@kalthof.net »

The entry in ignore.hosts did not help really, as they use a bunch of outgoing mailers.

I tried IgnoreDomain in /etc/opendmarc.conf now.

Can anybody file a bug report for opendmarc?

Thanks

Gerald
ajmind
Posts: 69
Joined: 28 Mar 2017 15:26
Location: Eltville, Germany

Re: opendmarc.service failed - kills mailscanner?

Post by ajmind »

We have been also hit with this problem for the first time in June on our Efa v4 box.

Code:

opendmarc[2430]: 4W0s5802MNzCVjQy: ignoring invalid ARC-Authentication-Results header "i=1;#012#011mailrelay.teuto.net;#012                             #011none"

Fortunately the related e-mail comes from one single IP/domain address, so I put it in /etc/opendmarc/ignore.hosts.

Interestingly the domain is also related to a German based company. (teuto.net)

I have seen a patch on the project github page from May 2023:

https://github.com/trusteddomainproject ... issues/242

But I wonder why this is not implemented in eFa? Unfortunately I am not a coder to do it myself ... :(

Andreas
shawniverson
Posts: 3757
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: opendmarc.service failed - kills mailscanner?

Post by shawniverson »

ajmind wrote: 03 Jul 2024 13:05
https://github.com/trusteddomainproject ... issues/242

But I wonder why this is not implemented in eFa? Unfortunately I am not a coder to do it myself ... :(

Andreas

1) eFa uses stock RPM for OpenDMARC from distribution
2) the PR hasn't been merged yet