ValveSoftware / steam-for-linux

Issue tracking for the Steam for Linux beta client

Steam guard is broken because of a bad DKIM configuration #8609

Closed illwieckz closed 12 months ago

illwieckz commented 2 years ago

Mail servers are rejecting the mail from steam carrying the validation code to users because the DKIM configuration is broken.

Example with Postfix and OpenDKIM:

May 28 17:59:09 mailserver opendkim[6871]: 4E6B720029: s=smtp d=steampowered.com SSL
May 28 17:59:09 mailserver opendkim[6871]: 4E6B720029: bad signature data

That means users cannot connect to Steam as soon as Steam decides the user has to go through the validation process again.

Note: I know this is the issue list for steam-for-linux, but there is no way to contact Steam if login does not work, and this issue is preventing people from logging in. Writing to support@steampowered.com automatically responds that this e-mail address isn't monitored and one has to submit a support incident on http://help.steampowered.com, but to do that one has to be logged in, and then Steam guard has to be working, which it is not.

Please forward to the appropriate service.

illwieckz commented 2 years ago

For more details, this issue can be fixed by whoever is in charge of the mail server configuration at Valve or by whoever is in charge of the DNS records at Valve (or both). The root cause of the issue is a mismatch between a key used in the mail server configuration and a key used in the domain name record.

This configuration mismatch between the mail server and the domain name record is telling third-party mail servers (the recipient's mail server) they have to reject the Steam guard mail, because such a key mismatch is telling them that Valve mail servers are currently not designated as a permitted sender for Steam guard mails.

As a side effect, due to this DKIM misconfiguration, Steam guard is currently expected to be working only for users having their mail hosted by mail providers not caring about mail sender spoofing and accepting mails pretending to come from Valve while failing at proving it.

TTimo commented 2 years ago

Hello @illwieckz,

Can you be more specific about what is incorrect about the configuration? Steam guard is high volume and obviously working fine for the vast majority of users; maybe there is a configuration problem on your end?

illwieckz commented 2 years ago

Hi @TTimo, nice to see you around!

Here is a dump of a Steam guard mail, sent by Steam: https://dl.illwieckz.net/b/steam/bugs/steam-guard-dkim-validation-error/20220531-000.steam-bad-dkim-mail.eml.xz.b64.txt (compressed with xz and passed through just to fool crawlers looking for mail addresses; I'll delete it one day. I also verified the Steam guard code in it is now invalid, so I'm a bit safe). To get it I temporarily configured the mail server to store it on a local account without doing more.

One can get my mail sample this way. This is a mail sent by Steam guard.

wget 'https://dl.illwieckz.net/b/steam/bugs/steam-guard-dkim-validation-error/20220531-000.steam-bad-dkim-mail.eml.xz.b64.txt'
wget 'https://dl.illwieckz.net/b/steam/bugs/steam-guard-dkim-validation-error/20220531-000.steam-bad-dkim-mail.eml.sha512sum'
base64 -d < '20220531-000.steam-bad-dkim-mail.eml.xz.b64.txt' | xz -d > '20220531-000.steam-bad-dkim-mail.eml'
sha512sum -c '20220531-000.steam-bad-dkim-mail.eml.sha512sum'

One can check the DKIM validity of the mail using the dkimverify tool (provided by dkimpy-milter package on Ubuntu):

dkimverify < '20220531-000.steam-bad-dkim-mail.eml'
signature verification failed

Some mail providers would just mark this mail as spam (as GMail does), some others will reject it entirely (as Yahoo does). Valve can expect users having GMail addresses to receive their Steam guard mail in their spam folder (Edit: and sometimes rejected), while all users having Yahoo addresses will never get their mail. DKIM is a standard created by Yahoo for checking mail sender authenticity and preventing spoofing. Yahoo is very strict on DKIM and rejects every mail that fails DKIM validation. On its side, GMail displays to the user a large orange banner saying it failed to verify the mail comes from steampowered.com.

[Screenshot: Gmail DKIM SPAM warning]

Edit: I updated the way to check my mail sample.
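A stdlib-only triage script for a DKIM-signed .eml like the sample above, added here as an example (not code from the thread, from Valve, Postfix or dkimpy): it checks the body hash and the selector record, the two parts of a DKIM signature that can be inspected without an RSA library, and reports which one fails. The domain example.org, the selector smtp, the DNS records and the mail are all constructed, and the dns_txt callable stands in for a real TXT lookup.

```python
# Stdlib-only DKIM triage: a constructed example, not Valve's, Postfix's or dkimpy's code.
# It checks what needs no RSA library: that bh= matches the canonicalized body, and that the
# selector record <s>._domainkey.<d> exists with a usable key of the right type. The RSA
# step is left to a real verifier such as dkimverify; a failure there with a good body
# hash points at the signer/DNS key pair, the mismatch this thread describes.
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 3.2); whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 3.4.3/3.4.4: 'simple' drops trailing empty lines; 'relaxed' also strips
    trailing SP/TAB per line and collapses runs of SP/TAB to one space."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body: bytes, mode: str, algo: str = "rsa-sha256") -> str:
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.sha1 if algo.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canon_body(body, mode)).digest()).decode()

def diagnose(raw: bytes, dns_txt) -> list:
    """Return the problems found (empty list: the stdlib-checkable parts pass).
    dns_txt(name) returns the TXT record text for name, or None if it does not exist."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)  # header block / body
    head = re.sub(rb"\r?\n[ \t]+", b" ", parts[0])  # join folded header lines
    body = parts[1] if len(parts) > 1 else b""
    sig = next((h for h in head.split(b"\n") if h.lower().startswith(b"dkim-signature:")), None)
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_tags(sig.split(b":", 1)[1].decode())
    missing = [t for t in ("v", "a", "b", "bh", "d", "h", "s") if t not in tags]
    if missing:
        return ["missing required tag(s): " + ", ".join(missing)]
    problems = []
    canon = tags.get("c", "simple/simple")  # c= defaults to simple/simple
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    if body_hash(body, body_mode, tags["a"]) != tags["bh"]:
        problems.append("body hash mismatch: body was altered after signing")
    name = f"{tags['s']}._domainkey.{tags['d']}"
    record = dns_txt(name)
    if record is None:
        return problems + [f"no DKIM record at {name}"]
    rec = parse_tags(record)
    if not rec.get("p"):
        problems.append(f"{name} has an empty p= (key revoked)")
    elif rec.get("k", "rsa") != tags["a"].split("-")[0]:
        problems.append(f"{name} key type {rec.get('k', 'rsa')} does not match a={tags['a']}")
    return problems

# Constructed sample: example.org with selector "smtp", the selector name seen in the thread.
def make_message(body: bytes, c: str = "relaxed/relaxed") -> bytes:
    bh = body_hash(body, c.split("/")[1])
    hdr = (f"DKIM-Signature: v=1; a=rsa-sha256; c={c}; d=example.org; s=smtp;\r\n"
           f"\th=from:subject; bh={bh}; b=UExBQ0VIT0xERVI=\r\n")  # b= is a placeholder
    return hdr.encode() + b"From: noreply@example.org\r\nSubject: Your login code\r\n\r\n" + body

FAKE_DNS = {  # constructed records standing in for a TXT lookup; p= values are placeholders
    "smtp._domainkey.example.org": "v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER",
    "old._domainkey.example.org": "v=DKIM1; k=rsa; p=",
}

def run_demo() -> dict:
    """Four cases: intact mail, body changed in transit, unknown selector, revoked key."""
    good = make_message(b"Your code is: ABCDE \r\n\r\n")
    return {
        "good": diagnose(good, FAKE_DNS.get),
        "tampered": diagnose(good.replace(b"ABCDE", b"ABCDX"), FAKE_DNS.get),
        "no_record": diagnose(good.replace(b"s=smtp;", b"s=gone;"), FAKE_DNS.get),
        "revoked": diagnose(good.replace(b"s=smtp;", b"s=old;"), FAKE_DNS.get),
    }

if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(case, "->", problems or "stdlib checks pass; run dkimverify for the signature")
```

When the body hash passes and the selector record is present but dkimverify still reports a failure, the remaining suspect is the key pair itself: the public key in that TXT record versus the private key the signing server uses.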

illwieckz commented 2 years ago

Here is what happens if I tell my mail server to store the mail on a local account and not reject it if DKIM validation fails.

May 31 19:06:14 mailserver postfix/smtpd[25884]: table hash:/etc/postfix/smtpd_sender_login_maps(0,lock|fold_fix|utf8_request) has changed -- restarting
May 31 19:06:14 mailserver postfix/smtpd[25893]: connect from smtp-02-tuk1.steampowered.com[208.64.202.47]
May 31 19:06:15 mailserver postfix/smtpd[25893]: Anonymous TLS connection established from smtp-02-tuk1.steampowered.com[208.64.202.47]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 31 19:06:15 mailserver postfix/smtpd[25893]: ABAFF20029: client=smtp-02-tuk1.steampowered.com[208.64.202.47]
May 31 19:06:15 mailserver postfix/cleanup[25895]: ABAFF20029: message-id=<E1nw5Jt-000CV9-Ar@smtp-02-tuk1.steampowered.com>
May 31 19:06:16 mailserver opendkim[6871]: ABAFF20029: s=smtp d=steampowered.com SSL 
May 31 19:06:16 mailserver opendkim[6871]: ABAFF20029: bad signature data
May 31 19:06:16 mailserver postfix/qmgr[30118]: ABAFF20029: from=<noreply@steampowered.com>, size=38964, nrcpt=1 (queue active)
May 31 19:06:16 mailserver spamd[16893]: spamd: connection from ::1 [::1]:58328 to port 783, fd 5
May 31 19:06:16 mailserver spamd[16893]: spamd: setuid to debian-spamd succeeded
May 31 19:06:16 mailserver spamd[16893]: spamd: processing message <E1nw5Jt-000CV9-Ar@smtp-02-tuk1.steampowered.com> for debian-spamd:105
May 31 19:06:16 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a7-66.akam.net
May 31 19:06:16 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a24-64.akam.net
May 31 19:06:16 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a9-66.akam.net
May 31 19:06:16 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a22-67.akam.net
May 31 19:06:16 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a1-194.akam.net
May 31 19:06:16 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a2-64.akam.net
May 31 19:06:16 mailserver postfix/smtpd[25893]: disconnect from smtp-02-tuk1.steampowered.com[208.64.202.47] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 31 19:06:16 mailserver spamd[16893]: spamd: clean message (-1.8/5.0) for debian-spamd:105 in 0.4 seconds, 38325 bytes.
May 31 19:06:16 mailserver spamd[16893]: spamd: result: . -1 - BAYES_00,DKIM_SIGNED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,T_DKIM_INVALID,URIBL_BLOCKED scantime=0.4,size=38325,user=debian-spamd,uid=105,required_score=5.0,rhost=::1,raddr=::1,rport=58328,mid=<E1nw5Jt-000CV9-Ar@smtp-02-tuk1.steampowered.com>,bayes=0.000000,autolearn=no autolearn_force=no
May 31 19:06:16 mailserver postfix/pipe[25896]: ABAFF20029: to=<root@mailserver>, orig_to=<xxxxxxxx@illwieckz.net>, relay=spamassassin, delay=0.71, delays=0.31/0.01/0/0.39, dsn=2.0.0, status=sent (delivered via spamassassin service)
May 31 19:06:16 mailserver postfix/qmgr[30118]: ABAFF20029: removed
May 31 19:06:16 mailserver postfix/pickup[25772]: 62342202EA: uid=105 from=<noreply@steampowered.com>
May 31 19:06:16 mailserver postfix/cleanup[25895]: 62342202EA: message-id=<E1nw5Jt-000CV9-Ar@smtp-02-tuk1.steampowered.com>
May 31 19:06:16 mailserver opendkim[6871]: 62342202EA: s=smtp d=steampowered.com SSL 
May 31 19:06:16 mailserver opendkim[6871]: 62342202EA: bad signature data
May 31 19:06:16 mailserver postfix/qmgr[30118]: 62342202EA: from=<noreply@steampowered.com>, size=39578, nrcpt=1 (queue active)
May 31 19:06:16 mailserver spamd[15239]: prefork: child states: II
May 31 19:06:16 mailserver postfix/local[25900]: 62342202EA: to=<root@mailserver>, relay=local, delay=0.07, delays=0.02/0.05/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
May 31 19:06:16 mailserver postfix/qmgr[30118]: 62342202EA: removed

Here is what happens if I relay the mail to GMail: it is delivered, but GMail is permissive and doesn't reject it, storing the mail in the spam folder instead. You may expect all users with GMail addresses to receive their validation mail, but GMail would store it in their SPAM folder.

May 31 19:24:46 mailserver postfix/smtpd[25947]: connect from smtp-46.steampowered.com[208.64.202.46]
May 31 19:24:47 mailserver postfix/smtpd[25947]: Anonymous TLS connection established from smtp-46.steampowered.com[208.64.202.46]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 31 19:24:47 mailserver postfix/smtpd[25947]: 5FF6A20029: client=smtp-46.steampowered.com[208.64.202.46]
May 31 19:24:47 mailserver postfix/cleanup[25951]: 5FF6A20029: message-id=<E1nw5bo-0004j3-Ro@smtp-04-tuk1.steampowered.com>
May 31 19:24:47 mailserver opendkim[6871]: 5FF6A20029: s=smtp d=steampowered.com SSL
May 31 19:24:47 mailserver opendkim[6871]: 5FF6A20029: bad signature data
May 31 19:24:48 mailserver postfix/qmgr[30118]: 5FF6A20029: from=<noreply@steampowered.com>, size=38983, nrcpt=1 (queue active)
May 31 19:24:48 mailserver postfix/smtpd[25947]: disconnect from smtp-46.steampowered.com[208.64.202.46] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 31 19:24:50 mailserver spamd[16893]: spamd: connection from ::1 [::1]:58344 to port 783, fd 5
May 31 19:24:50 mailserver spamd[16893]: spamd: setuid to debian-spamd succeeded
May 31 19:24:53 mailserver spamd[16893]: spamd: processing message <E1nw5bo-0004j3-Ro@smtp-04-tuk1.steampowered.com> for debian-spamd:105
May 31 19:24:56 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a7-66.akam.net
May 31 19:24:56 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a24-64.akam.net
May 31 19:24:56 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a9-66.akam.net
May 31 19:24:56 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a22-67.akam.net
May 31 19:24:56 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a1-194.akam.net
May 31 19:24:56 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a2-64.akam.net
May 31 19:25:01 mailserver spamd[16893]: spamd: clean message (-1.8/5.0) for debian-spamd:105 in 12.5 seconds, 38343 bytes.
May 31 19:25:01 mailserver spamd[16893]: spamd: result: . -1 - BAYES_00,DKIM_SIGNED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,T_DKIM_INVALID,URIBL_BLOCKED scantime=12.5,size=38343,user=debian-spamd,uid=105,required_score=5.0,rhost=::1,raddr=::1,rport=58344,mid=<E1nw5bo-0004j3-Ro@smtp-04-tuk1.steampowered.com>,bayes=0.000000,autolearn=no autolearn_force=no
May 31 19:25:01 mailserver postfix/pipe[25952]: 5FF6A20029: to=<xxxxxxxx@gmail.com>, orig_to=<xxxxxxxx@illwieckz.net>, relay=spamassassin, delay=14, delays=0.65/0.03/0/13, dsn=2.0.0, status=sent (delivered via spamassassin service)
May 31 19:25:01 mailserver postfix/qmgr[30118]: 5FF6A20029: removed
May 31 19:25:01 mailserver postfix/pickup[25941]: 6C7DD202FC: uid=105 from=<noreply@steampowered.com>
May 31 19:25:01 mailserver postfix/cleanup[25951]: 6C7DD202FC: message-id=<E1nw5bo-0004j3-Ro@smtp-04-tuk1.steampowered.com>
May 31 19:25:01 mailserver opendkim[6871]: 6C7DD202FC: s=smtp d=steampowered.com SSL
May 31 19:25:01 mailserver opendkim[6871]: 6C7DD202FC: bad signature data
May 31 19:25:01 mailserver postfix/qmgr[30118]: 6C7DD202FC: from=<noreply@steampowered.com>, size=39597, nrcpt=1 (queue active)
May 31 19:25:01 mailserver postfix/smtp[25956]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[66.102.1.27]:25: TLSv1.2 with cipher ECDHE-ECDSA-CHACHA20-POLY1305 (256/256 bits)
May 31 19:25:02 mailserver postfix/smtp[25956]: 6C7DD202FC: to=<xxxxxxxx@gmail.com>, relay=gmail-smtp-in.l.google.com[66.102.1.27]:25, delay=0.58, delays=0.07/0.04/0.19/0.28, dsn=2.0.0, status=sent (250 2.0.0 OK  1654017902 g14-20020adff40e000000b0020ffd38e8cfsi11814690wro.284 - gsmtp)
May 31 19:25:02 mailserver postfix/qmgr[30118]: 6C7DD202FC: removed
May 31 19:25:02 mailserver spamd[15239]: prefork: child states: II

Here is what happens if I relay the mail to Yahoo: Yahoo rejects it. Yahoo is known to be very strict on DKIM. The message isn't delivered to the user at all. You may expect all users with Yahoo addresses to never receive their validation mail.

May 31 19:00:58 mailserver postfix/smtpd[25863]: connect from smtp-01-tuk1.steampowered.com[208.64.202.37]
May 31 19:00:59 mailserver postfix/smtpd[25863]: Anonymous TLS connection established from smtp-01-tuk1.steampowered.com[208.64.202.37]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 31 19:00:59 mailserver postfix/smtpd[25863]: 7451820029: client=smtp-01-tuk1.steampowered.com[208.64.202.37]
May 31 19:00:59 mailserver postfix/cleanup[25867]: 7451820029: message-id=<E1nw5Em-0003lb-Up@smtp-01-tuk1.steampowered.com>
May 31 19:01:00 mailserver opendkim[6871]: 7451820029: s=smtp d=steampowered.com SSL
May 31 19:01:00 mailserver opendkim[6871]: 7451820029: bad signature data
May 31 19:01:00 mailserver postfix/qmgr[30118]: 7451820029: from=<noreply@steampowered.com>, size=38964, nrcpt=1 (queue active)
May 31 19:01:00 mailserver spamd[16893]: spamd: connection from ::1 [::1]:58322 to port 783, fd 5
May 31 19:01:00 mailserver spamd[16893]: spamd: setuid to debian-spamd succeeded
May 31 19:01:00 mailserver spamd[16893]: spamd: processing message <E1nw5Em-0003lb-Up@smtp-01-tuk1.steampowered.com> for debian-spamd:105
May 31 19:01:00 mailserver postfix/smtpd[25863]: disconnect from smtp-01-tuk1.steampowered.com[208.64.202.37] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 31 19:01:00 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a7-66.akam.net
May 31 19:01:00 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a24-64.akam.net
May 31 19:01:00 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a9-66.akam.net
May 31 19:01:00 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a22-67.akam.net
May 31 19:01:00 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a1-194.akam.net
May 31 19:01:00 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a2-64.akam.net
May 31 19:01:01 mailserver spamd[16893]: spamd: clean message (-1.8/5.0) for debian-spamd:105 in 0.9 seconds, 38325 bytes.
May 31 19:01:01 mailserver spamd[16893]: spamd: result: . -1 - BAYES_00,DKIM_SIGNED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,T_DKIM_INVALID,URIBL_BLOCKED scantime=0.9,size=38325,user=debian-spamd,uid=105,required_score=5.0,rhost=::1,raddr=::1,rport=58322,mid=<E1nw5Em-0003lb-Up@smtp-01-tuk1.steampowered.com>,bayes=0.000000,autolearn=no autolearn_force=no
May 31 19:01:01 mailserver postfix/pipe[25868]: 7451820029: to=<xxxxxxxx@yahoo.fr>, orig_to=<xxxxxxxx@illwieckz.net>, relay=spamassassin, delay=1.8, delays=0.88/0.01/0/0.91, dsn=2.0.0, status=sent (delivered via spamassassin service)
May 31 19:01:01 mailserver postfix/qmgr[30118]: 7451820029: removed
May 31 19:01:01 mailserver postfix/pickup[25772]: 4126F202EA: uid=105 from=<noreply@steampowered.com>
May 31 19:01:01 mailserver postfix/cleanup[25867]: 4126F202EA: message-id=<E1nw5Em-0003lb-Up@smtp-01-tuk1.steampowered.com>
May 31 19:01:01 mailserver opendkim[6871]: 4126F202EA: s=smtp d=steampowered.com SSL
May 31 19:01:01 mailserver opendkim[6871]: 4126F202EA: bad signature data
May 31 19:01:01 mailserver postfix/qmgr[30118]: 4126F202EA: from=<noreply@steampowered.com>, size=39578, nrcpt=1 (queue active)
May 31 19:01:01 mailserver spamd[15239]: prefork: child states: II
May 31 19:01:01 mailserver postfix/smtp[25872]: Untrusted TLS connection established to mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 31 19:01:01 mailserver postfix/smtp[25872]: 4126F202EA: to=<xxxxxxxx@yahoo.fr>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=0.6, delays=0.02/0.03/0.19/0.35, dsn=5.7.9, status=bounced (host mx-eu.mail.am0.yahoodns.net[188.125.72.74] said: 554 5.7.9 Message not accepted for policy reasons. See https://postmaster.yahooinc.com/error-codes (in reply to end of DATA command))
May 31 19:01:01 mailserver postfix/cleanup[25867]: D9D05200B3: message-id=<20220531170101.D9D05200B3@xxxxxxxx>
May 31 19:01:01 mailserver postfix/bounce[25873]: 4126F202EA: sender non-delivery notification: D9D05200B3
May 31 19:01:01 mailserver postfix/qmgr[30118]: D9D05200B3: from=<>, size=41599, nrcpt=1 (queue active)
May 31 19:01:01 mailserver postfix/qmgr[30118]: 4126F202EA: removed
May 31 19:01:03 mailserver postfix/smtp[25872]: Untrusted TLS connection established to smtp.steampowered.com[208.64.202.36]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 31 19:01:04 mailserver postfix/smtp[25872]: D9D05200B3: to=<noreply@steampowered.com>, relay=smtp.steampowered.com[208.64.202.36]:25, delay=3.1, delays=0.01/0.01/2.1/0.94, dsn=5.0.0, status=bounced (host smtp.steampowered.com[208.64.202.36] said: 550 No verifiable sender address in message headers (in reply to end of DATA command))
May 31 19:01:04 mailserver postfix/qmgr[30118]: D9D05200B3: removed

Here it is Yahoo that says the Steam guard mail failed to validate DKIM:

status=bounced (host smtp.steampowered.com[208.64.202.36] said: 550 No verifiable sender address in message headers (in reply to end of DATA command))

illwieckz commented 2 years ago

After I told GMail the mail was legit, I tried again to get a new mail, and now GMail rejected the new mail because SPF validation failed.

May 31 19:53:10 mailserver postfix/smtpd[25996]: connect from smtp-04-tuk1.steampowered.com[208.64.202.43]
May 31 19:53:11 mailserver postfix/smtpd[25996]: Anonymous TLS connection established from smtp-04-tuk1.steampowered.com[208.64.202.43]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 31 19:53:12 mailserver postfix/smtpd[25996]: 01A1020029: client=smtp-04-tuk1.steampowered.com[208.64.202.43]
May 31 19:53:12 mailserver postfix/cleanup[25997]: 01A1020029: message-id=<E1nw63K-0004dz-AK@smtp-04-tuk1.steampowered.com>
May 31 19:53:12 mailserver opendkim[6871]: 01A1020029: s=smtp d=steampowered.com SSL 
May 31 19:53:12 mailserver opendkim[6871]: 01A1020029: bad signature data
May 31 19:53:12 mailserver postfix/qmgr[30118]: 01A1020029: from=<noreply@steampowered.com>, size=38978, nrcpt=1 (queue active)
May 31 19:53:12 mailserver spamd[16893]: spamd: connection from ::1 [::1]:58366 to port 783, fd 5
May 31 19:53:12 mailserver spamd[16893]: spamd: setuid to debian-spamd succeeded
May 31 19:53:12 mailserver spamd[16893]: spamd: processing message <E1nw63K-0004dz-AK@smtp-04-tuk1.steampowered.com> for debian-spamd:105
May 31 19:53:12 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a7-66.akam.net
May 31 19:53:12 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a24-64.akam.net
May 31 19:53:12 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a9-66.akam.net
May 31 19:53:12 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a22-67.akam.net
May 31 19:53:12 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a1-194.akam.net
May 31 19:53:12 mailserver spamd[16893]: dns: new_dns_packet: domain is utf8 flagged: a2-64.akam.net
May 31 19:53:12 mailserver postfix/smtpd[25996]: disconnect from smtp-04-tuk1.steampowered.com[208.64.202.43] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 31 19:53:12 mailserver spamd[16893]: spamd: clean message (-1.8/5.0) for debian-spamd:105 in 0.3 seconds, 38339 bytes.
May 31 19:53:12 mailserver spamd[16893]: spamd: result: . -1 - BAYES_00,DKIM_SIGNED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,T_DKIM_INVALID,URIBL_BLOCKED scantime=0.3,size=38339,user=debian-spamd,uid=105,required_score=5.0,rhost=::1,raddr=::1,rport=58366,mid=<E1nw63K-0004dz-AK@smtp-04-tuk1.steampowered.com>,bayes=0.000000,autolearn=no autolearn_force=no
May 31 19:53:12 mailserver postfix/pipe[25998]: 01A1020029: to=<xxxxxxxx@gmail.com>, orig_to=<xxxxxxxx@illwieckz.net>, relay=spamassassin, delay=0.61, delays=0.31/0.01/0/0.29, dsn=2.0.0, status=sent (delivered via spamassassin service)
May 31 19:53:12 mailserver postfix/qmgr[30118]: 01A1020029: removed
May 31 19:53:12 mailserver postfix/pickup[25941]: 9585B202FC: uid=105 from=<noreply@steampowered.com>
May 31 19:53:12 mailserver postfix/cleanup[25997]: 9585B202FC: message-id=<E1nw63K-0004dz-AK@smtp-04-tuk1.steampowered.com>
May 31 19:53:12 mailserver opendkim[6871]: 9585B202FC: s=smtp d=steampowered.com SSL 
May 31 19:53:12 mailserver opendkim[6871]: 9585B202FC: bad signature data
May 31 19:53:12 mailserver postfix/qmgr[30118]: 9585B202FC: from=<noreply@steampowered.com>, size=39592, nrcpt=1 (queue active)
May 31 19:53:12 mailserver spamd[15239]: prefork: child states: II
May 31 19:53:12 mailserver postfix/smtp[26003]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[66.102.1.26]:25: TLSv1.2 with cipher ECDHE-ECDSA-CHACHA20-POLY1305 (256/256 bits)
May 31 19:53:13 mailserver postfix/smtp[26003]: 9585B202FC: to=<xxxxxxxx@gmail.com>, relay=gmail-smtp-in.l.google.com[66.102.1.26]:25, delay=0.47, delays=0.02/0.11/0.05/0.28, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[66.102.1.26] said: 550-5.7.26 This message fails to pass SPF checks for an SPF record with a hard 550-5.7.26 fail policy (-all). To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. t8-20020a05600001c800b0020ae77c9e7dsi11525882wrx.1033 - gsmtp (in reply to end of DATA command))
May 31 19:53:13 mailserver postfix/cleanup[25997]: 14D7A200B8: message-id=<20220531175313.14D7A200B8@xxxxxxxx>
May 31 19:53:13 mailserver postfix/qmgr[30118]: 14D7A200B8: from=<>, size=42236, nrcpt=1 (queue active)
May 31 19:53:13 mailserver postfix/bounce[26004]: 9585B202FC: sender non-delivery notification: 14D7A200B8
May 31 19:53:13 mailserver postfix/qmgr[30118]: 9585B202FC: removed
May 31 19:53:14 mailserver postfix/smtp[26003]: Untrusted TLS connection established to smtp.steampowered.com[208.64.202.36]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 31 19:53:15 mailserver postfix/smtp[26003]: 14D7A200B8: to=<noreply@steampowered.com>, relay=smtp.steampowered.com[208.64.202.36]:25, delay=2.5, delays=0/0/1.7/0.78, dsn=5.0.0, status=bounced (host smtp.steampowered.com[208.64.202.36] said: 550 No verifiable sender address in message headers (in reply to end of DATA command))
May 31 19:53:15 mailserver postfix/qmgr[30118]: 14D7A200B8: removed

Here it is GMail that says the Steam guard mail failed to validate SPF:

This message fails to pass SPF checks for an SPF record with a hard 550-5.7.26 fail policy (-all). To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information.

TTimo commented 2 years ago

@illwieckz : howdy!

fwiw I use gmail and my steam guard codes come in just fine, they don't go in spam, and their DKIM and SPF are all correct (per gmail -> view source).

does dkimverify have a verbose option, to provide more details on why it's rejecting the signature? maybe you have incomplete or outdated certificate chains? is this still reproducible, or might it have been a one-off thing?

illwieckz commented 12 months ago

The DKIM misconfiguration seems to have been fixed since the time I reported the problem.

What I got at the time of the report:

$ dkimverify < 20220531-000.steam-bad-dkim-mail.eml
signature verification failed

What I get today:

$ dkimverify < 20230911-000.steam-good-dkim-email.eml
signature ok

Note that at the time I also tried to redirect to Yahoo, and Yahoo silently dropped all Steam Guard emails (from the user's point of view). This was very bad.

I consider the bug fixed, but that was definitely a misconfiguration on Steam's side (either in the mail server configuration or in the DNS records). The bug was reproducible for months, maybe for a complete year.

At the time, using third-party online DKIM checkers also told me the DKIM signature was bad, so it was not just on my end.

illwieckz commented 12 months ago

Here is a log of a special mbox I created to work around the DKIM error issue. The date of the first mail to fail is not the date of the beginning of the misconfiguration; it's the date I created this special mbox to receive Steam Guard mails to work around any DKIM delivery issue. The misconfiguration had already been there for many months when I created this mbox.

From noreply@steampowered.com  Tue May 31 19:06:16 2022 : signature verification failed
From noreply@steampowered.com  Tue May 31 19:20:03 2022 : signature verification failed
From noreply@steampowered.com  Tue May 31 20:09:51 2022 : signature verification failed
From noreply@steampowered.com  Tue May 31 21:19:33 2022 : signature verification failed
From noreply@steampowered.com  Sat Jun 25 00:37:58 2022 : signature ok
From noreply@steampowered.com  Tue Jul  5 23:16:24 2022 : signature ok
From noreply@steampowered.com  Sat Sep 10 12:41:31 2022 : signature verification failed
From noreply@steampowered.com  Sat Sep 10 12:46:16 2022 : signature ok
From noreply@steampowered.com  Tue Sep 13 15:50:15 2022 : signature ok
From noreply@steampowered.com  Wed Sep 14 15:17:51 2022 : signature verification failed
From noreply@steampowered.com  Fri Oct  7 04:34:59 2022 : signature verification failed
From noreply@steampowered.com  Fri Oct  7 04:49:54 2022 : signature ok
From noreply@steampowered.com  Mon Oct 10 17:30:32 2022 : signature ok
From noreply@steampowered.com  Fri Nov 25 18:44:26 2022 : signature ok
From noreply@steampowered.com  Sat Dec 24 18:36:14 2022 : signature ok
From noreply@steampowered.com  Wed Dec 28 20:51:48 2022 : signature ok
From noreply@steampowered.com  Mon Jan  2 08:40:37 2023 : signature ok
From noreply@steampowered.com  Wed Jan  4 07:40:36 2023 : signature ok
From noreply@steampowered.com  Wed Jan  4 08:30:53 2023 : signature ok
From noreply@steampowered.com  Wed Jan  4 08:35:59 2023 : signature ok
From noreply@steampowered.com  Wed Jan  4 08:36:12 2023 : signature ok
From noreply@steampowered.com  Thu Jan  5 21:02:43 2023 : signature ok
From noreply@steampowered.com  Thu Jan  5 21:04:52 2023 : signature ok
From noreply@steampowered.com  Mon Feb 20 22:25:49 2023 : signature ok
From noreply@steampowered.com  Mon Feb 20 22:28:03 2023 : signature ok
From noreply@steampowered.com  Tue Feb 21 00:04:55 2023 : signature ok
From noreply@steampowered.com  Mon Mar 20 22:47:52 2023 : signature ok
From noreply@steampowered.com  Wed Mar 22 09:35:22 2023 : signature ok
From noreply@steampowered.com  Wed Mar 22 09:37:22 2023 : signature ok
From noreply@steampowered.com  Tue Jul  4 01:52:29 2023 : signature ok
From noreply@steampowered.com  Sat Aug 12 19:26:15 2023 : signature ok
From noreply@steampowered.com  Mon Sep 11 16:40:11 2023 : signature ok

The last time I got an email with a bad DKIM signature was in October 2022. Between July and October 2022 there were some mails with good DKIM signatures and some with bad DKIM signatures, meaning some people would have wrongly believed it was working since they received some emails.

This log shows the DKIM misconfiguration ran for at least 6 months (from May to October 2022), but as I said, May is only the beginning of that log; the DKIM misconfiguration had already been there for months when the log started.

It's possible that at the time, some mail servers were properly configured, and some not, meaning the DKIM signature would have been good or bad given the mail server that was used for each given mail.

I would not be surprised if only some people from some geographical region would have suffered the DKIM misconfiguration if Steam uses per-region servers, meaning some people would have never experienced the issue themselves while others suffered from it for months.

illwieckz commented 12 months ago

I confirm that now GMail doesn't mark Steam Guard emails as spam anymore, does not report any error, and says DKIM validation succeeded.

GMail wrote in mail headers:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@steampowered.com header.s=smtp header.b=DJACneXc

I also confirm that now Yahoo doesn't reject Steam Guard emails anymore (and does not flag them as spam). Yahoo is more strict than GMail on DKIM failure: unlike GMail, which may accept DKIM-failed emails but flag them as spam, Yahoo would not accept the mail at all if there was a DKIM error.

Yahoo wrote in mail headers:

Authentication-Results: atlas-production.v2-mail-prod1-ir2.omega.yahoo.com;
 dkim=pass header.i=@steampowered.com header.s=smtp;

illwieckz commented 12 months ago

Here is a log on my own Postfix:

Sep 11 16:39:59 fomalhaut opendkim[6337]: B0E06202CC: DKIM verification successful
Sep 11 16:39:59 fomalhaut opendkim[6337]: B0E06202CC: s=smtp d=steampowered.com a=rsa-sha256 SSL 
Sep 11 16:40:11 fomalhaut opendkim[6337]: BB94A202E3: DKIM verification successful
Sep 11 16:40:11 fomalhaut opendkim[6337]: BB94A202E3: s=smtp d=steampowered.com a=rsa-sha256 SSL 
Sep 11 17:43:12 fomalhaut opendkim[7208]: E5BBC202EA: DKIM verification successful
Sep 11 17:43:12 fomalhaut opendkim[7208]: E5BBC202EA: s=smtp d=steampowered.com a=rsa-sha256 SSL 
Sep 11 17:43:16 fomalhaut opendkim[7208]: 4E642202EA: DKIM verification successful
Sep 11 17:43:16 fomalhaut opendkim[7208]: 4E642202EA: s=smtp d=steampowered.com a=rsa-sha256 SSL 

Everything is now properly validated by OpenDKIM.

No configuration change was done on my side; the behavior change can only be caused by either a configuration change on Steam's mail server side or on Steam's DNS side.