freelawproject / courtlistener

A fully-searchable and accessible archive of court data including growing repositories of opinions, oral arguments, judges, judicial financial records, and federal filings.
https://www.courtlistener.com

Contact Form is not DMARC Compliant; Rejecting mail #332

Closed brianwc closed 8 years ago

brianwc commented 9 years ago

When Yahoo! and a few others changed their DMARC policies last year it also broke web forms all over the internet. If someone types their yahoo.com email address into the CL contact form, then since we deliver it to courtlistener email addresses hosted by Google, Google respects Yahoo's DMARC policy and rejects the mail because it did not actually originate from yahoo.com. Same goes for Comcast and AOL email addresses. So, we've been silently (from our perspective) rejecting many contacts. The sender gets an undelivered mail message, but would have to be persistent to figure out how to tell us about it. There are apparently a few settings we can tweak in our form that will fix this.

Relevant details are here: http://www.fastsecurecontactform.com/yahoo-com-dmarc-policy

Example Undelivered Mail Returned to Sender response (with email addresses snipped):

Subject: Undelivered Mail Returned to Sender

----- Forwarded Message -----

This is the mail system at host courtlistener.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

               The mail system

host ALT2.aspmx.l.google.com[173.194.219.27] said: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's
550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if
550-5.7.1 this was a legitimate mail. Please visit
550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
550 5.7.1 initiative. y62si3351501yhc.175 - gsmtp (in reply to end of DATA command)

mlissner commented 9 years ago

Interesting. Never heard of DMARC before. I can't tell from my quick read of this whether this is something we need to do on our Google Apps configuration for CourtListener or whether this is something Yahoo! and AOL need to do to their servers.

Another thing I don't understand is that the Google document on this topic says:

A message must fail both SPF and DKIM checks to also fail DMARC

Which is weird because our SPF and DKIM should be configured properly...I thought.

Where did we get the failure message above? I don't understand what's happening here, but I can dig in further if I need to.
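The Google sentence quoted above is about *aligned* SPF and DKIM: DMARC passes only when SPF or DKIM passes for a domain that matches the domain in the From: header (RFC 7489, section 3.1). A server whose own SPF and DKIM are correct for courtlistener.com therefore still fails DMARC for a message whose From: says yahoo.com, which is exactly the bounce in the first comment. The following script is an added example, not code from the CourtListener project; the policies, addresses and domains in it are constructed samples. It implements the alignment rule, reproduces the broken contact-form message next to the usual fix (own address in From:, visitor in Reply-To:), and also shows why relaxed alignment (aspf=r, discussed later in this thread) lets mail.freelawproject.org align with freelawproject.org.

```python
# Added example (not code from the CourtListener project): DMARC alignment
# applied to the contact-form bounce in this thread, plus the usual fix.
# DMARC passes when SPF or DKIM passes AND the domain that passed is
# aligned with the RFC5322.From domain (RFC 7489, section 3.1).
# All addresses, policies and domains below are constructed samples.
from email.message import EmailMessage
from email.utils import parseaddr

# Sample _dmarc TXT policies keyed by organizational domain (assumed values).
SAMPLE_POLICIES = {
    "yahoo.com": {"p": "reject", "aspf": "s", "adkim": "s"},
    "courtlistener.com": {"p": "quarantine", "aspf": "r", "adkim": "r"},
    "freelawproject.org": {"p": "quarantine", "aspf": "r", "adkim": "r"},
}


def org_domain(domain: str) -> str:
    """Last two labels; real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) accepts any
    domain under the same organizational domain (mail.flp.org vs flp.org)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf_domain, dkim_domain, policy):
    """spf_domain: MAIL FROM domain if SPF passed, else ''.
    dkim_domain: d= of a signature that verified, else ''.
    Returns ('pass', 'none') or ('fail', <requested disposition>)."""
    spf_ok = aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy.get("p", "none"))


def build_contact_mail(visitor, body, site_domain, fixed=True):
    """fixed=False reproduces the broken form: the visitor's address in From:.
    fixed=True puts our own address in From: and the visitor in Reply-To:,
    so replies still reach them and DMARC is evaluated against our domain."""
    msg = EmailMessage()
    if fixed:
        msg["From"] = f"Contact form <noreply@{site_domain}>"
        msg["Reply-To"] = visitor
    else:
        msg["From"] = visitor
    msg["To"] = f"contact@{site_domain}"
    msg["Subject"] = "Contact form submission"
    msg.set_content(body)
    return msg


def evaluate(msg, site_domain):
    """Our server's SPF and DKIM both authenticate site_domain, so the
    outcome depends only on whose domain sits in From:."""
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[1]
    policy = SAMPLE_POLICIES.get(org_domain(from_domain), {"p": "none"})
    return dmarc_result(from_domain, site_domain, site_domain, policy)


if __name__ == "__main__":
    broken = build_contact_mail("visitor@yahoo.com", "hi", "courtlistener.com", fixed=False)
    print(evaluate(broken, "courtlistener.com"))   # ('fail', 'reject')
    good = build_contact_mail("visitor@yahoo.com", "hi", "courtlistener.com")
    print(evaluate(good, "courtlistener.com"))     # ('pass', 'none')
    # aspf=r lets mail.freelawproject.org align with freelawproject.org
    print(dmarc_result("freelawproject.org", "mail.freelawproject.org", "",
                       SAMPLE_POLICIES["freelawproject.org"]))  # ('pass', 'none')
```

The fix keeps the visitor reachable through Reply-To: while the authenticated identities (MAIL FROM for SPF, d= for DKIM) and the From: header all belong to the sending site, so there is nothing for a receiver to reject regardless of the visitor's provider policy.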

saizai commented 9 years ago

Note that both your SPF & DKIM can get broken by, among other things, mailing lists; Outlook used through other services (e.g. Gmail); and other remailers.

Which is why I downgraded from p=reject for DMARC. There's just no way to fix these issues w/ 3rd party entities munging my email content and breaking both the SPF and DKIM.

brianwc commented 9 years ago

@mlissner A Yahoo email user just reported (by tracking down my home phone number) that her messages are continually bounced by this form.

saizai commented 9 years ago

_dmarc.courtlistener.com doesn't appear to be set.

You probably want it to have a TXT record of this sort:

v=DMARC1; fo=1; p=none; rua=mailto:dmarca@courtlistener.com; ruf=mailto:dmarcf@courtlistener.com

p=none because mailing lists, remailers, Outlook, Yahoo, and gods know what else will fuck up your SPF source & DKIM sig, thereby causing unavoidable DKIM failure.

mlissner commented 9 years ago

If this is just a DNS thing, @brianwc, can you put in the needed record?

mlissner commented 9 years ago

When we get to this, we should try sending an email to: https://www.mail-tester.com/

mlissner commented 9 years ago

So, Google flipped a switch and now we can't even send ourselves messages from the contact form. This is officially very broken. Here's a first test: https://www.mail-tester.com/web-Ys1fvC

I'm researching what we need to do to make DMARC work.

mlissner commented 9 years ago

OK, lots of DNS work to fix this, @brianwc. I can do all of this, but I need access to DNS.

There are four pieces to this puzzle:

  1. MX Records
  2. DKIM
  3. SPF
  4. DMARC

MX Records

This seems like a really good time to move the MX records over to Google. The config for that is:

[screenshot of the MX record configuration, 2015-10-30 13:38:53]

(Sorry, can't copy/paste from it for some reason.)

Once this is done, Google will be hosting email for freelawproject.org.

DKIM

For CourtListener

For our current CourtListener email to work properly, we need a TXT record named google._domainkey with the value:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvikwBi1z6LLa7I+uT7idU6nXquk+TjpllhXtPc42WqMuUbVKIjSroBPgfv7CmDjTwu8UPa3OBwPhefPDkSkZ5iAU8FsemYkpeJZHrfpW/G4pxunLBmA68mHo+Lf0e2QkPXNxLuifHtHgAqXDSYy/iciNXBxo54jlqUG1LwOMivwIDAQAB

Once that's done, I need to check the dashboard to make sure it's working. This will make it so CourtListener mail from Google will work (i.e., our personal addresses).

Alas, mail from the server needs a second DNS entry to match the key that's set up there (see here for more info on setting up opendkim and postfix). The TXT entry should be named mail._domainkey.courtlistener.com. (with the period) and have a value of:

v=DKIM1; k=rsa; p=AAAAB3NzaC1yc2EAAAADAQABAAAAgQDJLct3k+/zD7Pd48qUJj0Z88dEop5Gl7U94SFHHBqU0dvQEaGpyNkYD693ytpK4+THC0O2cAcB+DPgGIhBTSbCUEvmqf+iyTdvTuWAZKWBMmnVFEAQsl4rTDHHD5Zd+O2Zk8txztXHKdm/zAfG6YlSLpwmvvw33Mr6P9qXSXK9/w==

CourtListener has been signing email with its private key (`/etc/mail/dkim.key`), but I think it didn't have the DNS record to match (one testing tool indicated that we do have this set up, but I'm pretty sure we don't). Since the public key seems to have disappeared, I generated it from the private key using:

sudo ssh-keygen -y -f dkim.key 

DKIM is pretty much the worst. Let's move on.

For Free Law Project

Google mail servers

We need a TXT record named google._domainkey with the value:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCL+LSZlNoEJOURS+xH8LRyf2bGER0cH7QOYrHhGPS+731WwSxhJY5zUh2Pgzus4cgAz22ffc2b6QfQd4KTt+w/Pr4DGB0i3DoABgSPhdAuWT/LBSHMgysRefLkPFw4qiSlKosKM775XZLIMergv9OlUf+Ju2O1J1A2+qhQiaAsDwIDAQAB

Once that's done, I need to check the dashboard to make sure it's working.

For mail.freelawproject.org

I checked what was here by using:

dig mail.freelawproject.org any

But SPF, DKIM, and DMARC are not configured. I believe this means that a lot of your mail won't go through, especially since Google is going DMARC strict next year. I'll provide notes for these as I find them. For DKIM, the best guide I've found is Digital Ocean's, though we haven't followed it word for word at CourtListener.

SPF

CourtListener

Done!

Free Law Project

Google Mail needs a TXT record with the following content:

v=spf1 include:_spf.google.com ~all

mail.freelawproject.org does not have an SPF record. I'm not sure what it should be, but CourtListener has one with a possible example of multiple values. I'm not sure how subdomains are handled either. I do know that it's not a matter of simply adding a second SPF record for mail.flp.org; only one SPF record is allowed per domain.

Digital Ocean has an article on SPF records that might be helpful. The info above is from Google's Documentation.

DMARC

DMARC seems to be a layer on top of SPF and DKIM. If both are working, you're ready to do this too. If this is done with broken DKIM or SPF, your mail will summarily stop. Since mail.flp.org isn't set up, we're about to have issues (more on this in a sec).

CourtListener

From Google's Documentation, create a TXT record named _dmarc.courtlistener.com. with the value:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@freelawproject.org

Note that rua does use flp.org. I'm trying to wind down CL.com email. dmarc-reports@flp.org is an alias to admin@flp.org, which in turn forwards all mail to both of us.

Free Law Project

For Google servers, the same process as above can be completed, creating a TXT record named _dmarc.courtlistener.com. with the value:

v=DMARC1; p=none; rua=mailto:dmarc-reports@freelawproject.org; aspf=r

Note, however, that p=none and that aspf=r. This says, in essence, to ignore failures of DKIM and of SPF (p=none), and to allow mail from subdomains (aspf=r). This is not a good way to have this set up, and it will undoubtedly cause us headaches similar to this one later. If you can get SPF and DKIM working for mail.flp.org, then the correct way to set up DMARC for flp.org is:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@freelawproject.org; aspf=r

The best place to learn about DMARC is from the RFC, of course. If you want to deploy this slowly, Google has some notes on how to do so, but I think we should go for it, monitoring the reports that come in to dmarc-reports@flp.org.

Reverse PTR Records

For CL and FLP, this is currently set to 64-201-244-226.static.paxio.net., which is more or less OK, but if we can change it to courtlistener.com. or to freelawproject.org, that'd be better. We'd need Paxio to make the change though.

Tests

There are three testing tools I know. Might as well use 'em all:

  1. Send an email to a Google account and then use "View Original" to see the headers that Google added.
  2. Send an email to check-auth@verifier.port25.com and in reply you'll get a big diagnostic email.
  3. Go to https://www.mail-tester.com/, get an address to send to, and use that.

UGH!
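A check worth running on a DKIM TXT record before it goes into DNS, as an added example (not the project's code). For k=rsa, RFC 6376 section 3.6.1 requires p= to be the base64 of a DER-encoded SubjectPublicKeyInfo, which is what `openssl rsa -in dkim.key -pubout` prints between the PEM header lines; the OpenSSH public-key encoding that `ssh-keygen -y` prints (it begins with `AAAAB3NzaC1yc2E`) is a different structure, and receivers cannot verify signatures against it. The script decodes p=, looks for the rsaEncryption OID that a SubjectPublicKeyInfo always carries, and warns when the record exceeds the 255-octet limit of a single TXT string (a 2048-bit key must be published as several quoted strings). SAMPLE_RECORD is the mail._domainkey value quoted later in this thread; SSH_STYLE_P is a constructed OpenSSH-format blob.

```python
# Added example (not the project's code): sanity-check a DKIM TXT record
# before publishing it.  For k=rsa, p= must be base64 of a DER
# SubjectPublicKeyInfo (RFC 6376, section 3.6.1).  The check below decodes
# p=, requires a DER SEQUENCE carrying the rsaEncryption OID, and flags
# records longer than one 255-octet TXT string.
import base64
import binascii

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID_DER = bytes.fromhex("06092a864886f70d010101")

# The mail._domainkey.courtlistener.com value quoted in this thread.
SAMPLE_RECORD = (
    "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJLct3k+/zD7Pd48qUJj0Z88dEop5Gl7U94SFHHBqU0dvQEaGpyNkYD693ytpK4+THC0O2cAcB+DPgGIhBTSbCUEvmqf+iyTdvTuWAZKWBMmnVFEAQsl4rTDHHD5Zd+O2Zk8txztXHKdm/zAfG6YlSLpwmvvw33Mr6P9qXSXK9/wIDAQAB"
)

# Constructed: OpenSSH wire format is length-prefixed "ssh-rsa", e, n.
SSH_STYLE_P = base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa"
    + b"\x00\x00\x00\x03\x01\x00\x01"
    + b"\x00\x00\x00\x04\x00\xc0\xff\xee"
).decode()


def parse_tags(record):
    """tag=value pairs separated by ';'; whitespace inside a value is folding
    whitespace and is dropped."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def check_dkim_record(record):
    """Return a list of problems; an empty list means the record looks publishable."""
    problems = []
    tags = parse_tags(record)
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa is checked here")
        return problems
    p = tags.get("p")
    if not p:
        problems.append("p= missing or empty (an empty p= means the key is revoked)")
        return problems
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        problems.append("p= is not valid base64")
        return problems
    if der[:1] != b"\x30":
        problems.append("p= does not decode to a DER SEQUENCE (SubjectPublicKeyInfo)")
    if RSA_ENCRYPTION_OID_DER not in der:
        problems.append("p= carries no rsaEncryption OID; an OpenSSH public key is not a DKIM key")
    if len(record) > 255:
        problems.append("record exceeds 255 octets; publish it as several quoted strings")
    return problems


def as_zone_txt(record, limit=255):
    """Zone-file form: consecutive quoted strings of at most `limit` octets,
    which resolvers concatenate back into one record."""
    chunks = [record[i:i + limit] for i in range(0, len(record), limit)]
    return " ".join('"%s"' % c for c in chunks)


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_RECORD))                 # []
    print(check_dkim_record("k=rsa; p=" + SSH_STYLE_P))     # two problems
    print(as_zone_txt("k=rsa; p=" + "A" * 400))             # two quoted strings
```

The OID test is deliberately loose (a substring match rather than a full ASN.1 walk), but it is enough to separate a SubjectPublicKeyInfo from the other encodings a private key can be turned into, and to catch a record truncated by a copy-and-paste.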

brianwc commented 9 years ago

I think I made all the above changes for FLP & mail.flp (should take until at least 10:33 PST to propagate). CL mail works presently. Let's not break both at the same time. Once you confirm FLP mail is working, I'll fiddle with CL, but it already has most of what is described above. Here's the existing mail-related bits of CL's DNS record:

mail.courtlistener.com. IN      CNAME   ghs.google.com.
CourtListener.com.      IN      MX      1 ALT1.ASPMX.L.GOOGLE.COM.
courtListener.com.      IN      MX      1 aspmx.l.google.com.
CourtListener.com.      IN      MX      1 ASPMX2.GOOGLEMAIL.COM.
courtlistener.com.      IN      MX      1 ALT2.ASPMX.L.GOOGLE.COM.
_domainkey.courtlistener.com.   IN      TXT "o=~\; r=mike@courtlistener.com"
mail._domainkey.courtlistener.com.    IN      TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJLct3k+/zD7Pd48qUJj0Z88dEop5Gl7U94SFHHBqU0dvQEaGpyNkYD693ytpK4+THC0O2cAcB+DPgGIhBTSbCUEvmqf+iyTdvTuWAZKWBMmnVFEAQsl4rTDHHD5Zd+O2Zk8txztXHKdm/zAfG6YlSLpwmvvw33Mr6P9qXSXK9/wIDAQAB"
courtlistener.com.  IN  TXT "v=spf1 a mx ptr mx:alt1.aspmx.l.google.com mx:alt2.aspmx.l.google.com mx:aspmx.l.google.com mx:aspmx2.googlemail.com mx:courtlistener.com ?all"

mlissner commented 8 years ago

Agree - doing one at a time is smart!

So, I can only test flp.org, not mail.flp.org, and it looks pretty good. DKIM and SPF are all set according to the best test site I've found (10/10). But I'm totally confused because I can't for the life of me find the DKIM record using dig. I don't know why this is working, and that makes me scared that we're missing some important detail?

Anyway, if this is indeed all set, and if mail.flp.org also has working SPF and DKIM, I believe the DMARC we need is:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@freelawproject.org; aspf=r

I found a DMARC testing site we can use too.

CourtListener

For CourtListener, the testing website currently reports:

Your email will never see the light of an inbox (1.7/10)

And it has bats flying around. Spooky, but appropriate for today, I suppose. Anyway, SPF is failing because:

Maximum void DNS look-ups limit (2) exceeded

Which I think is because our record has stuff from Google that's changed? I think it should be:

v=spf1 a include:_spf.google.com ~all

This translates to:

DKIM seems to somehow be working for both Google mail and from the server. Do we have both keys set up? Again, I can't find these DNS records?

DMARC needs love, natch -- it's where this whole thing started:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@freelawproject.org

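The "void DNS look-ups" failure reported above comes from RFC 7208, section 4.6.4: an SPF evaluation may involve at most 10 terms that cause DNS queries (include, a, mx, ptr, exists, redirect) and at most 2 "void" queries, meaning answers of NXDOMAIN or no records. An `mx:<name>` term asks for the MX records *of that name*; hosts such as aspmx.l.google.com are MX targets and normally have no MX records of their own, so each such term in the old courtlistener.com record is a likely void query. The following lint is an added example, not the project's code; it runs offline, so it counts the terms in the record itself and cannot follow include: chains (nested includes count toward the 10 as well). OLD and NEW are the two courtlistener.com records quoted in this thread.

```python
# Added example (not the project's code): lint an SPF record for the RFC 7208
# section 4.6.4 limits (10 DNS-querying terms, 2 void lookups) and for the
# weak spots in the old courtlistener.com record: the deprecated ptr
# mechanism and a neutral ?all.  Offline: include: chains are not followed.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# The old and proposed courtlistener.com records quoted in this thread.
OLD = ("v=spf1 a mx ptr mx:alt1.aspmx.l.google.com mx:alt2.aspmx.l.google.com "
       "mx:aspmx.l.google.com mx:aspmx2.googlemail.com mx:courtlistener.com ?all")
NEW = "v=spf1 a include:_spf.google.com ~all"


def lint_spf(record):
    """Return {'lookups': n, 'mx_lookups': [names], 'problems': [text]}."""
    terms = record.split()
    result = {"lookups": 0, "mx_lookups": [], "problems": []}
    if not terms or terms[0].lower() != "v=spf1":
        result["problems"].append("record must begin with v=spf1")
        return result
    saw_all = False
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            result["lookups"] += 1      # redirect= is a lookup and replaces all
            saw_all = True
            continue
        if t.startswith("exp="):
            continue                    # explanation string, no lookup counted
        qualifier = t[0] if t[0] in "+-~?" else "+"
        mech = t.lstrip("+-~?")
        name = mech.split(":", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHANISMS:
            result["lookups"] += 1
        if name == "ptr":
            result["problems"].append("ptr is deprecated by RFC 7208; use ip4/ip6, a or mx")
        if name == "mx" and ":" in mech:
            # mx:<name> queries the MX records of <name>; an MX target has none
            result["mx_lookups"].append(mech.split(":", 1)[1])
        if name == "all":
            saw_all = True
            if qualifier == "?":
                result["problems"].append("?all is neutral: receivers learn nothing from the record")
            elif qualifier == "+":
                result["problems"].append("+all authorizes every sender")
    if not saw_all:
        result["problems"].append("no all mechanism or redirect=; unmatched senders get neutral")
    if result["lookups"] > 10:
        result["problems"].append(f"{result['lookups']} lookup terms exceeds the limit of 10")
    if len(result["mx_lookups"]) > 2:
        result["problems"].append(
            f"{len(result['mx_lookups'])} mx:<name> terms; each name without MX records "
            "is a void lookup, and the limit is 2")
    return result


if __name__ == "__main__":
    print(lint_spf(OLD))   # 8 lookups, 5 mx: names, 3 problems
    print(lint_spf(NEW))   # 2 lookups, no problems
```

The proposed record keeps a single `a` term for the server itself and delegates Google's ranges to `include:_spf.google.com`, so Google can change its netblocks without the record going stale, which is the failure the old list of `mx:` hosts was exposed to.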
mlissner commented 8 years ago

We still have the work to do in the above comment, but I left Thunderbird open just in case, and my old inbox at maricopa.sharealike is still getting emails. I think they're mostly from inside the network, like from lists.flp.org and from mail.flp.org. Some other emailers were just slow to update their DNS (spammers and such), so I thought the internally-sent emails would eventually stop, but I'm beginning to suspect there's something amiss.

mlissner commented 8 years ago

So, got another email to maricopa.flp.org from lists.flp.org, so something is definitely amiss there.

mlissner commented 8 years ago

Just got another email with:

I apologize if you received this twice. I received an undeliverable email notification when I used the Court Listener Contact Us.

We really need to address this once we get the FLP server back online. @brianwc, if you can give me the permissions needed, I'll be happy to get this done.

brianwc commented 8 years ago

DMARC testing site now reports 8.8/10, dinging us mainly for the paxio rdns issue that is out of our hands and because my test email didn't contain an html version.

mlissner commented 8 years ago

This looks about right to me too. Thanks for wrapping this up.