iredmail / iRedAdmin

iRedMail Admin Panel (Open Source Edition)
https://www.iredmail.org/admin_panel.html
GNU General Public License v2.0

Newsletter/ML with mlmmj don't have DKIM signing. #3

Closed Dexus closed 4 years ago

Dexus commented 4 years ago

Hello again, I think everything that is sent with the mlmmj in the iRedAdmin-Pro (SQL) should also be sent DKIM signed. But that is currently not done.

Also the message is using no-reply@localhost.local even after fixing the #2 issue - see headers:

Delivered-To: receipt@example.com
Received: by 2002:a6b:b60a:0:0:0:0:0 with SMTP id g10csp2016815iof;
        Sat, 2 May 2020 06:44:30 -0700 (PDT)
X-Google-Smtp-Source: APiQypKQaZZweethc99+PtgLFcoslTHmTYPAcB5flksa9tqd0w/lYEpVmxWJacCzXPf+EOlXScMq
X-Received: by 2002:adf:df04:: with SMTP id y4mr9392290wrl.413.1588427070491;
        Sat, 02 May 2020 06:44:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1588427070; cv=none;
        d=google.com; s=arc-20160816;
        b=tPVBoOs/b4QY50Q4FvrDanKk3Btwh6SPkf7NotLxg9M7AoO5h0MO9fV8XA6DDdjCwN
         gUZfWYcWRh3ZaYY7ugo2QioLzp7taYynUlLWaKDVT4Vloabf9/ikssZSJMYeKdTG6Ee9
         rE7p4s4pxPuNcJepKGDpmuK5/7Sb9MLFeb7at6f4mrch2EdBfu6qahd6nItxoDhsizpt
         tjv0DtDIwhqDV9Y2J/Q58LbINNS1rwCO14VQmZ7OZSOqs33Ufa6+vGz/6VGmbreq8Yyo
         7YUkL8Z822556hpY49jXuczq94d35knHxmkquxs5MER+1odmnOP7V0WPBAsAYjekJnQE
         knkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=date:message-id:subject:to:from:mime-version;
        bh=W9copRtJgcenAa7KuZzmxnlUmSB2q5TPIrA/+zNBd+0=;
        b=IrpXRan9l7X0VPpg1dI+qlSyAIe85XOjaj2MX3uBJ7+xyHAEqFiY9AKv5Bhbc4ahkz
         soIC1O1BDW/+6fVJPcGKDsjimiM32/jhNcFFHm5yUlVEp0gZsdOnJeMTc53K2zYND9Mg
         8SJSk6Q6iMQZCBMEoErxXGFO0YY3kyBk9867evlJN4sHQj+psteysQOEIpgvfjQT73n+
         7zxdaLqKHXrtf0/RYgNc9HpuJSCvWAqe5QUexdOwHBJmBLZi7O0F6Prsr9EB8kTJC1Eh
         ENaqtlsijMidnJC/y4ZkBF+KNxfsgFwSpGwvryjQJxONsVk3zrUSKQxqVVQvckHW6dGH
         JuPA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 123.456.789.123 is neither permitted nor denied by best guess record for domain of no-reply@localhost.local) smtp.mailfrom=no-reply@localhost.local;
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=senderdomain.example.com
Return-Path: <no-reply@localhost.local>
Received: from mail.example.com (mail.example.com. [123.456.789.123])
        by mx.google.com with ESMTPS id f11si5248644wrr.209.2020.05.02.06.44.30
        for <receipt@example.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 02 May 2020 06:44:30 -0700 (PDT)
Received-SPF: neutral (google.com: 123.456.789.123 is neither permitted nor denied by best guess record for domain of no-reply@localhost.local) client-ip=123.456.789.123;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 123.456.789.123 is neither permitted nor denied by best guess record for domain of no-reply@localhost.local) smtp.mailfrom=no-reply@localhost.local;
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=senderdomain.example.com
Received: from mail.example.com (localhost [127.0.0.1]) by mail.example.com (Postfix) with ESMTP id 49Dr2P67RPz42Pn for <receipt@example.com>; Sat,
  2 May 2020 13:44:29 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at mail.example.com
X-Spam-Flag: NO
X-Spam-Score: 2.128
X-Spam-Level: **
X-Spam-Status: No, score=2.128 tagged_above=2 required=6.2 tests=[FROM_FMBLA_NEWDOM=1.5, HEADER_FROM_DIFFERENT_DOMAINS=0.249, NO_DNS_FOR_FROM=0.379, NO_RELAYS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.example.com ([127.0.0.1]) by mail.example.com (mail.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XMybXgnUvC8q for <receipt@example.com>; Sat,
  2 May 2020 13:44:29 +0000 (UTC)
Received: by mail.example.com (Postfix, from userid 2001) id 49Dr2P2HPtz42Pq; Sat,
  2 May 2020 13:44:29 +0000 (UTC)
Content-Type: multipart/alternative; boundary="===============0686849023228782657=="
MIME-Version: 1.0
From: No Reply <newsletter@senderdomain.example.com>
To: receipt@example.com
Subject: Subscription confirm: TSG News
Message-Id: <49Dr2P2HPtz42Pq@mail.example.com>
Date: Sat,
  2 May 2020 13:44:29 +0000 (UTC)

Else your DKIM/DMARC settings will hit and the mail will be marked as SPAM. Maybe also the X-Spam-xxx header fields should prevent from sending to outbound, but that should not be the question here.

iredmail commented 4 years ago

  1. Which iRedMail release are you running?
  2. Could you please show us full Postfix log related to this email? especially Amavisd log.
  3. Please check Amavisd config file /etc/amavis/conf.d/50-user, parameter $policy_bank{'MYNETS'}, does it have setting originating => 1, and enable_dkim_signing => 1, like below?

$policy_bank{'MYNETS'} = {
    originating => 1,
    ...
    enable_dkim_signing => 1,
};

Dexus commented 4 years ago

I changed LINE 165 in mlmmj/newsletter.py to qr = iredutils.sendmail(recipients=subscriber, message_text=_msg_string, from_address=mail)

Dexus commented 4 years ago

I use the iRedAdmin-Pro-SQL-4.3 release, freshly installed 3 days ago.

iredmail commented 4 years ago

> I changed LINE 165 in mlmmj/newsletter.py to qr = iredutils.sendmail(recipients=subscriber, message_text=_msg_string, from_address=mail)

You're right, we should always specify from_address. Fixed a moment ago.

Dexus commented 4 years ago

> 3. Please check Amavisd config file /etc/amavis/conf.d/50-user, parameter $policy_bank{'MYNETS'}, does it have setting originating => 1, and enable_dkim_signing => 1, like below?
>
> $policy_bank{'MYNETS'} = {
>     originating => 1,
>     ...
>     enable_dkim_signing => 1,
> };

is set like this.

iredmail commented 4 years ago

I can reproduce this issue, and here's the fix:

  • In file /etc/postfix/master.cf, find the pickup transport like below:

pickup     unix  n       -       n       60      1       pickup

  • Enable content_filter for it:

pickup     unix  n       -       n       60      1       pickup
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

  • Restart Postfix service.

Now subscription confirm email (and all emails generated locally without smtp auth) will be signed with proper DKIM.

Dexus commented 4 years ago

> Could you please show us full Postfix log related to this email? especially Amavisd log.

May  2 13:38:34 mail-nl-100 amavis[1187]: starting. /usr/sbin/amavisd-new at mailserver.example.com amavisd-new-2.11.0 (20160426), Unicode aware, LC_ALL="C", LANG="en_US.UTF-8"
May  2 13:38:35 mail-nl-100 amavis[2027]: Net::Server: Group Not Defined.  Defaulting to EGID '122 122'
May  2 13:38:35 mail-nl-100 amavis[2027]: Net::Server: User Not Defined.  Defaulting to EUID '117'
May  2 13:38:35 mail-nl-100 amavis[2027]: No ext program for   .F, tried: unfreeze, freeze -d, melt, fcat
May  2 13:38:35 mail-nl-100 amavis[2027]: No ext program for   .zoo, tried: zoo, unzoo
May  2 13:38:35 mail-nl-100 amavis[2027]: No decoder for       .F
May  2 13:38:35 mail-nl-100 amavis[2027]: No decoder for       .zoo
May  2 13:38:35 mail-nl-100 amavis[2027]: Using primary internal av scanner code for clamav-socket
May  2 13:38:35 mail-nl-100 amavis[2027]: Found secondary av scanner clamav-clamscan at /usr/bin/clamscan
May  2 13:38:37 mail-nl-100 postfix/postfix-script[2458]: starting the Postfix mail system
May  2 13:38:37 mail-nl-100 postfix/master[2462]: daemon started -- version 3.3.0, configuration /etc/postfix
May  2 13:44:29 mail-nl-100 postfix/pickup[2466]: 49Dr2P2HPtz42Pq: uid=2001 from=<no-reply@localhost.local>
May  2 13:44:29 mail-nl-100 postfix/cleanup[3654]: 49Dr2P2HPtz42Pq: message-id=<49Dr2P2HPtz42Pq@mailserver.example.com>
May  2 13:44:29 mail-nl-100 postfix/qmgr[2467]: 49Dr2P2HPtz42Pq: from=<no-reply@localhost.local>, size=1066, nrcpt=1 (queue active)
May  2 13:44:29 mail-nl-100 postfix/10025/smtpd[3671]: connect from localhost[127.0.0.1]
May  2 13:44:29 mail-nl-100 postfix/10025/smtpd[3671]: 49Dr2P67RPz42Pn: client=localhost[127.0.0.1]
May  2 13:44:29 mail-nl-100 postfix/cleanup[3654]: 49Dr2P67RPz42Pn: message-id=<49Dr2P2HPtz42Pq@mailserver.example.com>
May  2 13:44:29 mail-nl-100 postfix/10025/smtpd[3671]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May  2 13:44:29 mail-nl-100 postfix/qmgr[2467]: 49Dr2P67RPz42Pn: from=<no-reply@localhost.local>, size=1894, nrcpt=1 (queue active)
May  2 13:44:29 mail-nl-100 amavis[2487]: (02487-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] /ESMTP <no-reply@localhost.local> -> <receiver3@gmail.com>, (), Message-ID: <49Dr2P2HPtz42Pq@mailserver.example.com>, mail_id: XMybXgnUvC8q, b: 0Ad-XyqMd, Hits: 2.128, size: 1066, queued_as: 49Dr2P67RPz42Pn, Subject: "Subscription confirm: TSG News", From: <newsletter@senderdomain.example.com>, helo=, Tests: [FROM_FMBLA_NEWDOM=1.5,HEADER_FROM_DIFFERENT_DOMAINS=0.249,NO_DNS_FOR_FROM=0.379,NO_RELAYS=-0.001,URIBL_BLOCKED=0.001], autolearn=no autolearn_force=no, autolearnscore=2.128, 502 ms
May  2 13:44:29 mail-nl-100 postfix/amavis/smtp[3663]: 49Dr2P2HPtz42Pq: to=<receiver3@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.63, delays=0.09/0.02/0.01/0.51, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49Dr2P67RPz42Pn)
May  2 13:44:29 mail-nl-100 postfix/qmgr[2467]: 49Dr2P2HPtz42Pq: removed
May  2 13:44:30 mail-nl-100 postfix/smtp[3676]: Trusted TLS connection established to gmail-smtp-in.l.google.com[64.233.184.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
May  2 13:44:30 mail-nl-100 postfix/smtp[3676]: 49Dr2P67RPz42Pn: to=<receiver3@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.184.26]:25, delay=0.77, delays=0.03/0.03/0.23/0.48, dsn=2.0.0, status=sent (250 2.0.0 OK DMARC:Quarantine 1588427070 f11si5248644wrr.209 - gsmtp)
May  2 13:44:30 mail-nl-100 postfix/qmgr[2467]: 49Dr2P67RPz42Pn: removed
May  2 14:05:30 mail-nl-100 postfix/pickup[2466]: 49DrVf3VJQz42Pr: uid=2001 from=<no-reply@localhost.local>
May  2 14:05:30 mail-nl-100 postfix/cleanup[4215]: 49DrVf3VJQz42Pr: message-id=<49DrVf3VJQz42Pr@mailserver.example.com>
May  2 14:05:30 mail-nl-100 postfix/qmgr[2467]: 49DrVf3VJQz42Pr: from=<no-reply@localhost.local>, size=1071, nrcpt=1 (queue active)
May  2 14:05:31 mail-nl-100 postfix/10025/smtpd[4227]: connect from localhost[127.0.0.1]
May  2 14:05:31 mail-nl-100 postfix/10025/smtpd[4227]: 49DrVg0YS7z42Pq: client=localhost[127.0.0.1]
May  2 14:05:31 mail-nl-100 postfix/cleanup[4215]: 49DrVg0YS7z42Pq: message-id=<49DrVf3VJQz42Pr@mailserver.example.com>
May  2 14:05:31 mail-nl-100 postfix/qmgr[2467]: 49DrVg0YS7z42Pq: from=<no-reply@localhost.local>, size=1909, nrcpt=1 (queue active)
May  2 14:05:31 mail-nl-100 postfix/10025/smtpd[4227]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May  2 14:05:31 mail-nl-100 amavis[2486]: (02486-01) Passed CLEAN {RelayedInbound}, [127.0.0.1] /ESMTP <no-reply@localhost.local> -> <receiver2@gmail.com>, (), Message-ID: <49DrVf3VJQz42Pr@mailserver.example.com>, mail_id: zpFmEJUAWbdv, b: FgGRemqBR, Hits: 2.128, size: 1071, queued_as: 49DrVg0YS7z42Pq, Subject: "Subscription confirm: TSG News", From: <newsletter@senderdomain.example.com>, helo=, Tests: [FROM_FMBLA_NEWDOM=1.5,HEADER_FROM_DIFFERENT_DOMAINS=0.249,NO_DNS_FOR_FROM=0.379,NO_RELAYS=-0.001,URIBL_BLOCKED=0.001], autolearn=no autolearn_force=no, autolearnscore=2.128, 547 ms
May  2 14:05:31 mail-nl-100 postfix/amavis/smtp[4222]: 49DrVf3VJQz42Pr: to=<receiver2@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.69, delays=0.1/0.02/0.03/0.55, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49DrVg0YS7z42Pq)
May  2 14:05:31 mail-nl-100 postfix/qmgr[2467]: 49DrVf3VJQz42Pr: removed
May  2 14:05:31 mail-nl-100 postfix/smtp[4231]: Trusted TLS connection established to gmail-smtp-in.l.google.com[64.233.184.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
May  2 14:05:31 mail-nl-100 postfix/smtp[4231]: 49DrVg0YS7z42Pq: to=<receiver2@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.184.26]:25, delay=0.72, delays=0.02/0.03/0.22/0.45, dsn=2.0.0, status=sent (250 2.0.0 OK DMARC:Quarantine 1588428331 r1si5192228wrx.129 - gsmtp)
May  2 14:05:31 mail-nl-100 postfix/qmgr[2467]: 49DrVg0YS7z42Pq: removed
May  2 14:06:58 mail-nl-100 postfix/pickup[2466]: 49DrXL1txhz42Pr: uid=2001 from=<newsletter@senderdomain.example.com>
May  2 14:06:58 mail-nl-100 postfix/cleanup[4215]: 49DrXL1txhz42Pr: message-id=<49DrXL1txhz42Pr@mailserver.example.com>
May  2 14:06:58 mail-nl-100 postfix/qmgr[2467]: 49DrXL1txhz42Pr: from=<newsletter@senderdomain.example.com>, size=1072, nrcpt=1 (queue active)
May  2 14:06:58 mail-nl-100 postfix/10025/smtpd[4227]: connect from localhost[127.0.0.1]
May  2 14:06:58 mail-nl-100 postfix/10025/smtpd[4227]: 49DrXL3wQXz42Pq: client=localhost[127.0.0.1]
May  2 14:06:58 mail-nl-100 postfix/cleanup[4215]: 49DrXL3wQXz42Pq: message-id=<49DrXL1txhz42Pr@mailserver.example.com>
May  2 14:06:58 mail-nl-100 postfix/qmgr[2467]: 49DrXL3wQXz42Pq: from=<newsletter@senderdomain.example.com>, size=1629, nrcpt=1 (queue active)
May  2 14:06:58 mail-nl-100 postfix/10025/smtpd[4227]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May  2 14:06:58 mail-nl-100 amavis[2487]: (02487-02) Passed CLEAN {RelayedInbound}, [127.0.0.1] /ESMTP <newsletter@senderdomain.example.com> -> <receiver@gmail.com>, (), Message-ID: <49DrXL1txhz42Pr@mailserver.example.com>, mail_id: dsA3NHb7fI4u, b: vzttPRLWD, Hits: 1.5, size: 1072, queued_as: 49DrXL3wQXz42Pq, Subject: "Subscription confirm: TSG News", From: <newsletter@senderdomain.example.com>, helo=, Tests: [FROM_FMBLA_NEWDOM=1.5,NO_RELAYS=-0.001,URIBL_BLOCKED=0.001], autolearn=no autolearn_force=no, autolearnscore=1.5, 271 ms
May  2 14:06:58 mail-nl-100 postfix/amavis/smtp[4222]: 49DrXL1txhz42Pr: to=<receiver@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.33, delays=0.04/0/0.01/0.28, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49DrXL3wQXz42Pq)
May  2 14:06:58 mail-nl-100 postfix/qmgr[2467]: 49DrXL1txhz42Pr: removed
May  2 14:06:58 mail-nl-100 postfix/smtp[4231]: Trusted TLS connection established to gmail-smtp-in.l.google.com[64.233.184.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
May  2 14:06:59 mail-nl-100 postfix/smtp[4231]: 49DrXL3wQXz42Pq: to=<receiver@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.184.26]:25, delay=0.67, delays=0.02/0.01/0.19/0.46, dsn=2.0.0, status=sent (250 2.0.0 OK  1588428419 p9si5408235wre.435 - gsmtp)
May  2 14:06:59 mail-nl-100 postfix/qmgr[2467]: 49DrXL3wQXz42Pq: removed

receiver@gmail.com -> worked but not DKIM signed
receiver2@gmail.com -> receiver3@gmail.com > failed because no from_address
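An added triage example, not part of the original comment: it follows each locally submitted message from `postfix/pickup` through the Amavisd hop to the remote delivery, recording which filter port it used and whether the receiver answered with a `DMARC:` verdict. The sample lines are abridged from the log above; `signing_port=10026` is an assumption taken from the fix given in this thread, and the function name is hypothetical.

```python
import re

# Sample input: lines abridged from the log posted in this thread (hostname shortened).
SAMPLE_LOG = """\
May  2 13:44:29 mail postfix/pickup[2466]: 49Dr2P2HPtz42Pq: uid=2001 from=<no-reply@localhost.local>
May  2 13:44:29 mail postfix/amavis/smtp[3663]: 49Dr2P2HPtz42Pq: to=<receiver3@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.63, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49Dr2P67RPz42Pn)
May  2 13:44:30 mail postfix/smtp[3676]: 49Dr2P67RPz42Pn: to=<receiver3@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.184.26]:25, delay=0.77, dsn=2.0.0, status=sent (250 2.0.0 OK DMARC:Quarantine 1588427070 f11si5248644wrr.209 - gsmtp)
May  2 14:06:58 mail postfix/pickup[2466]: 49DrXL1txhz42Pr: uid=2001 from=<newsletter@senderdomain.example.com>
May  2 14:06:58 mail postfix/amavis/smtp[4222]: 49DrXL1txhz42Pr: to=<receiver@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.33, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49DrXL3wQXz42Pq)
May  2 14:06:59 mail postfix/smtp[4231]: 49DrXL3wQXz42Pq: to=<receiver@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.184.26]:25, delay=0.67, dsn=2.0.0, status=sent (250 2.0.0 OK  1588428419 p9si5408235wre.435 - gsmtp)
"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=\d+ from=<([^>]*)>")
FILTER = re.compile(r"postfix/amavis/smtp\[\d+\]: (\w+): .*relay=127\.0\.0\.1\[127\.0\.0\.1\]:(\d+),"
                    r".*queued as (\w+)\)")
REMOTE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]*)>.*status=(\w+) \((.*)\)")

def trace_local_mail(log_text, signing_port=10026):
    """Map each pickup queue ID to its sender, filter port, recipient and DMARC verdict."""
    msgs, requeued = {}, {}
    for line in log_text.splitlines():
        if m := PICKUP.search(line):
            msgs[m.group(1)] = {"sender": m.group(2), "filter_port": None,
                                "rcpt": None, "dmarc": None}
        elif (m := FILTER.search(line)) and m.group(1) in msgs:
            msgs[m.group(1)]["filter_port"] = int(m.group(2))
            requeued[m.group(3)] = m.group(1)      # new queue ID after Amavisd re-injects
        elif (m := REMOTE.search(line)) and m.group(1) in requeued:
            rec = msgs[requeued[m.group(1)]]
            rec["rcpt"] = m.group(2)
            verdict = re.search(r"DMARC:(\w+)", m.group(4))
            rec["dmarc"] = verdict.group(1) if verdict else None
    for rec in msgs.values():
        # Local mail that did not pass through the port named in the fix.
        rec["unsigned_path"] = rec["filter_port"] != signing_port
    return msgs
```

On the sample, both messages show `unsigned_path` as true, and only the one sent with the `no-reply@localhost.local` envelope sender carries the `Quarantine` verdict.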

Dexus commented 4 years ago

> I can reproduce this issue, and here's the fix:
>
>   • In file /etc/postfix/master.cf, find the pickup transport like below:
>
> pickup     unix  n       -       n       60      1       pickup
>
>   • Enable content_filter for it:
>
> pickup     unix  n       -       n       60      1       pickup
>   -o content_filter=smtp-amavis:[127.0.0.1]:10026
>
>   • Restart Postfix service.
>
> Now subscription confirm email (and all emails generated locally without smtp auth) will be signed with proper DKIM.

Thank you!
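An added example, not part of the original thread or the iRedMail code base: a check that a `master.cf` file carries the `pickup` override described in the fix above. It handles continuation lines and comments and the plain `-o name=value` form only; the function names and the sample `cleanup` line are constructed for illustration.

```python
# Constructed samples: the pickup entry from the thread, before and after the fix.
BEFORE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
"""
AFTER = """\
pickup     unix  n       -       n       60      1       pickup
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
cleanup    unix  n       -       n       -       0       cleanup
"""

def service_overrides(master_cf_text, service="pickup", stype="unix"):
    """Return the {name: value} "-o" overrides of one service, or None if it is not defined."""
    logical = []
    for raw in master_cf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank lines and comments
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()          # leading whitespace continues the entry
        else:
            logical.append(raw.strip())
    for entry in logical:
        fields = entry.split()
        # service, type, private, unpriv, chroot, wakeup, maxproc, command, then arguments
        if len(fields) >= 8 and fields[:2] == [service, stype]:
            args = fields[8:]
            pairs = (args[i + 1] for i, a in enumerate(args[:-1]) if a == "-o")
            return dict(p.split("=", 1) for p in pairs if "=" in p)
    return None

def pickup_has_filter_override(master_cf_text, expected="smtp-amavis:[127.0.0.1]:10026"):
    """True only when pickup carries the content_filter override given in the thread."""
    overrides = service_overrides(master_cf_text)
    return overrides is not None and overrides.get("content_filter") == expected
```

On a live host the text can come from `/etc/postfix/master.cf` or from the output of `postconf -M pickup/unix`.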

iredmail commented 4 years ago

Fixed in iRedMail a moment ago: https://github.com/iredmail/iRedMail/commit/74554496beadc0a3e4a942c09755a77da1de66b4