liuch / dmarc-srg

A php parser, viewer and summary report generator for incoming DMARC reports.
GNU General Public License v3.0

Please add RUF support #26

Closed ReVoLt112 closed 8 months ago

ReVoLt112 commented 2 years ago

Feature request:

As title says: Please add RUF Support! I love your tool!

liuch commented 2 years ago

Hello, ReVoLt112. I'm a little confused. Do mail servers send out such reports now? I haven't received any RUF report yet. I thought that sending such reports was the exception rather than the rule.

liuch commented 2 years ago

And thank you for your attention to my project!

geekasylum commented 1 year ago

OpenDMARC is one package that supports sending these reports, but I'm not sure that they require any processing. There is little there beyond the originating IP address, From: address, and the reported failed DMARC domain.

For my small mail server, I simply point my domain's RUF= to postmaster, and also BCC postmaster with any Failure Reports that OpenDMARC generates for other domains, just to keep an eye on them.

There is certainly no XML attachment, etc., that I have seen; however, I am a tiny MTA by general standards, so don't decide based on my feedback. I only wished to confirm that indeed, some mail servers do send these out.

liuch commented 1 year ago

Thank you, @geekasylum !

williamdes commented 1 year ago

> Hello, ReVoLt112. I'm a little confused. Do mail servers send out such reports now? I haven't received any RUF report yet. I thought that sending such reports was the exception rather than the rule.

You can have some if you post emails into Debian mailing lists or something Debian packaging related. Most probably because I sent an email to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031114#43 and it got forwarded to a mailing list.

Anyway, here is an example. But RUF reports are pretty rare.

Return-Path: <opendmarc@disroot.org>
Delivered-To: xxx+ruf-xxxx.xxx@datacenters.network
Received: from dc4.servers.datacenters.network
    by dc4.servers.datacenters.network with LMTP
    id sPIbGXFX6WPADwAA3BZZyA
    (envelope-from <opendmarc@disroot.org>)
    for <xxx+ruf-xxxx.xxx@datacenters.network>; Sun, 12 Feb 2023 21:17:37 +0000
Received: from localhost (localhost [127.0.0.1])
    by dc4.servers.datacenters.network (Postfix) with ESMTP id 63D3B4521D
    for <xxx+ruf-xxxx.xxx@datacenters.network>; Sun, 12 Feb 2023 21:17:37 +0000 (UTC)
X-Virus-Scanned: Yes
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-9999 required=6.31
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
    SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: dc4.servers.datacenters.network (amavisd-new);
    dkim=pass (2048-bit key) header.d=disroot.org
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=178.21.23.139; helo=knopi.disroot.org; envelope-from=opendmarc@disroot.org; receiver=<UNKNOWN> 
Received: from knopi.disroot.org (knopi.disroot.org [178.21.23.139])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (2048 bits))
    (No client certificate requested)
    by dc4.servers.datacenters.network (Postfix) with ESMTPS id 535425033F
    for <xxx+ruf-xxxx.xxx@datacenters.network>; Sun, 12 Feb 2023 21:17:19 +0000 (UTC)
Received: by disroot.org (Postfix, from userid 121)
    id 2779C4141B; Sun, 12 Feb 2023 22:21:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail;
    t=1676236868; bh=+oab3VApCV5KHW+wuYRugjyw2ilLYj446KAtpDsw0S8=;
    h=From:To:Date:Subject;
    b=GUNKzUyJFQkP+ATi8g0+VGy3MiSFGSwS6ivNKkSX/alahAgBUxz6IUiNa/vq6MtLD
     IkpnDl+8hhGsUDkVjhZY3QyoETeVwKJoAdMwKNE6Cww3GV5NIkNB9C8H/wypclIuOz
     vnV696VHZ8Bc1mI4L4mhneH/8BvZ9SAXsKjB/9Cz/EnDDsTsI+ZRHHrzIldnpQICtn
     /FlgzbxIMmM7wflAbGWsYARqVcbi1gefwdfnr1YM7wdfkBSAVwqckD+zCFYXsUVlAX
     PpPnzXjl3krLtNbfUfavozf0WhAw1mlrY+7RrSqIgd0QbLd6HImq6oLw4UuU/DAj1i
     h9QZ81W+fFzwg==
From: OpenDMARC Filter <opendmarc@disroot.org>
To: xxx+ruf-xxxx.xxx@datacenters.network
Date: Sun, 12 Feb 2023 22:21:08 +0100 (CET)
Subject: FW: [Pkg-javascript-devel] Bug#1031114: fwd
MIME-Version: 1.0
Content-Type: multipart/report;
    report-type=feedback-report;
    boundary="disroot.org:12D3E4129B"
Message-Id: <20230212212108.2779C4141B@disroot.org>

--disroot.org:12D3E4129B
Content-Type: text/plain

This is an authentication failure report for an email message received from IP
185.73.44.171 on Sun, 12 Feb 2023 22:21:08 +0100 (CET).

--disroot.org:12D3E4129B
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.4.0
Auth-Failure: dmarc
Authentication-Results: OpenDMARC; dmarc=fail header.from=wdes.fr
Original-Envelope-Id: 12D3E4129B
Original-Mail-From: pkg-javascript-devel-bounces+shirish12=disroot.org@alioth-lists.debian.net
Source-IP: 185.73.44.171 (alioth-lists-01.debian.net)
Reported-Domain: wdes.fr

--disroot.org:12D3E4129B
Content-Type: text/rfc822-headers

Authentication-Results: disroot.org;
    dkim=fail reason="signature verification failed" (4096-bit key; unprotected) header.d=wdes.fr header.i=@wdes.fr header.a=rsa-sha256 header.s=mail header.b=cXABK64c;
    dkim-atps=neutral
Received: from localhost ([::1] helo=alioth-lists-01.debian.net)
    by alioth-lists-01.debian.net with esmtp (Exim 4.92)
    (envelope-from <pkg-javascript-devel-bounces+shirish12=disroot.org@alioth-lists.debian.net>)
    id 1pRJmV-0006IR-JG
    for shirish12@disroot.org; Sun, 12 Feb 2023 21:21:07 +0000
Received: from buxtehude.debian.org ([2607:f8f0:614:1::1274:39])
 by alioth-lists-01.debian.net with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <debbugs@buxtehude.debian.org>) id 1pRJmT-0006G5-Dm
 for pkg-javascript-devel@lists.alioth.debian.org;
 Sun, 12 Feb 2023 21:21:05 +0000
Received: from debbugs by buxtehude.debian.org with local (Exim 4.94.2)
 (envelope-from <debbugs@buxtehude.debian.org>)
 id 1pRJmR-002hkX-BG; Sun, 12 Feb 2023 21:21:03 +0000
X-Loop: owner@bugs.debian.org
Resent-From: William Desportes <williamdes@wdes.fr>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Debian Javascript Maintainers
 <pkg-javascript-devel@lists.alioth.debian.org>
X-Loop: owner@bugs.debian.org
Resent-Date: Sun, 12 Feb 2023 21:21:02 +0000
Resent-Message-ID: <handler.1031114.B1031114.1676236586642446@bugs.debian.org>
X-Debian-PR-Message: followup 1031114
X-Debian-PR-Package: src:jquery-timepicker
X-Debian-PR-Keywords: bookworm sid
References: <BMAZPR.SEFFVU5TGZIQ2@queued.net> <67XXPR.TW15AOYHKCMI3@queued.net>
X-Debian-PR-Source: jquery-timepicker
Received: via spool by 1031114-submit@bugs.debian.org
 id=B1031114.1676236586642446
 (code B ref 1031114); Sun, 12 Feb 2023 21:21:02 +0000
Received: (at 1031114) by bugs.debian.org; 12 Feb 2023 21:16:26 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
 (2021-04-09) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=4.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MURPHY_DRUGS_REL8,ONEWORD,
 SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no
 version=3.4.6-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 16; hammy, 81; neutral, 32; spammy, 1.
 spammytokens:0.946-+--H*r:bugs.debian.org
 hammytokens:0.000-+--backports, 0.000-+--debian's, 0.000-+--debians,
 0.000-+--backport, 0.000-+--HAuthentication-Results:4096-bit
Received: from dc4.servers.datacenters.network ([185.171.202.122]:11129)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.94.2) (envelope-from <williamdes@wdes.fr>)
 id 1pRJhy-002h7m-L3
 for 1031114@bugs.debian.org; Sun, 12 Feb 2023 21:16:26 +0000
X-Virus-Scanned: Yes
Authentication-Results: dc4.servers.datacenters.network (amavisd-new);
 dkim=pass (4096-bit key) header.d=wdes.fr
Date: Sun, 12 Feb 2023 22:16:18 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wdes.fr; s=mail;
 t=1676236350; bh=cLO/QFqTl29gATIuAig8rmdBlfx1xEMSJC+A+v61Q84=;
 h=From:To:Subject:In-Reply-To:References;
 b=cXABK64c70nJsRrjsNxT+lIsJjwn9d7J9UM3nl4SswnZJSGemDCITuUNqw2FCHBj4
 wgqfaG/P8vxrMITjTq/Q9meE0NjP+L1X1PENcuut2g4PwuwgGjnVPVxd+Q4JgCbMpF
 ka4vEazjLZd+99uciWKMwclF1iMiknEybNga2CS2nPYr0ZXe9/DU+beut7PQnjxXNr
 p5dlic6NZ7yqNczJYCqZNRzcrgcSoCeeE7dwr9mCN4JBpKX1gJ1O0dKZS8rjfpSoZ8
 9CqF1NAVMbrOqKvD8ToXBxQHopBAS8ARek6NnRu1Ls6V8pxFXveIgDqPbtgAe/OBYZ
 z88phhWrJWRPDnN4Clz7RWb3vDesBGRTTCRQwiXhyT+nRLoHcJamccCKuL/Acutl5w
 WBmgGtrGpDt9hMlj2/V4jmyvxEtbNpPDENitNErkIu+PsUNG7K+mjUfqGcrcZP3/mH
 oWBBxPMTJ3vzYUC28QHsVkeCR20o4stXlRhGfoJN+Eu2o+WL1oTQTirIj6QOXqGBj7
 s8G8FNdnPnExW5NPHXtDwjQVPFbBHg4553srKacl6nmDzfgkRv40JjVKTGJ3MR6Hbn
 0H3+Z+Z9XY/yZMNcMYy75609YrRQRQ0mm9q9cBCNo8++IEiX0ycOb7wQqV4q/2bbGz
 bTBk51pO88I0EzvPe7t04O/c=
From: William Desportes <williamdes@wdes.fr>
To: Andres Salomon <dilinger@queued.net>, 1031114@bugs.debian.org
In-Reply-To: <BMAZPR.SEFFVU5TGZIQ2@queued.net>
Message-ID: <15334981-3D75-45BB-90F4-58FC1AC54E4F@wdes.fr>
Mime-Version: 1.0
Received-SPF: pass client-ip=2607:f8f0:614:1::1274:39;
 envelope-from=debbugs@buxtehude.debian.org; helo=buxtehude.debian.org
x-debian-approved: yes
Subject: [Pkg-javascript-devel] Bug#1031114: fwd
X-BeenThere: pkg-javascript-devel@alioth-lists.debian.net
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: pkg-javascript main list
 <pkg-javascript-devel.alioth-lists.debian.net>
List-Unsubscribe: <https://alioth-lists.debian.net/cgi-bin/mailman/options/pkg-javascript-devel>,
 <mailto:pkg-javascript-devel-request@alioth-lists.debian.net?subject=unsubscribe>
List-Archive: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/>
List-Post: <mailto:pkg-javascript-devel@alioth-lists.debian.net>
List-Help: <mailto:pkg-javascript-devel-request@alioth-lists.debian.net?subject=help>
List-Subscribe: <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel>,
 <mailto:pkg-javascript-devel-request@alioth-lists.debian.net?subject=subscribe>
Reply-To: William Desportes <williamdes@wdes.fr>, 1031114@bugs.debian.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pkg-javascript-devel-bounces+shirish12=disroot.org@alioth-lists.debian.net
Sender: "Pkg-javascript-devel"
 <pkg-javascript-devel-bounces+shirish12=disroot.org@alioth-lists.debian.net>

--disroot.org:12D3E4129B--

geekasylum commented 1 year ago

That seems to be generated by OpenDMARC, as I mentioned earlier. I don't mean to state the obvious, but for anyone unfamiliar with OpenDMARC, the relevant bit is the "Content-Type: message/feedback-report" section (the failure report), and the plain text immediately above it (preamble). The rest seems to be headers from the RUF email sent by OpenDMARC (above) and the attached original (below), having passed through amavisd-new and SpamAssassin.

Essentially, my understanding is that all OpenDMARC does in this case is to read the "Authentication-Results" headers added by a pre-processor such as OpenDKIM, or in this case, amavisd-new, and then optionally emails the RUF report if any of those checks failed. (In addition to its other job of sending out the daily DMARC alignment reports).

Again, apologies if this is obvious, but having recently set up another mail server (with OpenDMARC), it's familiar to me, and it felt like the RUF example above may have been buried in amongst all of those headers.
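
The report structure described in the comment above, read with Python's standard `email` package (an added example, not code from this thread or from dmarc-srg). The sample message is constructed, and `OWN_DOMAINS` and `parse_ruf` are hypothetical names; because anyone can send mail to a ruf= address, the parser accepts only auth-failure reports about the receiver's own domains.

```python
import email
import ipaddress
from email.parser import HeaderParser
OWN_DOMAINS = {"example.org"}  # assumption: domains whose ruf= tag points at this mailbox

# Constructed sample with the same three-part layout as the report quoted above.
SAMPLE = """\
From: OpenDMARC Filter <opendmarc@reporter.example>
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an authentication failure report.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Source-IP: 192.0.2.10 (lists.example.net)
Reported-Domain: example.org

--b1
Content-Type: text/rfc822-headers

List-Id: <list.example.net>
--b1--
"""

def parse_ruf(raw):
    """Return the report fields as a dict, or None if the message is not a usable report."""
    msg = email.message_from_string(raw)
    if not (msg.is_multipart() and msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "feedback-report"):
        return None
    fields, original = {}, None
    for part in msg.get_payload():
        if part.get_content_type() == "message/feedback-report" and part.is_multipart():
            # The stdlib parses a message/* body as a nested message; its headers are the fields.
            fields = {k.lower(): v.strip() for k, v in part.get_payload(0).items()}
        elif part.get_content_type() == "text/rfc822-headers":
            original = HeaderParser().parsestr(part.get_payload())
    try:  # the Source-IP value carries "(hostname)" after the address; keep the first token
        ip = ipaddress.ip_address((fields.get("source-ip") or "?").split()[0])
    except ValueError:
        return None
    # Report content is sender-controlled, so check the type and the reported domain.
    if fields.get("feedback-type") != "auth-failure" or fields.get("reported-domain") not in OWN_DOMAINS:
        return None
    return {"domain": fields["reported-domain"], "source_ip": str(ip),
            "list_id": original.get("List-Id") if original else None}
```
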

liuch commented 8 months ago

I don't plan on implementing this in the near future. Sorry.