mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License
3.38k stars 90 forks

Can only send from default/primary domain. DMARC always fails for others. #22

Closed naturalethic closed 1 year ago

naturalethic commented 1 year ago

Additionally, I have received no DMARC reports, are the default mailto: addresses set up internally? Do I have to add them as aliases, or change them in the DNS record?

I noticed the DKIM headers on signed emails reference my default domain, not the domain I sent from, is that possibly the issue?

mjl- commented 1 year ago

The quickstart configures an email address "dmarc-reports@" that accepts DMARC reports. This is the relevant snippet from domains.conf that achieves that:

Domains:
        ueber.net:
                DMARC:
                        Localpart: dmarc-reports
                        Account: mjl
                        Mailbox: DMARC

This causes emails sent to dmarc-reports@ueber.net to be delivered to mailbox DMARC in account mjl. The admin pages show a list of all email addresses that are configured, including the DMARC and TLSRPT addresses.

Other mail servers know they can send reports because of this DNS entry:

$ host -t txt _dmarc.ueber.net
_dmarc.ueber.net descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc-reports@ueber.net!10m"

But not all mail servers will actually send such reports. Mox doesn't send them yet either (it's on the todo list!). I've gotten dmarc reports from google (gmail), fastmail, outlook.com in the past month. Sending an email to any gmail address should result in an incoming DMARC report within 24 hours.

The DKIM header referencing a different domain than what you sent from does not sound good. I've tried a few configuration variants with a default domain and different email addresses, but couldn't reproduce this. Would be good to see some example headers. If you want to, you could forward a message with the wrong headers to me at mechiel@ueber.net and I'll have a look.

If DMARC always fails for domains other than the first, could it be that those other domains don't have DKIM and SPF DNS records? If you added them through the admin web interface, I checked just now and saw you aren't actually shown the DNS records you have to add for those domains, so they are easier to miss. They are similar to the records added for the first domain. It would explain why DMARC would fail. Because DMARC needs only one of SPF and DKIM to pass for a DMARC pass. So if only DKIM weren't working, you should still have seen a DMARC pass due to SPF.

mjl- commented 1 year ago

Your email put me on the right track. The domain in the "smtp mail from" address was used instead of the domain in the "message from" header. DMARC verifiers require the domain in the DKIM signature to be "aligned" with the "message from" header, so it wasn't passing. I tried reproducing this with Thunderbird, but when you set a "custom from" address for a message, it sets it both for the "message from" header and the "smtp mail from", which is why it appeared to work for me. A new test now checks for this.

Could you give this a try? I hope to have a release in less than a week as well if you want to wait for that.
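The two points made in the maintainer's comments above, that DMARC passes when either SPF or DKIM passes with an identifier aligned to the From: header domain, and that a DKIM d= taken from the SMTP MAIL FROM domain instead of the From: header domain is not aligned and so fails, as an added Go example written for this page. It is not code from mox. The domains example.org (primary) and example.net (secondary), the message fields and the DMARC record are constructed; the organizational-domain helper keeps the last two DNS labels as a stand-in for the Public Suffix List lookup a real verifier performs, which is an assumption made to keep the example self-contained.

```go
package main

import (
	"fmt"
	"strings"
)

// DMARCRecord holds the tags of a _dmarc TXT record that matter here.
type DMARCRecord struct {
	Policy string   // p=
	ADKIM  string   // adkim=: "r" relaxed (default) or "s" strict
	ASPF   string   // aspf=: same values
	RUA    []string // rua= aggregate report destinations
}

// ParseDMARC parses e.g. "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net!10m".
func ParseDMARC(txt string) (DMARCRecord, error) {
	rec := DMARCRecord{ADKIM: "r", ASPF: "r"}
	parts := strings.Split(txt, ";")
	if strings.TrimSpace(parts[0]) != "v=DMARC1" {
		return rec, fmt.Errorf("not a DMARC record: %q", txt)
	}
	for _, p := range parts[1:] {
		if p = strings.TrimSpace(p); p == "" {
			continue
		}
		k, v, _ := strings.Cut(p, "=") // a tag without "=" yields an empty value and is ignored
		k, v = strings.ToLower(strings.TrimSpace(k)), strings.TrimSpace(v)
		switch k {
		case "p":
			rec.Policy = v
		case "adkim":
			rec.ADKIM = strings.ToLower(v)
		case "aspf":
			rec.ASPF = strings.ToLower(v)
		case "rua":
			rec.RUA = strings.Split(v, ",")
		}
	}
	if rec.Policy == "" {
		return rec, fmt.Errorf("missing required p= tag")
	}
	return rec, nil
}

// OrganizationalDomain keeps the last two labels (assumption for this example; a
// real verifier uses the Public Suffix List, so this is wrong for co.uk-style suffixes).
func OrganizationalDomain(domain string) string {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(domain), "."), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Aligned reports whether an authenticated domain (DKIM d= or the SPF-checked
// MAIL FROM domain) aligns with the RFC5322.From domain in mode "r" or "s".
func Aligned(fromDomain, authDomain, mode string) bool {
	from := strings.ToLower(strings.TrimSuffix(fromDomain, "."))
	auth := strings.ToLower(strings.TrimSuffix(authDomain, "."))
	if mode == "s" {
		return from == auth
	}
	return OrganizationalDomain(from) == OrganizationalDomain(auth)
}

// Message carries the identifiers DMARC compares plus the raw SPF/DKIM outcomes.
type Message struct {
	HeaderFrom string // domain of the RFC5322 From: header
	MailFrom   string // domain of the SMTP MAIL FROM (RFC5321)
	DKIMDomain string // d= of a DKIM signature that verified, "" if none did
	SPFPass    bool   // SPF evaluated MailFrom and returned pass
}

// EvaluateDMARC passes when at least one identifier both passed and is aligned;
// a passing but unaligned identifier (the bug in this issue) counts for nothing.
func EvaluateDMARC(rec DMARCRecord, m Message) (bool, string) {
	dkimOK := m.DKIMDomain != "" && Aligned(m.HeaderFrom, m.DKIMDomain, rec.ADKIM)
	spfOK := m.SPFPass && Aligned(m.HeaderFrom, m.MailFrom, rec.ASPF)
	if dkimOK || spfOK {
		return true, fmt.Sprintf("pass: dkim aligned=%t, spf aligned=%t", dkimOK, spfOK)
	}
	return false, fmt.Sprintf("fail: nothing aligned with From %s (dkim d=%q, mail from %s); p=%s applies",
		m.HeaderFrom, m.DKIMDomain, m.MailFrom, rec.Policy)
}

func main() {
	// Constructed record for the secondary domain example.net (no real DNS lookup).
	rec, err := ParseDMARC("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net!10m")
	if err != nil {
		panic(err)
	}
	// The bug: From: is example.net, but DKIM d= followed MAIL FROM (primary domain example.org).
	buggy := Message{HeaderFrom: "example.net", MailFrom: "example.org", DKIMDomain: "example.org", SPFPass: true}
	fixed := buggy
	fixed.DKIMDomain = "example.net" // sign with the From: header domain instead
	for _, m := range []Message{buggy, fixed} {
		_, why := EvaluateDMARC(rec, m)
		fmt.Println(why)
	}
}
```

Running it prints a fail line for the buggy message (SPF passed on example.org, DKIM verified for example.org, but the From: header says example.net, so neither identifier is aligned and p=reject applies) and a pass line once the signature uses the From: header domain. The same check with MailFrom set to example.net and no DKIM signature also passes, which is the "only one of SPF and DKIM" point.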

naturalethic commented 1 year ago

Confirmed this is fixed. Thanks!