Open 2xsaiko opened 3 years ago
Fixes a lot of failures for very non-compliant mail.
lmtp_line_length_limit = 32000
smtp_line_length_limit = 32000
I routinely see 4K line lengths and sometimes longer.
May 4 14:02:42 mx1 scanner[80639]: (1620151362-80639-23) LINE_LENGTH: 23732 @.
May 4 14:19:39 mx1 sqanner[551]: (1620152379-551-16) LINE_LENGTH: 32000 @.
May 4 14:19:39 mx1 scanner[551]: (1620152379-551-16) LINE_LENGTH: 30428 @.
May 4 14:19:39 mx1 scanner[551]: (1620152379-551-16) LINE_LENGTH: 32000 @.
May 4 14:19:39 mx1 scanner[551]: (1620152379-551-16) LINE_LENGTH: 30930 @.***
John Capo Tuffmail.com
On 2021-05-04 13:29, 2xsaiko wrote:
I've been getting "authentication failure report" mails which I'm assuming are from OpenDMARC whenever I get mail from a couple domains, twitch.tv being one of them. Here's a snippet from the log:
May 3 19:01:06 polaris postfix/smtpd[24008]: connect from a26-33.smtp-out.us-west-2.amazonses.com[54.240.26.33]
May 3 19:01:08 polaris postfix/trivial-rewrite[24014]: warning: do not list domain dblsaiko.net in BOTH mydestination and virtual_alias_domains
May 3 19:01:08 polaris postfix/smtpd[24008]: 55ECC7F496: client=a26-33.smtp-out.us-west-2.amazonses.com[54.240.26.33]
May 3 19:01:08 polaris postfix/cleanup[24016]: 55ECC7F496: @.>
May 3 19:01:08 polaris opendkim[12366]: 55ECC7F496: message has signatures from twitch.tv, amazonses.com
May 3 19:01:08 polaris opendmarc[1164]: implicit authentication service: polaris.dblsaiko.net
May 3 19:01:08 polaris opendmarc[1164]: 55ECC7F496: SPF(mailfrom): @. pass
May 3 19:01:08 polaris opendmarc[1164]: 55ECC7F496: twitch.tv fail
May 3 19:01:08 polaris postfix/qmgr[23708]: 55ECC7F496: @.***>, size=32286, nrcpt=1 (queue active)
May 3 19:01:08 polaris postfix/pickup[23559]: EC58D7F7C3: uid=999 from=
May 3 19:01:08 polaris postfix/trivial-rewrite[24014]: warning: do not list domain dblsaiko.net in BOTH mydestination and virtual_alias_domains
May 3 19:01:08 polaris opendmarc[1164]: ignoring connection from localhost

And here's the relevant snippet from the headers of the received mail:
DMARC-Filter: OpenDMARC Filter v1.3.2 polaris.dblsaiko.net 55ECC7F496
Authentication-Results: polaris.dblsaiko.net; dmarc=fail (p=reject dis=none) header.from=twitch.tv
Authentication-Results: polaris.dblsaiko.net; spf=pass @.
Authentication-Results: polaris.dblsaiko.net; dkim=permerror (0-bit key) header.d=twitch.tv @. header.b=YEQRyIsG; dkim=permerror (0-bit key) header.d=amazonses.com @.*** header.b=Y5dp/Uay; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=dh6r6vaod6penm5x6ufsnymrqcq2rt3a; d=twitch.tv; t=1620068803;
 h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date; bh=0jqSmDrLyRf63r3gkyhYUTzryqDLuDiMt5HB0Vwm0Yo=; b=YEQRyIsGlqiXP3iLxEETZdiFrK4q6P+MZZcYZX7VXzLeLwDeaoSgWYU77YS/opBA
 lKhlCliW9JL2aIeYdp8aI0Bpk0eSTvgjhgD3VUjwLwZCznRLRr2bhpqpAO/K9Sx/3bH WN16fKoKFsVYO34SbMJzCPODMdm6JlmgAVWkgU/U=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=7v7vs6w47njt4pimodk5mmttbegzsi6n; d=amazonses.com; t=1620068803;
 h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date:Feedback-ID; bh=0jqSmDrLyRf63r3gkyhYUTzryqDLuDiMt5HB0Vwm0Yo=; b=Y5dp/Uay0hVHAZC7FPXww0MAK281VD+bvPIWbwJ7uqTSSdjzdjDvt4ZpQ/brWQvW
 sofSG6yNXk1I9RZB5DXDWTarzUkDU67KilflPs/YaEJB9jx6BkndU5w/V+O8bkpCGGA Rbn52P87xAo7q4Abk8YKBQ1H92g6igPckyMFg+D4=
I have no idea if this is a problem with the configuration of my mailserver, the configuration of twitch.tv (and also others like steampowered.com) mailservers (which I kinda doubt) or a bug in OpenDMARC (or in some other component).
Fixes a lot of failures for very non-compliant mail.
lmtp_line_length_limit = 32000
smtp_line_length_limit = 32000
I'll try those and see if it improves it, thanks!
smtp_line_length_limit is for outbound postfix configuration... http://www.postfix.org/postconf.5.html#smtp_line_length_limit
On Tue, May 4, 2021 19:50, Swallowtail23 wrote:
smtp_line_length_limit is for outbound postfix configuration... http://www.postfix.org/postconf.5.html#smtp_line_length_limit
We use SMTP and LMTP to deliver further down the chain.
Maybe it's the LMTP setting that fixes the long line issues here. It's been years since that config was added.
There is no smtpd_line_length_limit option.
John
I guess I should have checked what they actually do first, huh? Thanks.
I don't think this problem is related to mail content line lengths, it's a DMARC verification issue, which doesn't have anything to do with that, does it?
On 2021-05-05 05:41, 2xsaiko wrote:
I guess I should have checked what they actually do first, huh?
Sorry for the noise. My issue was that forwarding broke DKIM due to Postfix on the forwarding servers "fixing" long lines. Allowing long lines on all Postfix instances solved that problem.
Note to self, don't post when the sun is below the yard arm.
John
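
Why re-wrapped long lines invalidate a DKIM signature on forwarding, as an added example that is not part of the thread and is not Postfix or OpenDKIM code: it recomputes the `bh=` body hash under both RFC 6376 body canonicalizations before and after a relay breaks an over-long line. The `CRLF + SPACE` splitting rule follows the postconf documentation linked in the thread and is modelled in simplified form; the sample body and function names are constructed for illustration.

```python
import base64
import hashlib
import re

def break_long_lines(body: bytes, limit: int) -> bytes:
    """Simplified model of a relay enforcing a line length limit: over-long
    lines are broken by inserting CRLF + SPACE (assumed splitting rule)."""
    out = []
    for line in body.split(b"\r\n"):
        while len(line) > limit:
            out.append(line[:limit])
            line = b" " + line[limit:]
        out.append(line)
    return b"\r\n".join(out)

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 section 3.4.3: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: collapse whitespace runs, strip trailing
    whitespace per line, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def body_hash(body: bytes, canon) -> str:
    """Value a verifier compares against the bh= tag (a=rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def survives_relay(body: bytes, limit: int) -> dict:
    """For each body canonicalization, does bh= still match after the relay?"""
    relayed = break_long_lines(body, limit)
    return {name: body_hash(body, canon) == body_hash(relayed, canon)
            for name, canon in (("simple", canon_simple), ("relaxed", canon_relaxed))}

# Constructed sample: a body whose single line is 1526 bytes long.
SAMPLE_BODY = b"<html><body>" + b"x" * 1500 + b"</body></html>\r\n"

if __name__ == "__main__":
    print(survives_relay(SAMPLE_BODY, 998))    # limit below the line length
    print(survives_relay(SAMPLE_BODY, 32000))  # limit from the thread
```

With a limit of 998 the hash changes under both canonicalizations, because neither one removes an inserted line break; with 32000 the line passes through untouched and the hash still matches.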
My issue was that forwarding broke DKIM due to Postfix on the forwarding servers "fixing" long lines. Allowing long lines on all Postfix instances solved that problem.
Ah, I see. Yeah, I'm fairly certain that isn't the issue here (also because I just got one of those authentication failures again, while the lmtp_line_length_limit was set to 32000, though I did take out the smtp option)
Hmm, I just found this, which seems to match the problem I have exactly: http://lists.opendkim.org/archive/opendkim/users/2019/03/3820.html
So this might actually be an OpenDKIM issue that's already been fixed in the newer releases (my distro still ships the 2015 release, probably because the newer ones are all beta), I'll try out the newest and see if anything changes.
EDIT: nope, doesn't seem to make a difference, I'll keep an eye on it though
EDIT 2: definitely not OpenDKIM, the same thing happens with it disabled.