trusteddomainproject / OpenDMARC

This is the Trusted Domain Project's implementation of the DMARC protocol library and mail filter, called OpenDMARC. A "milter" connects to Unix-based mailers (originally sendmail, but now many) and provides a standard filtering API.

OpenDMARC rejects a supposedly valid message #265

Closed mariuszpgit closed 1 month ago

mariuszpgit commented 2 months ago

Hi, this project is great and protects many users, so I hope it will be developed.

I think DMARC should be valid: SPF and DKIM are valid, header From = help.dell.com. On Gmail, and when checked with https://toolbox.googleapps.com/apps/messageheader/, the message is valid.

OS: alpine 3.20.2

Some of the opendmarc settings used:

SPFIgnoreResults true
SPFSelfValidate true
PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
RequiredHeaders true
RejectFailures true

Mail logs:

# Connection
connect from smtp07-ia5-sp4.mta.salesforce.com[13.110.78.182]
Anonymous TLS connection established from smtp07-ia5-sp4.mta.salesforce.com[13.110.78.182]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256
# policy-spf
postfix/policy-spf[1567245]: Policy action=PREPEND Received-SPF: pass (ndrj0iqr9snzm0cw.23eegq9sxv4i44z1.3qk5q.0b-gampeak.na165.bnc.salesforce.com: Sender is authorized to use 'technical_support=help.dell.com__24g8dwmm5ov9gq61@ndrj0iqr9snzm0cw.23eegq9sxv4i44z1.3qk5q.0b-gampeak.na165.bnc.salesforce.com' in 'mfrom' identity (mechanism 'include:_spf.salesforce.com' matched)) receiver=mailgw.domain.com; identity=mailfrom; envelope-from="technical_support=help.dell.com__24g8dwmm5ov9gq61@ndrj0iqr9snzm0cw.23eegq9sxv4i44z1.3qk5q.0b-gampeak.na165.bnc.salesforce.com"; helo=smtp07-ia5-sp4.mta.salesforce.com; client-ip=13.110.78.182

Mail proceed

# opendkim
opendkim[548848]: 4WtvtH3HzDz1mM: failed to parse Authentication-Results: header field
opendkim[548848]: 4WtvtH3HzDz1mM: DKIM verification successful
# opendmarc
opendmarc[65243]: 4WtvtH3HzDz1mM ignoring Authentication-Results at 1 from mailgw.domain.com
opendmarc[65243]: 4WtvtH3HzDz1mM: SPF(mailfrom): ndrj0iqr9snzm0cw.23eegq9sxv4i44z1.3qk5q.0b-gampeak.na165.bnc.salesforce.com pass
4WtvtH3HzDz1mM: help.dell.com fail
# reject
opendmarc[65243]: 4WtvtH3HzDz1mM: milter-reject: END-OF-MESSAGE from smtp07-ia5-sp4.mta.salesforce.com[13.110.78.182]: 5.7.1 rejected by DMARC policy for help.dell.com; from=<technical_support=help.dell.com__24g8dwmm5ov9gq61@ndrj0iqr9snzm0cw.23eegq9sxv4i44z1.3qk5q.0b-gampeak.na165.bnc.salesforce.com> to=<user@domain.com> proto=ESMTP helo=<smtp07-ia5-sp4.mta.salesforce.com>

DNS records:

# help.dell.com TXT record
help.dell.com.          600     IN      TXT     "v=spf1 include:_spf.salesforce.com ~all"
_dmarc.help.dell.com.   600     IN      TXT     "v=DMARC1; p=reject; fo=1; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com"
# _spf.salesforce.com TXT record
_spf.salesforce.com.    3600    IN      TXT     "v=spf1 exists:%{i}._spf.mta.salesforce.com -all"
_dmarc.mta.salesforce.com. 298  IN      CNAME   _dmarc.report.salesforce.com.
_dmarc.report.salesforce.com. 3600 IN   TXT     "v=DMARC1;p=none;fo=1;ruf=mailto:d@ruf.agari.com;rua=mailto:d@rua.agari.com"
# checking ip address ( %{i}._spf.mta.salesforce.com ) exist
13.110.78.182._spf.mta.salesforce.com. 85539 IN A 127.0.0.9

opendmarc.dat

  job 4WtvtH3HzDz1mM
  reporter mailgw.domain.com
  received 1724827223
  ipaddr 13.110.78.182
  from help.dell.com
  mfrom ndrj0iqr9snzm0cw.23eegq9sxv4i44z1.3qk5q.0b-gampeak.na165.bnc.salesforce.com
  spf 0 # (0 = pass, 2 = fail, 6 = none, -1 = not evaluated)
  pdomain help.dell.com
  policy 16 # 16 = reject
  rua mailto:dmarc_rua@emaildefense.proofpoint.com
  pct 100
  adkim 114 # 114 = relaxed
  aspf 114 # 114 = relaxed
  p 114
  sp 0
  align_dkim 5 # (4 = yes, 5 = no)
  align_spf 5 # (4 = yes, 5 = no)
  arc 7 # always 7?
  arc_policy 2 json:[]
  action 0

Mail headers from a personal Gmail account where the message passed; I have hidden the recipient

Delivered-To: test@gmail.com
Received: by 2002:a17:906:5619:b0:a77:e0ec:c51e with SMTP id f25csp1308300ejq;
        Wed, 28 Aug 2024 23:09:19 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFeHAFlORXFyHzx2cKGXga8SCUeCuFY6n+GaMv56WpQAGDyJtJMTZtUEqkhnNHNAqTD1oxc
X-Received: by 2002:a05:6214:3d99:b0:6b5:2f57:1a63 with SMTP id 6a1803df08f44-6c341e40333mr7250936d6.21.1724911758801;
        Wed, 28 Aug 2024 23:09:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1724911758; cv=none;
        d=google.com; s=arc-20160816;
        b=RbBtoFdM/4SowjxATEmzm43znecnRvDE3TSg945AdVjGluKEjiTgM+2QEIUPg+MKWi
         hSGJTV35TMcVEy/Ld3UimzBm4BKBmqFZfMXVzjswydTKENnShJzJr/Fowi11gWJWFvjW
         ssu2RNuIoEX+fBYMniIpkAHhwhx84D9TKZslNbctI696NecwVWrt9+nM1hUG3Jmf3jhq
         LIJOFicEdwCBpVC0M7R31hEFU4huVgAz1RGO5KdzkXJLMd9cbHMUvcuxk0Y64D4fY7do
         coPAwQlk+U3ppv3IhS8iJ+/JPXci+bxyp6fmj52IFczH73sHQq7SKc6zCrBvQ8rH7+D0
         O05A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:subject:references:in-reply-to:message-id:to:from:date
         :dkim-signature;
        bh=CfF1ouKL9vQLnYODFJso54jjGR+6d5lWEuVJkidvVPI=;
        fh=UfM7XCb5Xaq9jgKDtrYG4I402TcXavbbouY7nENkIy4=;
        b=J0Qj+24v4RoPPLBQCWuwNN7gwDLWnk7t3kBfsI+8LugCL6jS1LqmqoBDJuglCamom9
         DoB2Sw9qw0FITTVW6oqOEpLqr6YQnZeiG6t0B5/JDFHwcbbFQTFjOoaDEeNTnnbrhCb7
         22AhRVF7gayqQSm9kylcKYOLMWDCWppmnE/yqcYvNrKFi+M3PscxiI8uTS3wti/G6+d6
         2taZRSntu1jQT6Z/biSy7GUvmHY41yUzibmj0s2sORPwgA+qf9gsRF35bSRga+VnlnYh
         XZSqnjXXmJBKtsl/s0gsBPVLetKHMP9xWxBNKm+HBRdRANYkyKo0EJxhvjyOGBMU60Vn
         hKmg==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@help.dell.com header.s=help-prod-a header.b=NrbUkJ8i;
       spf=pass (google.com: domain of technical_support=help.dell.com__2z4zbc6y4nlabdpo@qjl9d8c7as1s335z.xl26z7pxgz0qe850.9cdw2.0b-gampeak.na165.bnc.salesforce.com designates 13.110.78.190 as permitted sender) smtp.mailfrom="technical_support=help.dell.com__2z4zbc6y4nlabdpo@qjl9d8c7as1s335z.xl26z7pxgz0qe850.9cdw2.0b-gampeak.na165.bnc.salesforce.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=help.dell.com
Return-Path: <technical_support=help.dell.com__2z4zbc6y4nlabdpo@qjl9d8c7as1s335z.xl26z7pxgz0qe850.9cdw2.0b-gampeak.na165.bnc.salesforce.com>
Received: from smtp15-ia5-sp4.mta.salesforce.com (smtp15-ia5-sp4.mta.salesforce.com. [13.110.78.190])
        by mx.google.com with ESMTPS id 6a1803df08f44-6c340ca4b13si7058656d6.330.2024.08.28.23.09.18
        for <test@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 28 Aug 2024 23:09:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of technical_support=help.dell.com__2z4zbc6y4nlabdpo@qjl9d8c7as1s335z.xl26z7pxgz0qe850.9cdw2.0b-gampeak.na165.bnc.salesforce.com designates 13.110.78.190 as permitted sender) client-ip=13.110.78.190;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@help.dell.com header.s=help-prod-a header.b=NrbUkJ8i;
       spf=pass (google.com: domain of technical_support=help.dell.com__2z4zbc6y4nlabdpo@qjl9d8c7as1s335z.xl26z7pxgz0qe850.9cdw2.0b-gampeak.na165.bnc.salesforce.com designates 13.110.78.190 as permitted sender) smtp.mailfrom="technical_support=help.dell.com__2z4zbc6y4nlabdpo@qjl9d8c7as1s335z.xl26z7pxgz0qe850.9cdw2.0b-gampeak.na165.bnc.salesforce.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=help.dell.com
Return-Path: <technical_support=help.dell.com__2z4zbc6y4nlabdpo@qjl9d8c7as1s335z.xl26z7pxgz0qe850.9cdw2.0b-gampeak.na165.bnc.salesforce.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=help.dell.com;
    s=help-prod-a; t=1724911758;
    bh=CfF1ouKL9vQLnYODFJso54jjGR+6d5lWEuVJkidvVPI=;
    h=Date:From:To:Subject:MIME-Version:Content-Type;
    b=NrbUkJ8ivY378XqJBYIZlTHK/BBCR7BMCVNEGvcpQ6Jc27aXcYLxGeDwevMh8i7mg
     zad/EZDENZMbGFOKvT9QHuhK0YtuNMqHqwS0bDC2KXf9iwa4OyLHX+1PvEeEeDgKEb
     F1StYZo7/yK/atXCqPjM+lrvXTfaGypKpMYOSkvU=
Authentication-Results:  mx3-ia5-sp4.mta.salesforce.com x-tls.subject="/C=US/ST=California/L=San Francisco/O=salesforce.com, inc./OU=0:app;1:ia5;2:ia5-sp4;3:na165;4:prod/CN=na165-app2-9-ia5.ops.sfdc.net"; auth=pass (cipher=ECDHE-RSA-AES256-GCM-SHA384)
Received: from [10.183.203.167] ([10.183.203.167:40054] helo=na165-app2-9-ia5.ops.sfdc.net)
    by mx3-ia5-sp4.mta.salesforce.com (envelope-from <technical_support=help.dell.com__2z4zbc6y4nlabdpo@qjl9d8c7as1s335z.xl26z7pxgz0qe850.9cdw2.0b-gampeak.na165.bnc.salesforce.com>)
    (ecelerity 4.7.0.20111 r(msys-ecelerity:tags/4.7.0-ga^0)) with ESMTPS (cipher=ECDHE-RSA-AES256-GCM-SHA384
    subject="/C=US/ST=California/L=San Francisco/O=salesforce.com, inc./OU=0:app;1:ia5;2:ia5-sp4;3:na165;4:prod/CN=na165-app2-9-ia5.ops.sfdc.net") 
    id 5C/DB-05911-E8010D66; Thu, 29 Aug 2024 06:09:18 +0000
Date: Thu, 29 Aug 2024 06:09:18 +0000 (GMT)
From: Dell Tech Support <technical_support@help.dell.com>
To: "test@gmail.com" <test@gmail.com>
Message-ID: <wnbtV000000000000000000000000000000000000000000000SIYUFG00cKRXJivwTB65DquEwtdwoA@sfdc.net>
In-Reply-To: <XZNRB000000000000000000000000000000000000000000000SIXCKN005HFLS0bBR32HAyMwYWuq-Q@sfdc.net>
References: <KiuCy000000000000000000000000000000000000000000000SIXBUL00bHJY4Rn4RLGSetNJtfdJsg@sfdc.net>
 <XZNRB000000000000000000000000000000000000000000000SIXCKN005HFLS0bBR32HAyMwYWuq-Q@sfdc.net>
Subject: Dell [ thread::45aCik-_KXcoTSuH6j0:: ]
MIME-Version: 1.0
Content-Type: multipart/alternative; 
    boundary="----=_Part_4221_140678527.1724911758418"
X-SFDC-LK: 00D0b000000GaMp
X-SFDC-User: 0056P0000011gft
X-Sender: postmaster@salesforce.com
X-mail_abuse_inquiries: http://www.salesforce.com/company/abuse.jsp
X-SFDC-TLS-NoRelay: 1
X-SFDC-Binding: 1WrIRBV94myi25uB
X-SFDC-EmailCategory: quickActionEmail
X-SFDC-EntityId: 5006P00000Kxc0i
X-SFDC-Interface: internal

Test of opendmarc with the whole source of the message delivered to Gmail

opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 4: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 5: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 7: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 15: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 27: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 31: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 32: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 37: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 38: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 42: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 43: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 50: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 51: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 56: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 57: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 58: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 59: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 60: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 61: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 63: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 64: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 65: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 67: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 68: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 69: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 70: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 71: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 72: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 73: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 74: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/test_email.eml: line 75: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; dmarc=fail (p=reject dis=none) header.from=help.dell.com'
opendmarc: /root/test_email.eml: mlfi_eom() returned SMFIS_CONTINUE
opendmarc: mlfi_close() returned SMFIS_CONTINUE

and opendkim

opendkim: using default configfile /etc/opendkim/opendkim.conf
opendkim: mlfi_connect() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: mlfi_envfrom() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: mlfi_envrcpt() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 1: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 2: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 4: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 5: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 7: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 15: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 27: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 31: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 32: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 37: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 38: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 42: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 43: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 50: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 51: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 56: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 57: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 58: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 59: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 60: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 61: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 63: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 64: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 65: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 67: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 68: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 69: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 70: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 71: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 72: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 73: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 74: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: line 75: mlfi_header() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: mlfi_eoh() returned SMFIS_CONTINUE
opendkim: /root/test_email.eml: mlfi_body() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j;
        dkim=pass (1024-bit key; unprotected) header.d=help.dell.com header.i=@help.dell.com header.a=rsa-sha256 header.s=help-prod-a header.b=NrbUkJ8i'
opendkim: /root/test_email.eml: mlfi_eom() returned SMFIS_ACCEPT
opendkim: /root/test_email.eml: verification (s=help-prod-a, d=help.dell.com, 1024-bit key) succeeded
opendkim: mlfi_close() returned SMFIS_CONTINUE

futatuki commented 2 months ago

Your opendmarc.dat says that the RFC5322.From domain is not aligned with the Authentication Identifier (smtp.envfrom for SPF, signing domain for DKIM) (RFC 7489, 3.1 Alignment), so neither the SPF result nor the DKIM result was taken for the DMARC check.

mariuszpgit commented 1 month ago

Yes, the OpenDMARC results in opendmarc.dat for SPF and DKIM are not aligned.

In the headers are:

Mail from domain: "help.dell.com"
Mail from field: "Dell Tech Support <technical_support@help.dell.com>"
DKIM domain-level identifier d=: "help.dell.com"

They all match, so should be in alignment as described in RFC 7489?

futatuki commented 1 month ago

> In the headers are:
>
> Mail from domain: "help.dell.com"
> Mail from field: "Dell Tech Support <technical_support@help.dell.com>"
> DKIM domain-level identifier d=: "help.dell.com"
>
> They all match, so should be in alignment as described in RFC 7489?

Yes, so if these are also from the rejected message, OpenDMARC missed the DKIM results.

And then, looking at your opendmarc.dat again, there is no line starting with "dkim ". Also, I overlooked the line below in your "Mail proceed" log:

...
# opendmarc
opendmarc[65243]: 4WtvtH3HzDz1mM ignoring Authentication-Results at 1 from mailgw.domain.com
...

So I guess the ignored line above was the Authentication-Results: header inserted by the opendkim milter (or the result of the opendkim milter was not passed to the opendmarc milter).

mariuszpgit commented 1 month ago

@futatuki thank you, my mistake was in the AuthservID setting.

Interestingly, if I add in OpenDKIM

AuthservIDWithJobId yes

the Authentication-Results header is

Authentication-Results: mailgw.domain.com/4WxSjJ71XGz2T5;

and it is also ignored in the mail logs:

opendmarc: 4WxSjJ71XGz2T5: ignoring Authentication-Results at 1 from mailgw.domain.com/4WxSjJ71XGz2T5

Case closed.
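
The failure diagnosed in this thread, as an added example that is not part of the original posts or of OpenDMARC's code: a simplified Python model in which an Authentication-Results header from an untrusted authserv-id is dropped before relaxed DMARC alignment is evaluated. Assumptions: exact-string authserv-id matching, a two-label stand-in for the Public Suffix List, a hypothetical mismatched trusted id `mx.example.net`, and sample headers constructed from values quoted above.

```python
import re

def parse_authres(value):
    """Return (authserv-id, [(method, result, props)]) for one header value."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop (comments), which may hold ';'
    head, *stmts = [part.strip() for part in value.split(";")]
    authserv_id = head.split()[0] if head else ""
    results = []
    for stmt in filter(None, stmts):
        m = re.match(r"(\w+)=(\w+)", stmt)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", stmt[m.end():]))
            results.append((m.group(1), m.group(2), props))
    return authserv_id, results

def org_domain(domain):
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_eval(from_domain, spf_result, mfrom_domain, authres_headers, trusted_ids):
    """Relaxed-alignment DMARC verdict; untrusted A-R headers are ignored."""
    ignored, dkim_aligned = [], False
    for header in authres_headers:
        authserv_id, results = parse_authres(header)
        if authserv_id not in trusted_ids:            # assumption: exact string match
            ignored.append(authserv_id)
            continue
        for method, result, props in results:
            signer = props.get("header.d", "")
            if method == "dkim" and result == "pass" and \
                    org_domain(signer) == org_domain(from_domain):
                dkim_aligned = True
    spf_aligned = (spf_result == "pass"
                   and org_domain(mfrom_domain) == org_domain(from_domain))
    verdict = "pass" if spf_aligned or dkim_aligned else "fail"
    return {"dmarc": verdict, "align_spf": spf_aligned,
            "align_dkim": dkim_aligned, "ignored": ignored}

# Constructed sample input, assembled from values quoted in the thread.
FROM = "help.dell.com"
MFROM = "ndrj0iqr9snzm0cw.23eegq9sxv4i44z1.3qk5q.0b-gampeak.na165.bnc.salesforce.com"
DKIM_RES = ("dkim=pass (1024-bit key; unprotected) header.d=help.dell.com "
            "header.i=@help.dell.com header.a=rsa-sha256 header.s=help-prod-a")
AR_PLAIN = "mailgw.domain.com; " + DKIM_RES
AR_JOBID = "mailgw.domain.com/4WxSjJ71XGz2T5; " + DKIM_RES

def run_cases():
    return {
        # "mx.example.net" is a hypothetical, mismatched trusted authserv-id.
        "mismatch": dmarc_eval(FROM, "pass", MFROM, [AR_PLAIN], {"mx.example.net"}),
        "matched": dmarc_eval(FROM, "pass", MFROM, [AR_PLAIN], {"mailgw.domain.com"}),
        "jobid": dmarc_eval(FROM, "pass", MFROM, [AR_JOBID], {"mailgw.domain.com"}),
    }

if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(name, outcome)
```

In this model SPF passes but never aligns, because the envelope sender is under salesforce.com, so the verdict depends entirely on whether the DKIM result's authserv-id is trusted.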