
Resolved: DMARC check on internal mail

Peter

New Pleskian
Hey Guys,

Since I enabled the DMARC check for incoming mail I have a little problem.
When I send a mail from [email protected] to itself, the mail somehow fails both the SPF and the DKIM check in DMARC.
When I send the mail to an external server everything works. Any suggestions on how to solve this?
Here is a snip from the log where the mail fails:

Apr 28 10:42:27 h2562520 postfix/qmgr[19261]: 5A3131404020B: from=<[email protected]>, size=2902, nrcpt=1 (queue active)
Apr 28 10:42:27 h2562520 postfix-local[30647]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Apr 28 10:42:27 h2562520 spamassassin[30648]: Starting the spamassassin filter...
Apr 28 10:42:27 h2562520 spamd[17794]: spamd: connection from hihost.de [::1]:50478 to port 783, fd 6
Apr 28 10:42:27 h2562520 spamd[17794]: spamd: using default config for [email protected]: /var/qmail/mailnames/hihost.de/admin/.spamassassin/user_prefs
Apr 28 10:42:27 h2562520 spamd[17794]: spamd: processing message <[email protected]> for [email protected]:30
Apr 28 10:42:28 h2562520 spamd[17794]: spamd: clean message (-1.0/7.0) for [email protected]:30 in 0.4 seconds, 3336 bytes.
Apr 28 10:42:28 h2562520 spamd[17794]: spamd: result: . 0 - ALL_TRUSTED,HTML_MESSAGE,MIME_HTML_MOSTLY,T_DKIM_INVALID scantime=0.4,size=3336,[email protected],uid=30,required_score=7.0,rhost=hihost.de,raddr=::1,rport=50478,mid=<[email protected]>,autolearn=ham autolearn_force=no
Apr 28 10:42:28 h2562520 dmarc[30650]: Starting the dmarc filter...
Apr 28 10:42:28 h2562520 dmarc[30650]: SPF record was not found in Authentication-Results:
Apr 28 10:42:28 h2562520 dmarc[30650]: DKIM record was not found in Authentication-Results:
Apr 28 10:42:28 h2562520 spamd[15654]: prefork: child states: I
Apr 28 10:42:28 h2562520 dmarc[30650]: DMARC: REJECT message for [email protected]
 
Hi Peter,

could you pls. check your "/etc/resolv.conf" for possible misconfigurations?
 
Hi,
Could you show email headers?

Check also the output of commands:
dig @85.214.7.22 hihost.de TXT
dig @81.169.163.106 hihost.de TXT
 
Hi Peter,

just to explain the current behaviour on your server:

Currently, you use nameservers from your hosting provider, which is a sort of standard configuration, because in most cases they install your server with the help of templates.
Pls. consider adjusting/modifying your "resolv.conf" with additional "reliable" nameservers, such as the ones from Google, for example:

Example resolv.conf:
Code:
nameserver 8.8.8.8
nameserver 8.8.4.4

nameserver XXX.XXX.XXX.XXX <= FIRST NAMESERVER from your HOSTING - PROVIDER
nameserver XXX.XXX.XXX.XXX <= SECOND NAMESERVER from your HOSTING - PROVIDER

nameserver XXX.XXX.XXX.XXX <= YOUR OWN IP - if you installed a nameserver on your server

options rotate
options timeout:3
 
It's not easy to find the rejected mail; any suggestions on where to look for it?

This is the header when I send it to an external server:

Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on v29107.1blu.de
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=7.0 tests=HTML_MESSAGE,MIME_HTML_MOSTLY,
RCVD_IN_DNSWL_NONE,RP_MATCHES_RCVD,SPF_PASS,T_DKIM_INVALID autolearn=ham
autolearn_force=no version=3.4.0
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from mail.hihost.de (mail.hihost.de [81.169.134.108])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by www.hochrhein-informatik.de (Postfix) with ESMTPS id 8D750A0
for <[email protected]>; Fri, 28 Apr 2017 11:39:04 +0200 (CEST)
Authentication-Results: v29107.1blu.de;
dkim=pass [email protected];
dmarc=pass (p=REJECT sp=REJECT) d=hihost.de; header.from=hihost.de;
spf=pass (sender IP is 81.169.134.108) [email protected] smtp.helo=mail.hihost.de
Received-SPF: pass (v29107.1blu.de: domain of hihost.de designates 81.169.134.108 as permitted sender) client-ip=81.169.134.108; [email protected]; helo=mail.hihost.de;
Received: from PeterPC (p549F0659.dip0.t-ipconnect.de [84.159.6.89])
by mail.hihost.de (Postfix) with ESMTPSA id 238CC14040765
for <[email protected]>; Fri, 28 Apr 2017 11:39:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hihost.de;
s=default; t=1493372343;
bh=AH+tvPJZbRVGh4ZS8i2eVmsLB6bHAwmB2k22oMASS64=; l=2467;
h=From:To:Subject;
b=aZAdImvgnxUs8w4T9LiZdA0RyOW9z43zG2lSNR6lVmrnF+rko2xYS6GD1c6uc1WNW
lxOT1DC/daumZUV4CVQqHt6eGvkM7t0McQ8AvPyLlPQnsV8f5PFs03lHGQ2MZaz9Pg
wKcOFqxaaqH8bLn7jWDZQf4s6L+Mh+ulrkGZt2TE=
From: "Admin Hihost.de" <[email protected]>
To: <[email protected]>
Subject: TEST
Date: Fri, 28 Apr 2017 11:39:01 +0200
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0033_01D2C014.08EACC10"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdLAA0TCAd0wohA5TjuHzlN00J+EGQ==
Content-Language: de
X-PPP-Message-ID: <[email protected]>
X-PPP-Vhost: hihost.de



Here is the dig output:

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @85.214.7.22 hihost.de TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hihost.de. IN TXT

;; ANSWER SECTION:
hihost.de. 86400 IN TXT "v=spf1 +a +mx -all +a:hihost.de"

;; Query time: 3 msec
;; SERVER: 85.214.7.22#53(85.214.7.22)
;; WHEN: Fri Apr 28 11:29:22 CEST 2017
;; MSG SIZE rcvd: 71


; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @81.169.163.106 hihost.de TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54459
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hihost.de. IN TXT

;; ANSWER SECTION:
hihost.de. 86400 IN TXT "v=spf1 +a +mx -all +a:hihost.de"

;; Query time: 36 msec
;; SERVER: 81.169.163.106#53(81.169.163.106)
;; WHEN: Fri Apr 28 11:30:11 CEST 2017
;; MSG SIZE rcvd: 71
 
Hi Peter,

v=spf1 +a +mx -all +a:hihost.de
Pls. note as well that "-all" is not only very strict (I recommend "~all", because if for any reason your entries don't match, they still won't be rejected!), it is also the END of the entry.

Pls. correct the entry to:
Code:
v=spf1 +a +a:YOUR-CURRENT-HOSTNAME +mx ~all
"YOUR-CURRENT-HOSTNAME" should match the entries at "/etc/hostname"
 
Hey, thanks for your suggestion,
although I do not think that the SPF check is the problem, I changed my setting accordingly. But the behavior is the same: internal mail gets rejected. The mail arrives just fine when I turn off the new feature "Enable DMARC to check incoming mail".

So I am thinking that the mail server does not include DKIM and SPF in internal mail headers, but DMARC does check internal mail headers. Maybe something like this ...
 
Hi Peter,

in fact, localhost = 127.0.0.1 is handled as "blocked" when "URIBL_BLOCKED" is triggered.

... which brings us back to the DMARC - entry:

Code:
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected]!10m; ruf=mailto:[email protected]; rf=afrf; pct=100; ri=86400; fo=1;


We really need your eMail headers for further investigation... all other suggestions and conclusions are simply guesses. :)
 
Hi Peter,

pls. have a look at "Home > Tools & Settings > Mail Server Settings > (tab) Mail Queue" and check whether the eMail is listed there. A click on it should open a new window with the headers.
 
I think you can temporarily disable DMARC and get email headers from a mailbox.

Could have thought of this myself, thanks :)

Authentication-Results: h2562520.stratoserver.net;
dkim=pass [email protected]
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
h2562520.stratoserver.net
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=7.0 tests=ALL_TRUSTED,HTML_MESSAGE,
MIME_HTML_MOSTLY,TVD_SPACE_RATIO,T_DKIM_INVALID autolearn=ham
autolearn_force=no version=3.4.0
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from PeterPC (p549F0659.dip0.t-ipconnect.de [84.159.6.89])
by mail.hihost.de (Postfix) with ESMTPSA id 7C807140407BA
for <[email protected]>; Fri, 28 Apr 2017 13:56:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hihost.de;
s=default; t=1493380599;
bh=yb6JUncgSycyp/wM5a1JtGxRRF7D5OBmXSoB+v8rlyc=; l=2501;
h=From:To:Subject;
b=arAXFg1tgHTzIZA0tLh8jKL6f0Zh+Hz7qEF2PHFSfjtiR7lDGATFdiRHZ6hHAifen
gry/yE+ZmtFedjO35YlDCXXJEAyJUkqjDDW3263NCzNT9hz9354JXj1N0FhbRma6kL
BpHaISOjdL8DB1uZ5hPlkDQNIToWwXDBoKRiOKao=
From: "Admin Hihost.de" <[email protected]>
To: <[email protected]>
Subject: TEST
Date: Fri, 28 Apr 2017 13:56:38 +0200
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_005F_01D2C027.4207A320"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdLAFnumKDJlI7DAT9aelcEGJ5wqRg==
Content-Language: de
X-PPP-Message-ID: <[email protected]>
X-PPP-Vhost: hihost.de
 
Hi Peter,

unfortunately, you missed changing your "hostname", and mails from root, psaadm, etc. will be sent with the parameters defined in "/etc/aliases".

Pls. see for example my suggestions at #2 to solve your current issue, and consider adding not only your current HOSTNAME (already suggested above ^^) to your SPF entry, but also the IPv4.

As you can see in your header:
Authentication-Results: h2562520.stratoserver.net;
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
h2562520.stratoserver.net
... the entries of your hosting provider's domain "h2562520.stratoserver.net" have been used, but you will find that there are no valid SPF/DKIM TXT entries:
DNS Lookup for h2562520.stratoserver.net
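The two SPF points made in this thread (everything after "-all" is dead, and the server's own hostname or IPv4 has to appear before the "all" term) as an added Python example; this is not code from the thread or from Plesk. The DNS answers are a constructed lookup table, the 198.51.100.7 address for the server hostname is invented from the documentation range, and include:/redirect= are deliberately out of scope.

```python
import ipaddress

# Constructed DNS data for this example (not real lookups); the IP for the
# server hostname is taken from the TEST-NET-2 documentation range.
FAKE_DNS = {
    ("hihost.de", "A"): ["81.169.134.108"],
    ("hihost.de", "MX"): ["mail.hihost.de"],
    ("mail.hihost.de", "A"): ["81.169.134.108"],
    ("h2562520.stratoserver.net", "A"): ["198.51.100.7"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return ordered (qualifier, mechanism, argument) tuples of an SPF TXT record."""
    parts = record.split()
    if parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for raw in parts[1:]:
        qual = raw[0] if raw[0] in QUALIFIERS else "+"   # default qualifier is '+'
        mech, _, arg = raw.lstrip("+-~?").partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms

def unreachable_terms(record):
    """Mechanisms after the first 'all' are never tested (RFC 7208, section 5.1)."""
    terms = parse_spf(record)
    for i, (_, mech, _) in enumerate(terms):
        if mech == "all":
            return terms[i + 1:]
    return []

def check_host(record, domain, client_ip, dns=FAKE_DNS):
    """Evaluate the record for one sending IP, left to right; the first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns.get((arg or domain, "A"), [])
        elif mech == "mx":
            matched = any(str(ip) in dns.get((mx, "A"), [])
                          for mx in dns.get((arg or domain, "MX"), []))
        else:
            continue  # include:/redirect=/ip6 are out of scope for this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # ran off the end without an 'all' term
```

Run against the record from the dig output, `unreachable_terms` reports the trailing `+a:hihost.de`, and `check_host` shows that a host listed only after "-all" still ends in "fail" until the term is moved in front of it.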
 
Currently, you use nameservers from your hosting provider, which is a sort of standard configuration, because in most cases they install your server with the help of templates.
Pls. consider adjusting/modifying your "resolv.conf" with additional "reliable" nameservers, such as the ones from Google, for example:

Example resolv.conf:
Code:
nameserver 8.8.8.8
nameserver 8.8.4.4

Actually, @UFHH01, I don't recommend that people use Google's free DNS servers before their ISP's, as this will break many of the DNS blocklist tests (URIDNSBL) that SpamAssassin uses, severely limiting its effectiveness. Because there are so many queries coming from these free DNS servers, they are blocked by most of the URIDNSBL services.

You can see this in your maillog if you grep for URIBL_BLOCKED.

The full spam analysis entry would look like:
Code:
0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                           See
                           http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                            for more information.
                           [URIs: responsys.net]
 
Hey,

thanks for your time and this solution, I also think the hostname might be the problem. But I don't understand how to fix this problem using the aliases?

Also, regarding my STRATO server, it might be possible that I cannot change the hostname. Would there be another possibility to tackle the problem without changing the hostname?
 
Hi Peter,

could you explain the problems you might have by modifying the "aliases" file?
 
Hi Peter,

could you explain the problems you might have by modifying the "aliases" file?

I don't understand how setting a mail alias will affect my hostname. Or can I also set an alias for my hostname? Sorry, I'm not a very experienced Linux user.
 
Hi Peter,

this won't help for eMails sent locally from one domain to the other (both hosted on your server), but it will actually help for "root" and other system-user eMails.


To solve your issue for the local delivery from domainA to domainB (both hosted on the same server), you still have to change the hostname, or ask your service provider to add the needed DNS entries for SPF/DMARC to their nameservers... (which they will mostly deny).
You are also able to adjust the spamassassin configuration files so that localhost is not used, but I have to search for the files involved here before I can suggest a work-around.


Could you explain why you think that you won't be able to change your hostname?
 