Issue DMARC issue with forward mail

[Sergio Manzi]

Delivered-To: [email protected]
Received: by 10.28.230.157 with SMTP id e29csp1507400wmi;
        Tue, 13 Mar 2018 19:46:17 -0700 (PDT)
X-Google-Smtp-Source: AG47ELvu1FjLDzdaZq3KSTGomCcP2UODhRljey4D1m98IXdZ7vCNfFRimJ/+zN8zf9hSYptkrZHW
X-Received: by 10.237.51.132 with SMTP id v4mr4789377qtd.72.1520995577471;
        Tue, 13 Mar 2018 19:46:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520995577; cv=none;
        d=google.com; s=arc-20160816;
        b=e52o0zuimehqHVd/W2b0tZ4oRg8+zkMeTC2Qlu34Y6kFz4iWnzgv7IXHbL15QSjh1H
         9f0cKpSYY5hsVTJK2JtoKbQ2B9w5PyPFafEh8JFfQa13Jho0AuHhkP9amoC2ecJRVa02
         kbwIlTIZU+Z//a+CfF8+ZyMvF33aNPMTYggTveG9NGOD7hyQ7birl4oI2JFd7C/uZKB8
         Mabo31VCkHyJeDlIcN1pKQPvQgjc2lFCi0NOGYVGShZgTHdQEg4rhw/zt3yyVeSs5fLS
         F5v45Hk1OiynW7ArfBsIcsRHHAVPXeukEhAQr2AyzhlyfIHgAwwEVLUC34p1mD2C1iYA
         2cJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=references:mime-version:subject:message-id:to:from:date
         :dkim-signature:delivered-to:arc-authentication-results;
        bh=JZeK1lhH02fun7Db7CJiBK6JrHfnW7jY1lt+jD55Nss=;
        b=lXm35kWhxrMXYg7BgCe44aJpNPXog24KpdxCDmmCcSgLrItxn2EIa0qQ8PUwIeKjwk
         ePALaw2IAuK1tbXcq7nqqs2Rxoz18HMUknz+0o+7DleDheqxWM/OdBkB+LAdeWDmjEH3
         uJ/e4cDZyF/5iQMqRvu9tQsvwrtigfJAbul7cqLuu39MfHZaiCy9TvLshTEBJ51hKwsy
         XP1zUl8TGX61HtHtyx2+aK8H4IcBDBZv2wsUE7BgRarGWXqdg0bbZuluLZtEEb73P51H
         XoNlO/723EzvBkTI+7Tg910SqMdBmmmNmujrTYJWuX+FkQfFOslUOQgwZimKk/L53a/h
         MmWg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=s2048 header.b=t72Kw2Zp;
       spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yahoo.com
Return-Path: <[email protected]>
Received: from ourplesk.example.net ([1.2.3.4])
        by mx.google.com with ESMTP id e21si1219948qkm.470.2018.03.13.19.46.16
        for <[email protected]>;
        Tue, 13 Mar 2018 19:46:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) client-ip=1.2.3.4;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=s2048 header.b=t72Kw2Zp;
       spf=pass (google.com: domain of [email protected] designates 1.2.3.4 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=yahoo.com
Received: by ourplesk.example.net (Postfix, from userid 30)
   id 88F0C4116A5D; Tue, 13 Mar 2018 19:46:16 -0700 (PDT)
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from sonic309-26.consmr.mail.ir2.yahoo.com (sonic309-26.consmr.mail.ir2.yahoo.com [77.238.179.84])
   by ourplesk.example.net (Postfix) with ESMTP id 305B040427C8
   for <[email protected]>; Tue, 13 Mar 2018 19:46:16 -0700 (PDT)
Authentication-Results: ourplesk.example.net;
   dkim=pass [email protected];
        spf=pass (sender IP is 77.238.179.84) [email protected] smtp.helo=sonic309-26.consmr.mail.ir2.yahoo.com
Received-SPF: pass (ourplesk.example.net: domain of yahoo.com designates 77.238.179.84 as permitted sender) client-ip=77.238.179.84; [email protected]; helo=sonic309-26.consmr.mail.ir2.yahoo.com;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1520995574; bh=JZeK1lhH02fun7Db7CJiBK6JrHfnW7jY1lt+jD55Nss=; h=Date:From:To:Subject:References:From:Subject; b=t72Kw2ZpiDQkqO43Y/rtcVNQsoCQ+O2w31x1kO6ldGxBlwIx95b/g5RwFJl1QbOR0q3eaq1iVPP3RCe/EYvlFmRs0IE7tho18vASc2qH2gwMpN+CbOueZlbYB9QooKGGGN6rln//CHtP8u70h7AOa+v77KSvMl03fz2kalX0JR3b2GhqYcY/UnD5R9ndz9TPix6gx0RD9RMJ86WGHgiLINgKCMROTaZKpUtmZ0Psh2gnlBbAiNi+65rSF0N7AwjMbNAJ7qOFJxCYtctUsRSRVrZOIz7ruX2Lf+UIBuoi+rlZKRq4VIYaFAbA/UlBtHRjv+TBqrAxGoBz+ZfS3pBEzw==
X-YMail-OSG: sFMk92QVM1mfimlreBpSElxasztSIAKzGuS1.Jtcl29Ub2qQRBjNi0r3eBZz6GD
 ZL_FC0lxXa3z3pQAX33QfrFNxjfTNk6XkYuJGerzGrn1tvtCvnmBqpknSdzplbVdM2uH0PsnwAVz
 aNkzpOpBn6XumJZR.u8YWFunBwkhI5EF7cVHgddIvL3jnusDI9MU4Nw5QDIWHUcWwS53CW0GXDPt
 qVBn4xvpte09yUg7HKUJS.QQGf0DAiCaMC7QjjEu1BQNX9XycvRHijA4_OqEPBegF0LVinjX96s8
 6spCsihC_uuGkWwetKrQ0OSEoyThtxrwXz_yWguZrmHGc0NGAvEenc8gAlbRMA4L8r1cg44qQB2U
 WPTPBb2Qc_YIV.ioMblFPUIt4egl6sureT.I_xzVDO8RAOe3PlPs57_Uf_bld_jxB0OS1zqWLWe.
 wp4cpzv6BweedJxaU7Yl_b2VmOEHEWhyy8h_fuFXwLq3ouYjal2dVYd68fFnCGhv27ZbqtZ1nHxk
 H
Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.ir2.yahoo.com with HTTP; Wed, 14 Mar 2018 02:46:14 +0000
Date: Wed, 14 Mar 2018 02:46:12 +0000 (UTC)
From: Sergio Manzi <[email protected]>
To: "[email protected]" <[email protected]>
Message-ID: <[email protected]>
Subject: From Yahoo
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="----=_Part_43238_243832172.1520995572955"
References: <[email protected]>
X-Mailer: WebService/1.1.11588 YMailNorrin Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0.4 Waterfox/56.0.4

------=_Part_43238_243832172.1520995572955
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

... to GMail

------=_Part_43238_243832172.1520995572955
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><head></head><body><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div>... to GMail<br></div></div></body></html>
------=_Part_43238_243832172.1520995572955--

 

[Sergio Manzi]

[email protected] is... the forwarder
[email protected] is the target of the local forward (and it got the mail too...)

 

[G J Piper]

[email protected] is... the forwarder
[email protected] is the target of the local forward (and it got the mail too...)

If you send from the Yahoo address to the premiovenezia.it and it forwards to a Gmail account (or vice-versa) does it all work?
Also are premiovenezia.it and premiovenezia.org on the same server with the same IP addy?

 

[G J Piper]

Mar 13 19:46:15 plesk postfix/smtpd[28591]: connect from sonic309-26.consmr.mail.ir2.yahoo.com[77.238.179.84]
Mar 13 19:46:15 plesk postfix/smtpd[28591]: SSL_accept error from sonic309-26.consmr.mail.ir2.yahoo.com[77.238.179.84]: 0
Mar 13 19:46:15 plesk postfix/smtpd[28591]: warning: TLS library problem: 28591:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
Mar 13 19:46:15 plesk postfix/smtpd[28591]: lost connection after STARTTLS from sonic309-26.consmr.mail.ir2.yahoo.com[77.238.179.84]
Mar 13 19:46:15 plesk postfix/smtpd[28591]: disconnect from sonic309-26.consmr.mail.ir2.yahoo.com[77.238.179.84]
Mar 13 19:46:15 plesk postfix/smtpd[28591]: connect from sonic309-26.consmr.mail.ir2.yahoo.com[77.238.179.84]
Mar 13 19:46:16 plesk postfix/smtpd[28591]: 305B040427C8: client=sonic309-26.consmr.mail.ir2.yahoo.com[77.238.179.84]
Mar 13 19:46:16 plesk postfix/cleanup[28596]: 305B040427C8: message-id=<[email protected]>
Mar 13 19:46:16 plesk check-quota[28597]: Starting the check-quota filter...
Mar 13 19:46:16 plesk /usr/lib64/plesk-9.0/psa-pc-remote[24410]: handlers_stderr: SKIP
Mar 13 19:46:16 plesk /usr/lib64/plesk-9.0/psa-pc-remote[24410]: SKIP during call 'check-quota' handler
Mar 13 19:46:16 plesk spf[28598]: Starting the spf filter...
Mar 13 19:46:16 plesk spf[28598]: SPF result: pass
Mar 13 19:46:16 plesk spf[28598]: SPF status: PASS
Mar 13 19:46:16 plesk /usr/lib64/plesk-9.0/psa-pc-remote[24410]: handlers_stderr: PASS
Mar 13 19:46:16 plesk /usr/lib64/plesk-9.0/psa-pc-remote[24410]: PASS during call 'spf' handler
Mar 13 19:46:16 plesk postfix/qmgr[28546]: 305B040427C8: from=<[email protected]>, size=2498, nrcpt=1 (queue active)
Mar 13 19:46:16 plesk postfix-local[28600]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Mar 13 19:46:16 plesk dk_check[28601]: Starting the dk_check filter...
Mar 13 19:46:16 plesk dk_check[28601]: DKIM verify result: DKIM verification (d=yahoo.com, 2048-bit key) succeeded
Mar 13 19:46:16 plesk check-quota[28606]: cannot get sender domain
Mar 13 19:46:16 plesk check-quota[28606]: Unable to intialize check-quota mail handler
Mar 13 19:46:16 plesk journal: plesk sendmail[28605]: Error during 'check-quota' handler
Mar 13 19:46:16 plesk postfix/pickup[28545]: 88F0C4116A5D: uid=30 from=<[email protected]>
Mar 13 19:46:16 plesk postfix/cleanup[28596]: 88F0C4116A5D: message-id=<[email protected]>
Mar 13 19:46:16 plesk postfix/qmgr[28546]: 88F0C4116A5D: from=<[email protected]>, size=3118, nrcpt=1 (queue active)
Mar 13 19:46:16 plesk check-quota[28614]: cannot get sender domain
Mar 13 19:46:16 plesk check-quota[28614]: Unable to intialize check-quota mail handler
Mar 13 19:46:16 plesk journal: plesk sendmail[28613]: Error during 'check-quota' handler
Mar 13 19:46:16 plesk postfix/pickup[28545]: 92F384116B21: uid=30 from=<[email protected]>
Mar 13 19:46:16 plesk postfix/cleanup[28596]: 92F384116B21: message-id=<[email protected]>
Mar 13 19:46:16 plesk postfix/pipe[28599]: 305B040427C8: to=<[email protected]>, relay=plesk_virtual, delay=0.53, delays=0.43/0.01/0/0.09, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Mar 13 19:46:16 plesk postfix/qmgr[28546]: 305B040427C8: removed
Mar 13 19:46:16 plesk postfix/qmgr[28546]: 92F384116B21: from=<[email protected]>, size=3118, nrcpt=1 (queue active)
Mar 13 19:46:16 plesk postfix-local[28618]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Mar 13 19:46:16 plesk postfix/smtpd[28591]: disconnect from sonic309-26.consmr.mail.ir2.yahoo.com[77.238.179.84]
Mar 13 19:46:16 plesk dk_check[28619]: Starting the dk_check filter...
Mar 13 19:46:16 plesk dk_check[28619]: DKIM verify result: DKIM verification (d=yahoo.com, 2048-bit key) succeeded
Mar 13 19:46:16 plesk dovecot: service=lda, [email protected], ip=[]. msgid=<[email protected]>: saved mail to INBOX
Mar 13 19:46:16 plesk postfix/pipe[28599]: 92F384116B21: to=<[email protected]>, relay=plesk_virtual, delay=0.04, delays=0/0/0/0.04, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Mar 13 19:46:16 plesk postfix/qmgr[28546]: 92F384116B21: removed
Mar 13 19:46:17 plesk postfix/smtp[28611]: 88F0C4116A5D: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[209.85.232.26]:25, delay=0.95, delays=0.01/0.01/0.23/0.7, dsn=2.0.0, status=sent (250 2.0.0 OK 1520995577 e21si1219948qkm.470 - gsmtp)
Mar 13 19:46:17 plesk postfix/qmgr[28546]: 88F0C4116A5D: removed
Mar 13 19:47:08 plesk dovecot: imap-login: Login: user=<[email protected]>, method=DIGEST-MD5, rip=::1, lip=::1, mpid=28639, secured, session=<iVcdZFZnkqwAAAAAAAAAAAAAAAAAAAAB>
Mar 13 19:47:08 plesk dovecot: service=imap, [email protected], ip=[::1]. Logged out rcvd=318, sent=4356

I don't see any DMARC checking in this anywhere? You sure it was turned on? No logs of it like mine had.

 

[MarkM]

If you send from the Yahoo address to the premiovenezia.it and it forwards to a Gmail account (or vice-versa) does it all work?
Also are premiovenezia.it and premiovenezia.org on the same server with the same IP addy?

They are both on the same IP. Only one IP on the server he used to test.

I don't see any DMARC checking in this anywhere? You sure it was turned on? No logs of it like mine had.

DMARC was 100% on. Both domains are actually still pointed at the server and DMARC is enabled with a policy to reject.

 

[Sergio Manzi]

If you send from the Yahoo address to the premiovenezia.it and it forwards to a Gmail account (or vice-versa) does it all work?
Also are premiovenezia.it and premiovenezia.org on the same server with the same IP addy?

As @Mark Muyskens already confirmed, "YES!", to both questions!

 

[G J Piper]

What are you guys using for these SPF settings? Are yours blank on the three text fields?

 

[Sergio Manzi]

That!

 

[G J Piper]

I've been back and forth for 12 days on this now with Sendgrid. It took the first 9 days just to get them understanding what SRS and the problem is...
They are now saying they think my server is sending correctly rewritten SRS "from" and "envelope-from" headers but that it is not removing the old non-rewritten "from" and "envelope-from" headers, and that is supposedly why there is a problem. Of course, they are guessing at this and want me to essentially troubleshoot my own server and give an adequate proof this is not happening on my server before they'll troubleshoot this for me any further.

Is there any way for me to have one of my email accounts forward an email to a log file directly without/before sending it off to the Sendgrid SMTP relay?

 

[Sergio Manzi]

Is there any way for me to have one of my email accounts forward an email to a log file directly without/before sending it off to the Sendgrid SMTP relay?

... nothing I can think of...

If put against a wall with a gun pointed at my face, what I'll try to do is to somehow capture the network traffic between my server and the remote SMTP server. Locally (under Windows) I'll do that using Wireshark, but I don't know how to do that on a remote Linux system... I'm quite sure something like that exists for Linux too, but I'm leaving the word to the Linux experts

 

[Sergio Manzi]

... wait... maybe I have an idea (well, just a small candle, not a bright lamp over my head...):

• setup a domain with MX to a temporary host you manage
  
• shut down that server
• from your main server forward mail to that domain
• examine the outgoing message in the queue (it should be... somewhere! )

 

[Sergio Manzi]

... but in any case I'm really not sure "from" and "envelope-from" should be rewritten!
Time to dig into RFCs, I'm afraid...

 

[Sergio Manzi]

Mine were not rewritten and message was accepted from Google (see header in my example above)

 

[MarkM]

Send them a fake log

 

[Sergio Manzi]

Send them a fake log

You nasty boy!

 

[G J Piper]

Mine were not rewritten and message was accepted from Google (see header in my example above)

Yep look at your SPF check in your logs where it says:

 

[G J Piper]

Here is the last message I've received. Maybe I should open a support ticket with Plesk at this point... but I really think Plesk and Sendgrid should put their heads together over a smouldering Google Compute Engine setup and see if they can get this working between themselves! @IgorG have any input?

 

[Sergio Manzi]

Nope!

I was talking about:

From: Sergio Manzi <[email protected]>

and:

Received-SPF: pass (ourplesk.example.net: domain of yahoo.com designates 77.238.179.84 as permitted sender) client-ip=77.238.179.84; [email protected]; helo=sonic309-26.consmr.mail.ir2.yahoo.com;

There you see that addresses are "[email protected]", so they are not rewritten...

 

[G J Piper]

Nope!

I was talking about:
and:
There you see that addresses are "[email protected]", so they are not rewritten...

I see! However, I also see that the address was in rewritten SRS form when your server checked SPF... I can't figure out that one. DMARC should be using that rewritten address from what I've read.

 

[Sergio Manzi]

They says: "we simply pass the mail object on exactly as it is handled to us."

That's bollocks, I think: they are not "transparent" they receive and they send and there is trace of that in the headers

They should re-spf re-SRS the message, I think... I'll check the relevant RFCs, but not now... I haven't the time right now, sorry...