
Issue DMARC issue with forward mail

Giuseppe

Hi all,
I have a problem with forwarded mail.
The destination server reports a DMARC policy problem many times (e.g. if someone sends mail to my server and it is then forwarded to gmail.com).
I have not found a solution and am asking for help.

This is the error message that is returned:
<[email protected]>: host gmail-smtp-in.l.google.com[66.102.1.26]
said: 550-5.7.1 Unauthenticated email from yahoo.it is not accepted due to
domain's 550-5.7.1 DMARC policy. Please contact the administrator of
yahoo.it domain if 550-5.7.1 this was a legitimate mail. Please visit
550-5.7.1 Control unauthenticated mail from your domain - Gmail Help to learn about
the 550 5.7.1 DMARC initiative. j18si547897wrc.479 - gsmtp (in reply to end
of DATA command)
Reporting-MTA: dns; mail.mywabisabi.eu
X-Postfix-Queue-ID: 492603627A5
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Fri, 9 Mar 2018 10:39:12 +0100 (CET)

I see the problem is that the server converts the sender of the mail... and this causes a DMARC problem.

Thanks
Giuseppe
 
I don't see this at all on my server...

Can you please provide more information?
  • OS Version
  • Plesk Version
  • Mail system used (Postfix/Qmail, Dovecot/Courier, Horde/Roundcube)
  • How is the forwarding performed?

P.S.: I'm Italian, PM me in Italian if you wish (but not here, of course...)
 
I'm having this same problem, and it is with any forwarding email to Yahoo.com or gmail through my server. My research finds there are big problems with forwarded email and DMARC. In fact, if I have DMARC checking turned on in my mail server, even email accts that forward to other domains on my own server are blocked by my own DMARC filter. I've resorted to leaving the DMARC turned off to solve my own server problem, but nothing can be done about Yahoo and Gmail, as they have implemented DMARC strict policies on their own servers, obeying any DMARC DNS records found on servers which send to them. This blocks any emails forwarded through my server to them from sites such as Twitter, Etsy, and others who have listed DMARC policies in their own DNS records that specify that their email is not to be forwarded. This handshaking is done between the sending server and the endpoint receiving server, so as a forwarding account server (in the middle) it seems there is nothing that can be done.

I understand that Plesk is supposed to implement SPF: SRS Email Rewriting when email is forwarded, but I can't find any controls for that, and it doesn't seem to be working on my server running Plesk 17.5.3 even though it says it exists in the Plesk Docs here:
DKIM, SPF, and DMARC Protection
 
I don't see this at all on my server...

Can you please provide more information?
  • OS Version
  • Plesk Version
  • Mail system used (Postfix/Qmail, Dovecot/Courier, Horde/Roundcube)
  • How is the forwarding performed?

P.S.: I'm Italian, PM me in Italian if you wish (but not here, of course...)

Hi Sergio,

• CentOS 7
• Plesk 17.5.3
• Postfix / Dovecot / roundcube
• I set automatic forward in plesk-domain-mail- (account) - forward

I have this problem with different senders and different recipients, but in general gmail.com, yahoo.com, Mac.com

thanks
Giuseppe
 
Hello! I don't know what to say... it perfectly works here and I'm attaching a PDF with a message (with full headers) sent from Yahoo and delivered to GMail, through a forwarder on my Plesk server. Log entries from /var/log/maillog are in the PDF too.

DMARC is just a method for advertising what you want receiving MTAs to do with mail apparently originated from your domains and failing DKIM and/or SPF verification, and it is just a "hint" for the receiving MTA, which can instead apply its own rules. So if DMARC fails it is because either or both of DKIM and/or SPF have failed. Check those, for your domains...

@G J Piper the wording in the documentation is that "... some mail servers in Plesk support SRS (Sender Rewriting Scheme) ...": I think that means that some mail servers (e.g. Postfix) support SRS, while others (Qmail ????) don't. It doesn't mean that you can turn on/off SRS (you can't, at least from the panel).

N.B.: I removed the attachment as it contained personal information. See below for a cleaned-up version.
 
...if DMARC fails it is because either or both of DKIM and/or SPF have failed. Check those, for your domains...

@G J Piper the wording in the documentation is that "... some mail servers in Plesk support SRS (Sender Rewriting Scheme) ...": I think that means that some mail servers (e.g. Postfix) support SRS, while others (Qmail ????) don't. It doesn't mean that you can turn on/off SRS (you can't, at least from the panel).

Actually, DMARC is controlled by both ends. If the sending server (Twitter, for example) has a DMARC policy of "p=reject" and the destination server has a DMARC check on incoming mail, and the receiving server is set to enforce all DMARC policies set by the sending server, then the email will be rejected by the destination because the forwarding server has added its own receive/sent headers to the email on its way through. This is why your headers seem to work in the example PDF you gave us -- because webops.it sent your example email and it has a DMARC setting of "p=none" (no enforcement).

I'm running postfix/dovecot/CentOS 7 and it seems to list my setup as one of the servers that performs SRS rewriting in the Plesk docs, but I can't see it happening. If I have DMARC checking turned on, even forwarded email between two domains on my own server gets blocked. SPF fails because Twitter doesn't list my server as an acceptable sender for its email.

You can lookup DMARC settings for any server here: dmarcian - DMARC Inspector
 
@Giuseppe I see you have
Code:
_dmarc.paulicelli.com.  79429   IN      TXT     "v=DMARC1\; p=reject"
try changing it to "v=DMARC1; p=none"

Also I see that spf is:
Code:
v=spf1 +a +mx +a:mail.mywabisabi.eu -all

So who can send?
  • A for paulicelli.com: this is 54.36.136.221
  • MX for paulicelli.com: this is mail.paulicelli.com (54.36.136.221)
  • A (again 54.36.136.221) presenting himself as "mail.mywabisabi.eu"
  • All the others FAIL!
But mail.mywabisabi.eu with A=37.187.76.98 is not allowed to send

Besides, there are issues with PTRs too:
  • mail.mywabisabi.eu -> 37.187.76.98
  • 37.187.76.98 -> mywabisabi.eu
  • 54.36.136.221 -> mail.mywabisabi.eu

Until the problem is solved you should also lower the TTL of your records (to 10 minutes or something like that...), or testing will be much more difficult.

=======================
@G J Piper

I'm running postfix/dovecot/CentOS 7 and it seems to list my setup as one of the servers that performs SRS rewriting in the Plesk docs, but I can't see it happening

I'm running your very same configuration and SRS is working (with Plesk 17.8.11, but it was OK with 17.5.3 too..). Yours, I think, is a different issue from the one of @Giuseppe who apparently has SRS working...

Do me a favour: set up a forwarder on your domain to my GMail mailbox (see the PDF...) and send a mail to that forwarder...
 
This is why your headers seem to work in the example PDF you gave us -- because webops.it sent your example email and it has a DMARC setting of "p=none" (no enforcement).
My headers don't "seem to work"; they do work! :D (point me to a failing one...)

Your problem is that without SRS you are sending from your server "as if you were Yahoo" (or whatever else) and what fails is Yahoo's (or whatever else's) DMARC (obviously)
 
My headers don't "seem to work"; they do work! :D (point me to a failing one...)

Your problem is that without SRS you are sending from your server "as if you were Yahoo" (or whatever else) and what fails is Yahoo's (or whatever else's) DMARC (obviously)

Exactly.

Ok, I set up a forwarding email acct on my server. Sending it an email from my AOL acct to see what happens.

Ok see the results in this screenshot attached...

Screen-Shot-2018-03-12-at-9.13.26-AM.jpg

Email blocked.
 
do you have
Code:
127.0.0.1:12346 inet n n n - - spawn user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-srs
in your /etc/postfix/master.cf ?

Seems to be related...
 
do you have
Code:
127.0.0.1:12346 inet n n n - - spawn user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-srs
in your /etc/postfix/master.cf ?

I don't have that in my /etc/postfix/master.cf
Also, I don't have any /usr/lib64/plesk-9.0/postfix-srs

Here is a screen of the logs with our emails obfuscated:
Screen-Shot-2018-03-12-at-10.02.09-AM.jpg Hmmmm.....
 
Do you relay through them? Is the failure message you posted before theirs? HERE, in your log, everything is OK!
 
SRS seems to be very well active!

Who the hell is smtp.sendgrid.net[169.45.113.201]??

I'm running in Google Compute Engine (Google Cloud Server) and they have all outbound SMTP ports locked up -- they require you to get a third-party SMTP service at the moment. (a different issue, but see my signature below and help me get this changed lol)

Sendgrid is an SMTP service. When my server goes to send the email, it sends it finally through sendgrid's authenticated relay.
 
... but you didn't send to GMail! cfr my log in the PDF attached before...

I set up the forwarding account on my server to forward to your gmail acct, yes I did. I sent the email to my server's acct from my AOL acct, which should have forwarded to your gmail acct if DMARC hadn't stopped it. In my log output I changed your email to "[email protected]".
 
When my server goes to send the email, it sends it finally through sendgrid's authenticated relay.

... but Sendgrid doesn't accept SRS'ed email...

Actually what they apparently do is to "implode" the SRS'ed address into the original sender address and apply DMARC of the original domain: FAILURE! :D
 
... but Sendgrid doesn't accept SRS'ed email...

Actually what they apparently do is to "implode" the SRS'ed address into the original sender address and apply DMARC of the original domain: FAILURE! :D

That bites! lol Where did you find this info... I can't find where Sendgrid addresses SRS.
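
Added example (not from any poster in this thread and not Plesk's code): a small Python model of what the destination evaluates for a forwarded message, with and without SRS, and when a relay restores the original envelope sender. The domains `yahoo.example` and `forwarder.example`, the secret, the simplified SRS0 hash, and strict DMARC alignment are assumptions made for the illustration.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-key"          # assumption: the forwarder's SRS secret
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _tag(tt, domain, local):
    # Simplified SRS hash: truncated HMAC-SHA1 over timestamp, domain and user
    mac = hmac.new(SECRET, f"{tt}{domain}{local}".lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs0_rewrite(sender, forwarder, day):
    """Envelope sender -> SRS0=hash=timestamp=domain=local@forwarder."""
    local, domain = sender.rsplit("@", 1)
    tt = B32[(day >> 5) & 31] + B32[day & 31]   # day number mod 1024 in base32
    return f"SRS0={_tag(tt, domain, local)}={tt}={domain}={local}@{forwarder}"

def srs0_reverse(address):
    """Return the original sender, or None if this is not a valid SRS0 address."""
    parts = address.rsplit("@", 1)[0].split("=", 4)
    if len(parts) != 5 or parts[0] != "SRS0":
        return None
    _, tag, tt, domain, user = parts
    if not hmac.compare_digest(tag.encode(), _tag(tt, domain, user).encode()):
        return None
    return f"{user}@{domain}"

def dmarc_pass(from_dom, mailfrom_dom, spf_ok, dkim_dom, dkim_ok):
    """DMARC: SPF or DKIM must pass AND match the From: domain (strict alignment)."""
    return (spf_ok and mailfrom_dom == from_dom) or (dkim_ok and dkim_dom == from_dom)

def deliver(use_srs, relay_unwraps=False, dkim_survives=False):
    """What the destination concludes for mail from yahoo.example via forwarder.example."""
    mailfrom = "alice@yahoo.example"        # constructed original envelope sender
    if use_srs:
        mailfrom = srs0_rewrite(mailfrom, "forwarder.example", day=17600)
    if relay_unwraps:                       # relay restores the original sender
        mailfrom = srs0_reverse(mailfrom) or mailfrom
    dom = mailfrom.rsplit("@", 1)[1]
    # Assumption: the sending hop is authorized only by forwarder.example's SPF record
    spf_ok = dom == "forwarder.example"
    return {"mailfrom": dom, "spf": spf_ok,
            "dmarc": dmarc_pass("yahoo.example", dom, spf_ok, "yahoo.example", dkim_survives)}
```

In this model SRS makes SPF pass for the forwarder's domain, but that domain is not aligned with the From: header, so the DMARC result depends on whether the original sender's DKIM signature survives forwarding.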
 