Re: SPF fail and domain fail, why?
Maurizio Caloro wrote on 2023-01-17 19:55:

> # opendmarc-check caloro.ch
> DMARC record for caloro.ch:
>         Sample percentage: 100
>         DKIM alignment: strict
>         SPF alignment: relaxed
>         Domain policy: none
>         Subdomain policy: unspecified
>         Aggregate report URIs:
>                 mailto:etczb...@ag.dmarcian-eu.com
>         Failure report URIs:
>                 (none)

remove opendmarc in non_smtp_milters

opendkim is fine there, but opendmarc is not; the problem is that non_smtp_milters have no IPs, so SPF will fail
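Added example (not code from the thread, OpenDMARC or OpenDKIM): a Python check that correlates the two milters' syslog lines by Postfix queue ID and reports every message that opendkim signed, meaning it originated on this host, and that opendmarc nevertheless ran SPF on, which is the symptom diagnosed in the reply above. The sample log is constructed from lines quoted in the thread; the function name and result fields are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines quoted in the thread, unwrapped.
# B6090404C3 is the outbound message, 10003404C3 the inbound one.
SAMPLE_LOG = """\
Jan 16 19:43:39 nmail opendkim[16490]: B6090404C3: DKIM-Signature field added (s=nmail, d=caloro.ch)
Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: SPF(mailfrom): caloro.ch fail
Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: caloro.ch fail
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: not authenticated
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: DKIM verification successful
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3 ignoring Authentication-Results at 2 from nmail.caloro.ch
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: SPF(mailfrom): bounce.linkedin.com pass
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: linkedin.com pass
"""

# "<daemon>[pid]: <queue-id>[:] <message>"; opendmarc sometimes omits the colon.
LINE = re.compile(r"\s(opendkim|opendmarc)\[\d+\]:\s+([0-9A-Za-z]+):?\s+(.*)$")
SIGNED = re.compile(r"DKIM-Signature field added \(s=[^,]+, d=([^)]+)\)")
SPF = re.compile(r"SPF\(\w+\): (\S+) (\w+)$")


def outbound_spf_checks(log_text):
    """Return one finding per SPF verdict that opendmarc logged for a message
    opendkim signed (it signs what it treats as internal or authenticated)."""
    signed = {}               # queue ID -> d= domain opendkim signed with
    spf = defaultdict(list)   # queue ID -> [(SPF domain, result), ...]
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, msg = m.groups()
        if daemon == "opendkim":
            s = SIGNED.match(msg)
            if s:
                signed[qid] = s.group(1)
        else:
            v = SPF.match(msg)
            if v:
                spf[qid].append(v.groups())
    # Correlate only after reading everything: the order in which the two
    # milters log a given message is not guaranteed.
    return [
        {"qid": qid, "signed_as": dom, "spf_domain": d, "spf_result": r}
        for qid, dom in signed.items()
        for d, r in spf.get(qid, [])
    ]


if __name__ == "__main__":
    for f in outbound_spf_checks(SAMPLE_LOG):
        print("{qid}: signed as {signed_as}, yet opendmarc ran SPF on "
              "{spf_domain} -> {spf_result}".format(**f))
```

A non-empty result points at the opendmarc milter seeing locally submitted mail, for example through Postfix's non_smtpd_milters setting (written non_smtp_milters in the reply above).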
Re: SPF fail and domain fail, why?
On 17.01.2023 at 03:34, Scott Kitterman wrote:

> On January 17, 2023 2:25:34 AM UTC, raf wrote:
>> On Mon, Jan 16, 2023 at 08:01:10PM +0100, Maurizio Caloro wrote:
>>> Hello
>>>
>>> Please, one more thing about Opendmarc: if I send any email anywhere,
>>> I see in the log SPF fail, domain.ch fail?
>>>
>>> Jan 16 19:43:39 nmail opendkim[16490]: B6090404C3: DKIM-Signature field added (s=nmail, d=caloro.ch)
>>> Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: SPF(mailfrom): caloro.ch fail
>>> Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: caloro.ch fail
>>>
>>> If I receive any mail from anywhere, everything passes:
>>>
>>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: mailc-bb.linkedin.com [A.B.C.D] not internal
>>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: not authenticated
>>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: message has signatures from linkedin.com, mailc.linkedin.com
>>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: signature=muv88Rcz domain=linkedin.com selector=d2048-201806-01 result="no signature error"; signature=IKaXoyzS domain=mailc.linkedin.com selector=proddkim1024 result="no signature error"
>>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: DKIM verification successful
>>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: s=d2048-201806-01 d=linkedin.com SSL
>>> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3 ignoring Authentication-Results at 2 from nmail.caloro.ch
>>> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: SPF(mailfrom): bounce.linkedin.com pass
>>> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: linkedin.com pass
>>>
>>> --
>>> In the header of any mail that I send, the following appears:
>>> Authentication-Results-Original: caloro.ch, calm-ness.ch; spf=fail
>>>
>>> # cat opendmarc.conf
>>> AuthservID caloro.ch, calm-ness.ch
>>> AuthservIDWithJobID false
>>> AutoRestart false
>>> AutoRestartRate 10/1h
>>> Background true
>>> DNSTimeout 5
>>> HistoryFile /var/spool/postfix/opendmarc/opendmarc.dat
>>> *IgnoreAuthenticatedClients true*
>>> IgnoreHosts /etc/opendmarc/ignore.hosts
>>> PidFile /var/run/opendmarc/opendmarc.pid
>>> RejectFailures false
>>> RequiredHeaders true
>>> PublicSuffixList /etc/opendmarc/effective_tld_names.dat
>>> Socket inet:8892@127.0.0.1
>>> SoftwareHeader true
>>> SPFSelfValidate true
>>> SPFIgnoreResults false
>>> Syslog true
>>> SyslogFacility mail
>>> # TrustedAuthservIDs nmail.caloro.ch, nmail.calm-ness.ch
>>> TrustedAuthservIDs caloro.ch, calm-ness.ch
>>> UMask 077
>>> UserID opendmarc:opendmarc
>>>
>>> When checking DMARC, DKIM and SPF for the domain online, everything appears correct!
>>> Please, why does my email fail?
>>>
>>> thanks for any hint
>>> Mauri
>>
>> I could be wrong, but I suspect that the problem is
>> that you haven't configured OpenDMARC to not check
>> locally originating mail. According to the first
>> Received: header, the mail is coming from 37.120.190.188
>> (which is mentioned in multiple ways in the SPF record),
>> but your mail server at that IP address shouldn't be
>> performing this check on outgoing mail.
>>
>> Perhaps you need to add this to your /etc/opendmarc.conf:
>>
>>   IgnoreAuthenticatedClients true
>>
>> Unfortunately, the code doing the SPF check doesn't
>> explain why it failed. Some do. For example, the package on Debian would
>> probably show the IP address that caused the failure.
>> Maybe it's 127.0.0.1 (or the IP address of an
>> authenticated submission client).
>
> The internal SPF implementation in OpenDMARC is not a full
> implementation of the protocol. In general, you are likely to be
> better off having something SPF specific check SPF and then have
> OpenDMARC consume that result for its DMARC processing. If you
> are inclined towards Perl, then postfix-policyd-spf-perl is a good
> choice. SPF Engine supports either a milter (pyspf-milter) or
> policy server (postfix-policyd-spf-python) interface with Postfix,
> depending on which you prefer, if you're up for a Python based
> solution.
>
> Scott K

This was always present in opendmarc.conf before:

IgnoreAuthenticatedClients true

# opendmarc-check caloro.ch
DMARC record for caloro.ch:
        Sample percentage: 100
        DKIM alignment: strict
        SPF alignment: relaxed
        Domain policy: none
        Subdomain policy: unspecified
        Aggregate report URIs:
                mailto:etczb...@ag.dmarcian-eu.com
        Failure report URIs:
                (none)

But please, why does "fail" appear? I think this is posted by opendmarc.

Jan 17 19:17:50 nmail opendkim[801]: 6A2F040132: DKIM-Signature field added (s=nmail, d=caloro.ch)
Jan 17 19:17:50 nmail opendmarc[766]: 6A2F040132: SPF(mailfrom): caloro.ch fail
Jan 17 19:17:50 nmail opendmarc[766]: 6A2F040132: caloro.ch fail

# dig caloro.ch txt

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Debian <<>> caloro.ch txt
;; global options: +cmd
;; Got answer:
;;
Re: SPF fail and domain fail, why?
On January 17, 2023 2:25:34 AM UTC, raf wrote:

> On Mon, Jan 16, 2023 at 08:01:10PM +0100, Maurizio Caloro wrote:
>> Hello
>>
>> Please, one more thing about Opendmarc: if I send any email anywhere,
>> I see in the log SPF fail, domain.ch fail?
>>
>> Jan 16 19:43:39 nmail opendkim[16490]: B6090404C3: DKIM-Signature field added (s=nmail, d=caloro.ch)
>> Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: SPF(mailfrom): caloro.ch fail
>> Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: caloro.ch fail
>>
>> If I receive any mail from anywhere, everything passes:
>>
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: mailc-bb.linkedin.com [A.B.C.D] not internal
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: not authenticated
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: message has signatures from linkedin.com, mailc.linkedin.com
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: signature=muv88Rcz domain=linkedin.com selector=d2048-201806-01 result="no signature error"; signature=IKaXoyzS domain=mailc.linkedin.com selector=proddkim1024 result="no signature error"
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: DKIM verification successful
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: s=d2048-201806-01 d=linkedin.com SSL
>> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3 ignoring Authentication-Results at 2 from nmail.caloro.ch
>> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: SPF(mailfrom): bounce.linkedin.com pass
>> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: linkedin.com pass
>>
>> --
>> In the header of any mail that I send, the following appears:
>> Authentication-Results-Original: caloro.ch, calm-ness.ch; spf=fail
>>
>> # cat opendmarc.conf
>> AuthservID caloro.ch, calm-ness.ch
>> AuthservIDWithJobID false
>> AutoRestart false
>> AutoRestartRate 10/1h
>> Background true
>> DNSTimeout 5
>> HistoryFile /var/spool/postfix/opendmarc/opendmarc.dat
>> IgnoreAuthenticatedClients true
>> IgnoreHosts /etc/opendmarc/ignore.hosts
>> PidFile /var/run/opendmarc/opendmarc.pid
>> RejectFailures false
>> RequiredHeaders true
>> PublicSuffixList /etc/opendmarc/effective_tld_names.dat
>> Socket inet:8892@127.0.0.1
>> SoftwareHeader true
>> SPFSelfValidate true
>> SPFIgnoreResults false
>> Syslog true
>> SyslogFacility mail
>> # TrustedAuthservIDs nmail.caloro.ch, nmail.calm-ness.ch
>> TrustedAuthservIDs caloro.ch, calm-ness.ch
>> UMask 077
>> UserID opendmarc:opendmarc
>>
>> When checking DMARC, DKIM and SPF for the domain online, everything appears correct!
>> Please, why does my email fail?
>>
>> thanks for any hint
>> Mauri
>
> I could be wrong, but I suspect that the problem is
> that you haven't configured OpenDMARC to not check
> locally originating mail. According to the first
> Received: header, the mail is coming from 37.120.190.188
> (which is mentioned in multiple ways in the SPF record),
> but your mail server at that IP address shouldn't be
> performing this check on outgoing mail.
>
> Perhaps you need to add this to your /etc/opendmarc.conf:
>
>   IgnoreAuthenticatedClients true
>
> Unfortunately, the code doing the SPF check doesn't
> explain why it failed. Some do. For example, the package on Debian would
> probably show the IP address that caused the failure.
> Maybe it's 127.0.0.1 (or the IP address of an
> authenticated submission client).

The internal SPF implementation in OpenDMARC is not a full
implementation of the protocol. In general, you are likely to be
better off having something SPF specific check SPF and then have
OpenDMARC consume that result for its DMARC processing. If you are
inclined towards Perl, then postfix-policyd-spf-perl is a good choice.
SPF Engine supports either a milter (pyspf-milter) or policy server
(postfix-policyd-spf-python) interface with Postfix, depending on which
you prefer, if you're up for a Python based solution.

Scott K
Re: SPF fail and domain fail, why?
On Mon, Jan 16, 2023 at 08:01:10PM +0100, Maurizio Caloro wrote:

> Hello
>
> Please, one more thing about Opendmarc: if I send any email anywhere,
> I see in the log SPF fail, domain.ch fail?
>
> Jan 16 19:43:39 nmail opendkim[16490]: B6090404C3: DKIM-Signature field added (s=nmail, d=caloro.ch)
> Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: SPF(mailfrom): caloro.ch fail
> Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: caloro.ch fail
>
> If I receive any mail from anywhere, everything passes:
>
> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: mailc-bb.linkedin.com [A.B.C.D] not internal
> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: not authenticated
> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: message has signatures from linkedin.com, mailc.linkedin.com
> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: signature=muv88Rcz domain=linkedin.com selector=d2048-201806-01 result="no signature error"; signature=IKaXoyzS domain=mailc.linkedin.com selector=proddkim1024 result="no signature error"
> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: DKIM verification successful
> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: s=d2048-201806-01 d=linkedin.com SSL
> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3 ignoring Authentication-Results at 2 from nmail.caloro.ch
> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: SPF(mailfrom): bounce.linkedin.com pass
> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: linkedin.com pass
>
> --
> In the header of any mail that I send, the following appears:
> Authentication-Results-Original: caloro.ch, calm-ness.ch; spf=fail
>
> # cat opendmarc.conf
> AuthservID caloro.ch, calm-ness.ch
> AuthservIDWithJobID false
> AutoRestart false
> AutoRestartRate 10/1h
> Background true
> DNSTimeout 5
> HistoryFile /var/spool/postfix/opendmarc/opendmarc.dat
> IgnoreAuthenticatedClients true
> IgnoreHosts /etc/opendmarc/ignore.hosts
> PidFile /var/run/opendmarc/opendmarc.pid
> RejectFailures false
> RequiredHeaders true
> PublicSuffixList /etc/opendmarc/effective_tld_names.dat
> Socket inet:8892@127.0.0.1
> SoftwareHeader true
> SPFSelfValidate true
> SPFIgnoreResults false
> Syslog true
> SyslogFacility mail
> # TrustedAuthservIDs nmail.caloro.ch, nmail.calm-ness.ch
> TrustedAuthservIDs caloro.ch, calm-ness.ch
> UMask 077
> UserID opendmarc:opendmarc
>
> When checking DMARC, DKIM and SPF for the domain online, everything appears correct!
> Please, why does my email fail?
>
> thanks for any hint
> Mauri

I could be wrong, but I suspect that the problem is
that you haven't configured OpenDMARC to not check
locally originating mail. According to the first
Received: header, the mail is coming from 37.120.190.188
(which is mentioned in multiple ways in the SPF record),
but your mail server at that IP address shouldn't be
performing this check on outgoing mail.

Perhaps you need to add this to your /etc/opendmarc.conf:

  IgnoreAuthenticatedClients true

Unfortunately, the code doing the SPF check doesn't
explain why it failed. Some do. For example, the
postfix-policyd-spf-perl package on Debian would
probably show the IP address that caused the failure.
Maybe it's 127.0.0.1 (or the IP address of an
authenticated submission client).

cheers,
raf
SPF fail and domain fail, why?
Hello

Please, one more thing about Opendmarc: if I send any email anywhere,
I see in the log SPF fail, domain.ch fail?

Jan 16 19:43:39 nmail opendkim[16490]: B6090404C3: DKIM-Signature field added (s=nmail, d=caloro.ch)
Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: SPF(mailfrom): caloro.ch fail
Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: caloro.ch fail

If I receive any mail from anywhere, everything passes:

Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: mailc-bb.linkedin.com [A.B.C.D] not internal
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: not authenticated
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: message has signatures from linkedin.com, mailc.linkedin.com
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: signature=muv88Rcz domain=linkedin.com selector=d2048-201806-01 result="no signature error"; signature=IKaXoyzS domain=mailc.linkedin.com selector=proddkim1024 result="no signature error"
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: DKIM verification successful
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: s=d2048-201806-01 d=linkedin.com SSL
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3 ignoring Authentication-Results at 2 from nmail.caloro.ch
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: SPF(mailfrom): bounce.linkedin.com pass
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: linkedin.com pass

--
In the header of any mail that I send, the following appears:
Authentication-Results-Original: caloro.ch, calm-ness.ch; spf=fail

# cat opendmarc.conf
AuthservID caloro.ch, calm-ness.ch
AuthservIDWithJobID false
AutoRestart false
AutoRestartRate 10/1h
Background true
DNSTimeout 5
HistoryFile /var/spool/postfix/opendmarc/opendmarc.dat
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/opendmarc/opendmarc.pid
RejectFailures false
RequiredHeaders true
PublicSuffixList /etc/opendmarc/effective_tld_names.dat
Socket inet:8892@127.0.0.1
SoftwareHeader true
SPFSelfValidate true
SPFIgnoreResults false
Syslog true
SyslogFacility mail
# TrustedAuthservIDs nmail.caloro.ch, nmail.calm-ness.ch
TrustedAuthservIDs caloro.ch, calm-ness.ch
UMask 077
UserID opendmarc:opendmarc

When checking DMARC, DKIM and SPF for the domain online, everything appears correct!
Please, why does my email fail?

thanks for any hint
Mauri