
The anti-spoofing control in Mailu is over-zealous #2475

Closed
5 tasks done
Aaron-Ritter opened this issue Oct 15, 2022 · 30 comments · Fixed by #2479
Labels
priority/p2 Minor bug / Could have type/enhancement Enhances existing functionality

Comments

@Aaron-Ritter

Aaron-Ritter commented Oct 15, 2022

Before you open your issue

  • Check if no issue or pull-request for this already exists.
  • Check documentation and FAQ. (Tip, use the search function on the documentation page)
  • You understand Mailu is made by volunteers in their free time — be concise, civil and accept that delays can occur.
  • The title of the issue should be short and simple. It should contain specific terms related to the actual issue. Be specific while writing the title.

Environment & Versions

Environment

  • docker-compose

Versions

4467547357cc mailu/postfix:1.9 "/bin/sh -c /start.py" 6 hours ago Up 6 hours (healthy) 25/tcp, 10025/tcp mailu_smtp_1

Description

We are currently trying to set up an email domain redacted-domain.support with DKIM enabled and integrate Zendesk mailing into it. As soon as we activated DKIM for the domain it started to reject emails from a locally created email alias, despite the Zendesk DKIM setup being set up and verified.

Replication Steps

  1. Create an email domain redacted-domain.support
  2. Set up an email alias help@redacted-somain.support with destination support@redacted-alias.zendesk.com
  3. Add and verify email in your zendesk account https://support.zendesk.com/hc/en-us/articles/4408832543770-Allowing-Zendesk-to-send-email-on-behalf-of-your-email-domain (at this step you will see everything still working properly)
  4. Activate DKIM according to mailu instructions
  5. Activate DKIM according to zendesk instructions https://support.zendesk.com/hc/en-us/articles/4408822303386-Digitally-signing-your-email-with-DKIM-or-DMARC (at that point it stops working, sometimes delayed because zendesk has a moment to switch)

Expected behaviour

Mailu should not try to check the sender email and should allow external email servers with a valid DKIM entry in the domain.

Logs

```
smtp_1       | 2022-10-13T18:22:07.268759+02:00 af0ed861f43f postfix/smtpd[372]: disconnect from outbyoip1.pod29.euw1.zdsys.com[188.172.137.46] ehlo=2 xclient=0/1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=5/8
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.support')
smtp_1       | DEBUG:root:Request domain/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | INFO:root:Connect
smtp_1       | DEBUG:root:Received bytearray(b'senderaccess help@domain-redacted.support')
smtp_1       | DEBUG:root:Request senderaccess/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support is domain-redacted.support
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.support'
smtp_1       | DEBUG:root:Table get help@domain-redacted.support is REJECT
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.support')
smtp_1       | DEBUG:root:Replying b'OK REJECT'
smtp_1       | DEBUG:root:Request transport/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | 2022-10-13T18:22:07.286126+02:00 af0ed861f43f postfix/smtpd[420]: NOQUEUE: reject: RCPT from outbyoip10.pod29.euw1.zdsys.com[188.172.137.55]: 554 5.7.1 <help@domain-redacted.support>: Sender address rejected: Access denied; from=<help@domain-redacted.support> to=<user1-redacted+zendesk@domain-redacted.llc> proto=ESMTP helo=<outbyoip10.pod29.euw1.zdsys.com>
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport help@domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.llc')
smtp_1       | DEBUG:root:Request domain/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc is domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.llc'
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.llc')
smtp_1       | DEBUG:root:Request transport/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport user2-redacted+zendesk@domain-redacted.llc')
smtp_1       | DEBUG:root:Request transport/user2-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Table get user2-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.support')
smtp_1       | DEBUG:root:Request domain/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support is domain-redacted.support
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.support'
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport help@domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'senderaccess help@domain-redacted.support')
smtp_1       | DEBUG:root:Request senderaccess/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.llc')
smtp_1       | DEBUG:root:Request domain/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc is domain-redacted.llc
smtp_1       | DEBUG:root:Table get help@domain-redacted.support is REJECT
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.llc'
smtp_1       | DEBUG:root:Replying b'OK REJECT'
smtp_1       | 2022-10-13T18:22:07.342034+02:00 af0ed861f43f postfix/smtpd[420]: NOQUEUE: reject: RCPT from outbyoip10.pod29.euw1.zdsys.com[188.172.137.55]: 554 5.7.1 <help@domain-redacted.support>: Sender address rejected: Access denied; from=<help@domain-redacted.support> to=<user2-redacted+zendesk@domain-redacted.llc> proto=ESMTP helo=<outbyoip10.pod29.euw1.zdsys.com>
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.llc')
smtp_1       | DEBUG:root:Request transport/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport user1-redacted+zendesk@domain-redacted.llc')
smtp_1       | DEBUG:root:Request transport/user1-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Table get user1-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.llc')
smtp_1       | DEBUG:root:Request domain/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc is domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.llc'
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.llc')
smtp_1       | DEBUG:root:Request transport/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport user3-redacted+zendesk@domain-redacted.llc')
smtp_1       | DEBUG:root:Request transport/user3-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Table get user3-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.support')
smtp_1       | DEBUG:root:Request domain/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support is domain-redacted.support
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.support'
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport help@domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.support')
smtp_1       | INFO:root:Connect
smtp_1       | DEBUG:root:Request domain/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | DEBUG:root:Received bytearray(b'senderaccess help@domain-redacted.support')
smtp_1       | DEBUG:root:Request senderaccess/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support is domain-redacted.support
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.support'
smtp_1       | DEBUG:root:Table get help@domain-redacted.support is REJECT
smtp_1       | DEBUG:root:Replying b'OK REJECT'
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | 2022-10-13T18:22:07.401475+02:00 af0ed861f43f postfix/smtpd[422]: NOQUEUE: reject: RCPT from outbyoip7.pod29.euw1.zdsys.com[188.172.137.52]: 554 5.7.1 <help@domain-redacted.support>: Sender address rejected: Access denied; from=<help@domain-redacted.support> to=<user1-redacted+zendesk@domain-redacted.llc> proto=ESMTP helo=<outbyoip7.pod29.euw1.zdsys.com>
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport help@domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'senderaccess help@domain-redacted.support')
smtp_1       | DEBUG:root:Request senderaccess/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.llc')
smtp_1       | DEBUG:root:Request domain/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc is domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.llc'
smtp_1       | DEBUG:root:Table get help@domain-redacted.support is REJECT
smtp_1       | DEBUG:root:Replying b'OK REJECT'
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.llc')
smtp_1       | 2022-10-13T18:22:07.423873+02:00 af0ed861f43f postfix/smtpd[420]: NOQUEUE: reject: RCPT from outbyoip10.pod29.euw1.zdsys.com[188.172.137.55]: 554 5.7.1 <help@domain-redacted.support>: Sender address rejected: Access denied; from=<help@domain-redacted.support> to=<user3-redacted+zendesk@domain-redacted.llc> proto=ESMTP helo=<outbyoip10.pod29.euw1.zdsys.com>
smtp_1       | DEBUG:root:Request transport/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport user2-redacted+zendesk@domain-redacted.llc')
smtp_1       | DEBUG:root:Request transport/user2-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Table get user2-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.support')
smtp_1       | DEBUG:root:Request domain/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support is domain-redacted.support
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.support'
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport help@domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | 2022-10-13T18:22:07.452639+02:00 af0ed861f43f postfix/smtpd[420]: disconnect from outbyoip10.pod29.euw1.zdsys.com[188.172.137.55] ehlo=2 xclient=0/1 mail=1 rcpt=0/3 data=0/1 rset=1 quit=1 commands=5/10
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'senderaccess help@domain-redacted.support')
smtp_1       | DEBUG:root:Request senderaccess/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support is REJECT
smtp_1       | DEBUG:root:Replying b'OK REJECT'
smtp_1       | 2022-10-13T18:22:07.464499+02:00 af0ed861f43f postfix/smtpd[422]: NOQUEUE: reject: RCPT from outbyoip7.pod29.euw1.zdsys.com[188.172.137.52]: 554 5.7.1 <help@domain-redacted.support>: Sender address rejected: Access denied; from=<help@domain-redacted.support> to=<user2-redacted+zendesk@domain-redacted.llc> proto=ESMTP helo=<outbyoip7.pod29.euw1.zdsys.com>
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.llc')
smtp_1       | DEBUG:root:Request domain/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc is domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.llc'
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.llc')
smtp_1       | DEBUG:root:Request transport/domain-redacted.llc
smtp_1       | DEBUG:root:Table get domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport user3-redacted+zendesk@domain-redacted.llc')
smtp_1       | DEBUG:root:Request transport/user3-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Table get user3-redacted+zendesk@domain-redacted.llc
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'domain domain-redacted.support')
smtp_1       | DEBUG:root:Request domain/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support is domain-redacted.support
smtp_1       | DEBUG:root:Replying b'OK domain-redacted.support'
smtp_1       | DEBUG:root:Received bytearray(b'transport domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/domain-redacted.support
smtp_1       | DEBUG:root:Table get domain-redacted.support
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'transport help@domain-redacted.support')
smtp_1       | DEBUG:root:Request transport/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Replying b'NOTFOUND '
smtp_1       | DEBUG:root:Received bytearray(b'senderaccess help@domain-redacted.support')
smtp_1       | DEBUG:root:Request senderaccess/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support is REJECT
smtp_1       | DEBUG:root:Replying b'OK REJECT'
smtp_1       | 2022-10-13T18:22:07.510830+02:00 af0ed861f43f postfix/smtpd[422]: NOQUEUE: reject: RCPT from outbyoip7.pod29.euw1.zdsys.com[188.172.137.52]: 554 5.7.1 <help@domain-redacted.support>: Sender address rejected: Access denied; from=<help@domain-redacted.support> to=<user3-redacted+zendesk@domain-redacted.llc> proto=ESMTP helo=<outbyoip7.pod29.euw1.zdsys.com>
smtp_1       | 2022-10-13T18:22:07.542378+02:00 af0ed861f43f postfix/smtpd[422]: disconnect from outbyoip7.pod29.euw1.zdsys.com[188.172.137.52] ehlo=2 xclient=0/1 mail=1 rcpt=0/3 data=0/1 rset=1 quit=1 commands=5/10
```

domain zone file for reference

```
$ORIGIN .
$TTL 3600       ; 1 hour
domain-redacted.support    IN SOA  ns01.domain-redacted.net. domainmaster.domain-redacted.network. (
                                2022101204 ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.first-ns.de.
                        NS      ns01.domain-redacted.net.
                        NS      ns02.domain-redacted.org.
                        NS      ns03.domain-redacted.ch.
                        NS      robotns2.second-ns.de.
                        NS      robotns3.second-ns.com.
                        A       159.69.232.198
                        MX      10 mx01.domain-redacted.network.
                        MX      20 mx02.domain-redacted.network.
                        TXT     "v=spf1 mx a include:mail.zendesk.com ~all"
                        TXT     "mailconf=https://autoconfig.domain-redacted.support/mail/config-v1.1.xml"
                        SPF     "v=spf1 mx a include:mail.zendesk.com ~all"
                        CAA     128 iodef "mailto:caareport@domain-redacted.llc"
                        CAA     128 issue "letsencrypt.org"
$ORIGIN domain-redacted.support.
_dmarc                  TXT     "v=DMARC1; p=reject; rua=mailto:admin@mx01.domain-redacted.network; ruf=mailto:admin@mx01.domain-redacted.network; adkim=s; aspf=s"
$ORIGIN _domainkey.domain-redacted.support.
dkim                    TXT     "v=DKIM1; k=rsa; p=redacted-mailu-dkim"
zendesk1                CNAME   zendesk1._domainkey.zendesk.com.
zendesk2                CNAME   zendesk2._domainkey.zendesk.com.
$ORIGIN _tcp.domain-redacted.support.
_autodiscover           SRV     10 10 443 autodiscover.domain-redacted.support.
_imap                   SRV     1 1 143 domain-redacted.monster.
_imaps                  SRV     1 1 993 domain-redacted.monster.
_pop3                   SRV     1 1 110 domain-redacted.monster.
_pop3s                  SRV     1 1 995 domain-redacted.monster.
_submission             SRV     1 1 587 domain-redacted.monster.
$ORIGIN domain-redacted.support.
autoconfig              A       159.69.232.199
autodiscover            A       159.69.232.199
help                    CNAME   domain-redacted.zendesk.com.
www                     CNAME   traefik01.domain-redacted.network.
zendeskverification     TXT     "redacted-key"
```
@Aaron-Ritter Aaron-Ritter changed the title Activating DKIM starts rejecting sender emails on the same domain from additional/foreign DKIM server - Sender address rejected: Access denied; Activating DKIM starts rejecting sender emails on the same domain from additional/foreign DKIM trusted mail server - Sender address rejected: Access denied Oct 15, 2022
@Aaron-Ritter
Author

Aaron-Ritter commented Oct 17, 2022

For clarification, the traffic enters via port 25 from Zendesk.

```
smtp_1 | 2022-10-13T18:22:03.797498+02:00 af0ed861f43f postfix/smtp[418]: Trusted TLS connection established to mail-pod-29.int.zendesk.com[18.200.91.223]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
```

So this should not apply: A user gets Sender address rejected: Access denied. Please check the message recipient […] and try again even though the sender is legitimate?
https://mailu.io/1.9/faq.html#a-user-gets-sender-address-rejected-access-denied-please-check-the-message-recipient-and-try-again-even-though-the-sender-is-legitimate

In addition, the admin_1 logs:

```
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:03 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:03 +0200] "GET /internal/postfix/recipient/map/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:03 +0200] "GET /internal/postfix/alias/help@domain-redacted.monster.support HTTP/1.1" 200 35 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:03 +0200] "GET /internal/postfix/alias/support@domain-redacted.monster.zendesk.com HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:03 +0200] "GET /internal/postfix/domain/domain-redacted.monster.zendesk.com HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:03 +0200] "GET /internal/postfix/transport/domain-redacted.monster.zendesk.com HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:03 +0200] "GET /internal/postfix/transport/support@domain-redacted.monster.zendesk.com HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:03 +0200] "GET /internal/postfix/dane/domain-redacted.monster.zendesk.com HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:03 +0200] "GET /internal/postfix/dane/.zendesk.com HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/sender/access/help@domain-redacted.monster.support HTTP/1.1" 200 9 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/user1-redacted%2Bzendesk@domain-redacted.monster.llc HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/sender/access/help@domain-redacted.monster.support HTTP/1.1" 200 9 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/user2-redacted%2Bzendesk@domain-redacted.monster.llc HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/sender/access/help@domain-redacted.monster.support HTTP/1.1" 200 9 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/user1-redacted%2Bzendesk@domain-redacted.monster.llc HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/user3-redacted%2Bzendesk@domain-redacted.monster.llc HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/sender/access/help@domain-redacted.monster.support HTTP/1.1" 200 9 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/sender/access/help@domain-redacted.monster.support HTTP/1.1" 200 9 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/user2-redacted%2Bzendesk@domain-redacted.monster.llc HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/sender/access/help@domain-redacted.monster.support HTTP/1.1" 200 9 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/user3-redacted%2Bzendesk@domain-redacted.monster.llc HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/transport/help@domain-redacted.monster.support HTTP/1.1" 404 232 "-" "Python/3.9 aiohttp/3.8.3"
admin_1      | 10.168.203.9 - - [13/Oct/2022:18:22:07 +0200] "GET /internal/postfix/sender/access/help@domain-redacted.monster.support HTTP/1.1" 200 9 "-" "Python/3.9 aiohttp/3.8.3"
```

@nextgens
Contributor

nextgens commented Oct 18, 2022

The steps should be:

  1. create a mailbox for help@redacted-domain.support
  2. add help@redacted-domain.support on zendesk's side
  3. login as help@redacted-somain.support on Mailu's admin interface (https://redacted-domain.support/admin/user/settings), configure a forwarding to support@redacted-alias.zendesk.com ; there shouldn't be any Alias involved on Mailu's side.

Assuming you have configured DKIM & SPF, Zendesk will send emails directly and there shouldn't be anything else to configure

@Aaron-Ritter
Author

Aaron-Ritter commented Oct 18, 2022

Hi @nextgens, I'm not exactly sure what the difference would be; it will look up accounts as well as aliases to find a match.

In any case, yes, it's something I've already tested: a mailbox with a forward rather than an alias. But sadly the behaviour is the same, with the difference that it will find an account rather than an alias and reject it. My understanding is that it should not even go through these checks if it's server-to-server communication (entering on port 25), but when I enable DKIM for a domain it starts doing these checks.

I have configured SPF and DKIM as you can see in the DNS zone file example in the first issue-entry.

Just to mention again: The exact same setup without DKIM works (also with an alias setup instead of a mailbox), but when enabling DKIM it stops working.

@nextgens
Contributor

It's really hard to help when no logs showing an error are provided and it is unclear what deployment scenario we are in.

As for how it can work, the options for sending are:

  1. Zendesk sends the emails directly (that requires DKIM & SPF to be configured but doesn't involve Mailu)
  2. Zendesk uses Mailu as an SMTP server (by authenticating using the credentials for help@redacted-domain.support and port 465 or 587)
  3. Zendesk uses Mailu as an SMTP relay (no authentication -other than by IP address- and port 25)

If we are in option 2, be aware that Mailu enforces a sender check to prevent spoofing; you can disable it for a specific mailbox, see https://mailu.io/master/configuration.html#common-configuration and WILDCARD_SENDERS.

@nextgens
Contributor

I am unsure whether WILDCARD_SENDERS is required or not... but if Zendesk attempts to send something from noreply@redacted-domain.support instead of exclusively help@redacted-domain.support you will need it

@Aaron-Ritter
Author

From what I understand, Zendesk is configured to do 1.

We have Zendesk added in SPF as well as all A and MX records, in the new and deprecated way:

```
TXT     "v=spf1 mx a include:mail.zendesk.com ~all"
SPF     "v=spf1 mx a include:mail.zendesk.com ~all"
```

We have Zendesk DKIM defined as well as our Mailu DKIM:

```
$ORIGIN domain-redacted.support.
dkim                    TXT     "v=DKIM1; k=rsa; p=redacted-mailu-dkim"
zendesk1                CNAME   zendesk1._domainkey.zendesk.com.
zendesk2                CNAME   zendesk2._domainkey.zendesk.com.
```

And the DMARC entries accordingly:

```
$ORIGIN domain-redacted.support.
_dmarc                  TXT     "v=DMARC1; p=reject; rua=mailto:admin@mx01.domain-redacted.network; ruf=mailto:admin@mx01.domain-redacted.network; adkim=s; aspf=s"
$ORIGIN _domainkey.domain-redacted.support.
```

But for whatever reason Mailu is doing all the checks as if it were option 2 in postfix / smtp_1, which does a sender check and, because the account is available in the system, rejects it.

DKIM is not even getting checked; postfix is REJECTING it before it can enter rspamd.

```
smtp_1       | DEBUG:root:Received bytearray(b'senderaccess help@domain-redacted.support')
smtp_1       | DEBUG:root:Request senderaccess/help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support
smtp_1       | DEBUG:root:Table get help@domain-redacted.support is REJECT
smtp_1       | DEBUG:root:Replying b'OK REJECT'
smtp_1       | 2022-10-13T18:22:07.510830+02:00 af0ed861f43f postfix/smtpd[422]: NOQUEUE: reject: RCPT from outbyoip7.pod29.euw1.zdsys.com[188.172.137.52]: 554 5.7.1 <help@domain-redacted.support>: Sender address rejected: Access denied; from=<help@domain-redacted.support> to=<user3-redacted+zendesk@domain-redacted.llc> proto=ESMTP helo=<outbyoip7.pod29.euw1.zdsys.com>
```

It enters on port 25, so it shouldn't be 2 (at most maybe option 3, but then again it should not do a sender address check).

```
smtp_1 | 2022-10-13T18:22:03.797498+02:00 af0ed861f43f postfix/smtp[418]: Trusted TLS connection established to mail-pod-29.int.zendesk.com[18.200.91.223]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
```

@nextgens
Contributor

Okay, now it's more clear.

Taking the logs from your last message:

So, fixing this involves:

  1. deleting the alias you have created that links help@domain-redacted.support to user3-redacted+zendesk@domain-redacted.llc
  2. creating a mailbox for help@domain-redacted.support
  3. adding an unconditional forwarding for that user to user3-redacted+zendesk@domain-redacted.llc (you can create it by logging out and back in as help@domain-redacted.support)

@Aaron-Ritter
Author

Aaron-Ritter commented Oct 18, 2022

It is a bit more complicated than that. sorry.

On the same email server we have 2 domains "my.support" and "company.llc":
We have a my.support domain where all support requests enter via help@my.support, which forwards to support@companyalias.zendesk.com.

  • So customers open a new ticket in zendesk by sending an email to the help@my.support forward address
  • zendesk sends emails with the sender address help@my.support to all involved emails in a related support ticket, informing that the ticket was received, a ticket is updated etc.
  • And we have 3 support user accounts on company.llc which receive emails from zendesk with the sender address help@my.support and get informed that a ticket was created or updated.

When zendesk sends emails to Google and Office accounts they are accepted with a proper DKIM signature from zendesk.
When zendesk sends emails to our mailu system they get rejected for the above mentioned reason.

@nextgens
Contributor

Add the egress IPs/subnets listed below to RELAYNETS in your mailu.env and restart the stack

$host -t TXT mail.zendesk.com
mail.zendesk.com descriptive text "v=spf1 ip4:103.151.192.0/23 ip4:185.12.80.0/22 ip4:188.172.128.0/20 ip4:192.161.144.0/20 ip4:216.198.0.0/18 ~all"

@nextgens nextgens changed the title Activating DKIM starts rejecting sender emails on the same domain from additional/foreign DKIM trusted mail server - Sender address rejected: Access denied The anti-spoofing control in Mailu is over-zealous Oct 18, 2022
@nextgens
Contributor

@Aaron-Ritter alternatively you can try out the code in the PR above; with it no configuration change would be required

@Aaron-Ritter
Author

@nextgens the RELAYNET works, but it's definitely not our preferred solution as 1) although these are zendesk IP ranges it opens up a huge number of IPs and 2) with almost 100 mail domains on the mailu system I don't feel comfortable opening this up for the whole server where only one domain makes use of it.

And yes, therefore very gladly testing #2479 asap :) thanks!

@Aaron-Ritter
Author

This works perfectly. By the way, I have implemented it with a postfix.cf override:
smtpd_client_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit

@nextgens
Contributor

We have talked it through on #mailu-dev and we will re-introduce some form of anti-spoofing protection. More likely than not this will be done with rspamd, by adding a new rule enforcing DMARC compliance for the domains locally hosted (regardless of whether a policy has been configured).

The idea being that SPF or DKIM should pass... and if they don't we should still reject the messages.

@Aaron-Ritter
Author

I think rspamd is a great approach. Question about the rspamd implementation: would it actually show in the rspamd web interface that it is rejected, and that it is rejected because of that rule? And if this is the case, maybe elaborate more on the reject reason and actively suggest setting up SPF, DKIM and/or have the specific error documented in the mailu docs with the SPF and/or DKIM instructions?

@nextgens
Contributor

Please give what's on the PR a try and let us know how it works for you.

The rejection messages should be explicit enough, but feel free to suggest improvements.

@nextgens nextgens added priority/p2 Minor bug / Could have type/enhancement Enhances existing functionality labels Oct 22, 2022
@Aaron-Ritter
Author

Currently thinking about how to be able to give it a try in the live environment with overrides. I'll let you know once I tested it.

@nextgens
Contributor

nextgens commented Oct 23, 2022

You can pull the two images you need directly from the CI:
https://hub.docker.com/r/mailuci/

mailuci/rspamd:pr-2479
mailuci/postfix:pr-2479

@Aaron-Ritter
Author

Thanks for the input @nextgens. I've deployed the rspamd build and the different positive tests are successful for me:

DMARC_POLICY_ALLOW (-0.5) [redacted-domain.support,reject]
R_SPF_ALLOW (-0.2) [+ip4:188.172.128.0/20]
R_DKIM_ALLOW (-0.2) [redacted-domain.support:s=zendesk2]
R_SPF_ALLOW (-0.2) [+ip4:167.89.3.126:c]
R_DKIM_ALLOW (-0.2) [bexio.com:s=s1]

Will try to create a negative test the next week. And I'll check the logs regularly.

@Aaron-Ritter
Author

The changes are promising, I did run it now for a week and:

  • RELAYNET works
  • I'd argue that it's better to suggest -all rather than ~all for SPF, because if the untrusted sender does a retry it will pass through.
  • if SPF and DKIM are defined for the domain and you have a sender without DKIM, should it pass through based on SPF ~all or does DKIM have priority over SPF?

@nextgens
Contributor

Hmm the idea is that if any type of authentication passes we should let it happen.

~all and -all will be treated the same: the message will be rejected unless some other authentication mechanism (like ARC, DKIM, RELAYNETs ...) passes.

@Aaron-Ritter
Author

In my tests I did not experience that. In my test I set up a local mailu on my dev system and added a domain we use in our prod system. The email was soft rejected at first, but when my dev system did a retry it passed.

I will create a full test setup with one of our test domains and document it in detail.

@Aaron-Ritter
Author

@nextgens my test was not 100% correct the first time as the rules were only implemented on the primary MX record mail server.

I've further tested the setup with all mail servers including the new images and it's now rejecting the incoming emails accordingly:
Rejected (anti-spoofing: DMARC compliance is enforced for local domains, regardless of the policy setting)

@bors bors bot closed this as completed in 0839490 Nov 9, 2022
@Aaron-Ritter
Author

@nextgens I was wondering if we could add further enhancement / anti-spam measures before reaching the anti-spoofing rules by integrating https://github.com/spacefreak86/pyquarantine-milter; if so I can open a new issue for it.

@nextgens
Contributor

Sure, create a new feature request describing the use case and we can look into it. Probably not in the outstanding release though.

I personally don't like milters that modify messages (as they tend to break things).

@LeeYanF

LeeYanF commented Oct 18, 2023

We have talked it through on #mailu-dev and we will re-introduce some form of anti-spoofing protection. More likely than not this will be done with rspamd, by adding a new rule enforcing DMARC compliance for the domains locally hosted (regardless of whether a policy has been configured).

The idea being that SPF or DKIM should pass... and if they don't we should still reject the messages.

May I ask how to remove this restriction, as I need to test emails on the intranet?

@wienfuchs

I have another scenario leading to this being a problem: double bounce.
To reproduce:
.) One has an outgoing mailserver, mailing properly covered by SPF, DKIM and DMARC
.) Incoming mailserver is mailu based, "standard" configuration to accept e.g. root@out.example.com via MX to mailu.example.com
.) root@out.example.com cannot deliver a mail, so it tries to bounce this to root@out.example.com mailu.example.com
.) Mailer daemon has an empty mail address, so the bounce does not get signed for the NDN
.) mailu.example.com does not accept the bounce, as DMARC is not totally satisfied

Only workaround so far: declare out.example.com in RELAY_HOSTS, which is not really what it should be. You agree?

@nextgens
Contributor

nextgens commented Nov 5, 2023

@wienfuchs "The outgoing mailserver", whatever that is, should pass SPF in that scenario... so DMARC should pass too.

@wienfuchs

wienfuchs commented Nov 5, 2023

@nextgens thx for the reply

"The outgoing mailserver", whatever that is, should pass SPF in that scenario... so DMARC should pass too.

SPF passes, the record looks like:
"v=spf1 a mx a:mailservice.example.com a:mail.example.com a:out.example.com ~all"

Additional steps for reproduction, slight changes to the above:
the "out.example.com" mail domain is "example.com", so mail is sent e.g. from "root@example.com"
on the "mailu" system "example.com" is configured as mail domain, "noreply@example.com" is configured as an empty (not existing) alias.

  1. out root sends a test mail to "noreply@example.com" - that mail is properly signed by out and out is covered by SPF, so DMARC for "example.com" is met.
  2. "mailservice.example.com" still - as intended - rejects the mail, as "noreply" does not want mail as per configuration.
  3. "out" postfix now produces an NDN bounce notification, from "<>" to "root@example.com" - as intended
  4. mailservice.example.com does not accept this NDN with "Rejected (anti-spoofing: DMARC compliance is enforced for local domains, regardless of the policy setting) (in reply to end of DATA command))"

IMHO "mailu" on mailservice should accept the NDN, as this is a legitimate bounce from an SPF allowed system. It cannot meet any DKIM/DMARC as the mail address "<>" must not be signed. Am I wrong?
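The acceptance logic discussed in this thread (any aligned authentication passes, otherwise reject; ~all treated like -all; RELAYNETS bypass; the null-sender bounce case above, where SPF alignment falls back to the HELO domain per RFC 7489 section 6.6.1), as an added Python model. This is not Mailu's rspamd rule; the IPs, domains and the subdomain-based relaxed-alignment shortcut are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Reject text quoted from the thread; everything else is a constructed model.
REJECT_MSG = ("Rejected (anti-spoofing: DMARC compliance is enforced for "
              "local domains, regardless of the policy setting)")

@dataclass
class Msg:
    client_ip: str
    helo: str
    mail_from: str          # envelope sender, "" for a bounce sent from <>
    header_from: str        # RFC5322.From address
    spf: str = "none"       # pass / fail / softfail / none, as evaluated upstream
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]
    arc: str = "none"

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def _aligned(auth_domain, from_domain):
    # Relaxed alignment approximated as "same domain or a subdomain of it";
    # real DMARC compares organisational domains via the Public Suffix List.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def anti_spoofing(msg, local_domains, relaynets=()):
    """Return 'not-local', 'accept' or the reject message for one message."""
    from_domain = _domain(msg.header_from)
    if from_domain not in local_domains:
        return "not-local"          # rule does not apply; ordinary DMARC handling
    ip = ipaddress.ip_address(msg.client_ip)
    if any(ip in ipaddress.ip_network(n) for n in relaynets):
        return "accept"             # trusted relay listed in RELAYNETS
    # SPF identity is the MAIL FROM domain, or the HELO domain for a null sender.
    spf_domain = _domain(msg.mail_from) if msg.mail_from else msg.helo.lower()
    if msg.spf == "pass" and _aligned(spf_domain, from_domain):
        return "accept"
    if any(r == "pass" and _aligned(d.lower(), from_domain) for d, r in msg.dkim):
        return "accept"
    if msg.arc == "pass":
        return "accept"
    return REJECT_MSG               # softfail (~all) is treated the same as fail
```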

@wienfuchs

wienfuchs commented Nov 5, 2023

As I can see the intention of the restriction, and although I would think there should be an option to deactivate it, I also do not count this as a major problem yet.
A workaround for the "double bounce" dropping issue can easily be found and implemented so as to re-send bounce notifications, e.g. with postfix as some three lines in main.cf of "out.example.com":

bounce_queue_lifetime = 0
notify_classes = bounce
bounce_notice_recipient = bounces@example.com

That's how I got it working now for me - so from my side, it's not a major thing and the anti-spoofing code is a good thought anyhow.
Where was the donation section now? ;)

@nextgens
Contributor

nextgens commented Nov 5, 2023

IMHO "mailu" on mailservice should accept the NDN, as this is a legitimate bounce from an SPF allowed system. It cannot meet any DKIM/DMARC as the mail address "<>" must not be signed. Am I wrong?

That's also my understanding; I suggest you start a support request with logs in the discussion section and we can look into it.
