The anti-spoofing control in Mailu is over-zealous #2475
Comments
For clarification, the traffic enters via port 25 from Zendesk.
So this should not apply: "A user gets Sender address rejected: Access denied. Please check the message recipient […] and try again even though the sender is legitimate?" In addition, the admin_1 logs:
The steps should be:
Assuming you have configured DKIM & SPF, Zendesk will send emails directly and there shouldn't be anything else to configure.
Hi @nextgens, not exactly sure what the difference would be, it will look up accounts as well as aliases to find a match. In any case, yes, it's something I've already tested: a mailbox with forward rather than an alias. But sadly the behaviour is the same, with the difference that it will find an account rather than an alias and reject it. My understanding is that it should not even go through these checks if it's a server-to-server communication (entering port 25), but when I enable DKIM for a domain it is starting to do these checks. I have configured SPF and DKIM as you can see in the DNS zone file example in the first issue entry. Just to mention again: the exact same setup without DKIM works (also with an alias setup instead of a mailbox), but when enabling DKIM it stops working.
It's really hard to help when no logs showing an error are provided and it is unclear what deployment scenario we are in. As for how it can work, the options for sending are:
If we are in option 2, be aware that Mailu enforces a sender check to prevent spoofing; you can disable it for a specific mailbox, see https://mailu.io/master/configuration.html#common-configuration and WILDCARD_SENDERS.
I am unsure whether WILDCARD_SENDERS is required or not... but if Zendesk attempts to send something from noreply@redacted-domain.support instead of exclusively help@redacted-domain.support you will need it.
From what I understand Zendesk is configured to do 1. We have Zendesk added in SPF as well as all A and MX records, in the new and deprecated way:
We have Zendesk DKIM defined as well as our Mailu DKIM
And the DMARC entries accordingly
But for whatever reason Mailu is doing all the checks as if it were option 2, in postfix / smtp_1, which does a sender check, and because the account is available in the system it's rejecting it. DKIM is not even getting checked, postfix is REJECTING it before it can enter rspamd.
It enters on port 25 so it shouldn't be 2 (at most maybe option 3, but then again it should not do a sender address check).
Okay, now it's more clear. Taking the logs from your last message:
So, fixing this involves:
It is a bit more complicated than that, sorry. On the same email server we have 2 domains "my.support" and "company.llc":
When Zendesk sends emails to Google and Office accounts they are accepted with a proper DKIM signature from Zendesk.
Add the egress IPs/subnets listed below to RELAYNETS in your mailu.env and restart the stack
@Aaron-Ritter alternatively you can try out the code in the PR above; with it no configuration change would be required.
@nextgens the RELAYNETS setting works, but it's definitely not our preferred solution as 1) despite these being Zendesk IP ranges it opens up a huge number of IPs and 2) with almost 100 mail domains on the Mailu system I don't feel comfortable opening this up for the whole server where only one domain makes use of it. And yes, therefore very gladly testing #2479 asap :) thanks!
This works perfectly, by the way I have implemented it with a postfix.cf override.
We have talked it through on #mailu-dev and we will re-introduce some form of anti-spoofing protection. More likely than not this will be done with rspamd, by adding a new rule enforcing DMARC compliance for the domains locally hosted (regardless of whether a policy has been configured). The idea being that SPF or DKIM should pass... and if they don't we should still reject the messages.
I think rspamd is a great approach. Question about the rspamd implementation: would it actually show in rspamd that it is rejected through the web interface, and that it is rejected because of that rule? And if this is the case, maybe elaborate more on the reject reason and actively suggest setting up SPF, DKIM and/or have the specific error documented in the Mailu docs with the SPF and/or DKIM instructions?
Please give what's on the PR a try and let us know how it works for you. The rejection messages should be explicit enough, but feel free to suggest improvements.
Currently thinking about how to be able to give it a try in the live environment with overrides. I'll let you know once I have tested it.
You can pull the two images you need directly from the CI: mailuci/rspamd:pr-2479 |
Thanks for the input @nextgens. I've deployed the rspamd build and the different positive tests are successful for me:
Will try to create a negative test next week. And I'll check the logs regularly.
The changes are promising, I have run it now for a week and:
Hmm, the idea is that if any type of authentication passes we should let it happen. ~all and -all will be treated the same: the message will be rejected unless some other authentication mechanism (like ARC, DKIM, RELAYNETs ...) passes.
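To make the policy discussed in this thread concrete, the following is an added example written for this page; it is not Mailu's code and not the rspamd rule from PR #2479. It models the decision nextgens describes: a message whose From: domain is hosted locally is accepted only if some authentication aligned with that domain passes (SPF, DKIM, ARC) or the client is inside RELAYNETS, and SPF ~all and -all are treated the same (neither accepts the message). The domain names, IP ranges (TEST-NET blocks) and the `org_domain` helper (last two labels, no public suffix list) are constructed assumptions, as is the null-sender bounce case, where SPF is evaluated on the HELO identity as DMARC specifies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values: domains hosted on this Mailu instance.
LOCAL_DOMAINS = {"redacted-domain.support", "company.llc"}

# Constructed RELAYNETS (as in mailu.env): clients here bypass the check.
RELAYNETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


@dataclass
class Message:
    client_ip: str
    envelope_from: str            # "" models the null sender "<>" of a bounce
    header_from_domain: str       # domain of the RFC5322 From: header
    spf_result: str               # "pass", "fail", "softfail", "none", ...
    spf_domain: str               # identity SPF was checked for (MAIL FROM, or HELO for "<>")
    dkim_pass_domains: Tuple[str, ...] = ()   # d= of signatures that verified
    arc_pass: bool = False
    authenticated_user: Optional[str] = None  # SASL user on the submission port


@dataclass
class Verdict:
    accept: bool
    reason: str


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC-style alignment: same organisational domain."""
    return org_domain(auth_domain) == org_domain(from_domain)


def check_antispoof(msg: Message) -> Verdict:
    """Return the accept/reject decision for one inbound message on port 25."""
    from_domain = msg.header_from_domain.lower()
    if from_domain not in LOCAL_DOMAINS:
        return Verdict(True, "From: domain not hosted here; normal filtering applies")
    if msg.authenticated_user:
        return Verdict(True, f"authenticated submission by {msg.authenticated_user}")
    client = ipaddress.ip_address(msg.client_ip)
    if any(client in net for net in RELAYNETS):
        return Verdict(True, f"client {msg.client_ip} is listed in RELAYNETS")
    if msg.arc_pass:
        return Verdict(True, "ARC chain validated")
    for d in msg.dkim_pass_domains:
        if aligned(d, from_domain):
            return Verdict(True, f"DKIM pass aligned with {from_domain} (d={d})")
    # "pass" only: softfail (~all) and fail (-all) are treated the same.
    if msg.spf_result == "pass" and aligned(msg.spf_domain, from_domain):
        return Verdict(True, f"SPF pass aligned with {from_domain}")
    return Verdict(
        False,
        f"spoofing suspected: {from_domain} is hosted here but no aligned "
        f"SPF/DKIM/ARC passed (spf={msg.spf_result}, dkim={list(msg.dkim_pass_domains)})",
    )


# Constructed scenarios mirroring the thread (IPs are TEST-NET addresses).
SAMPLES = {
    # Zendesk sends with the customer's DKIM key and is listed in the SPF record.
    "zendesk_signed": Message("203.0.113.10", "help@redacted-domain.support",
                              "redacted-domain.support", "pass", "redacted-domain.support",
                              dkim_pass_domains=("redacted-domain.support",)),
    # Forgery from an unrelated host: SPF softfail (~all) and no DKIM.
    "forged_softfail": Message("203.0.113.99", "help@redacted-domain.support",
                               "redacted-domain.support", "softfail", "redacted-domain.support"),
    # Same forgery but the domain publishes -all: treated identically.
    "forged_hardfail": Message("203.0.113.99", "help@redacted-domain.support",
                               "redacted-domain.support", "fail", "redacted-domain.support"),
    # Relay listed in RELAYNETS: accepted without any authentication.
    "relaynet_client": Message("192.0.2.25", "help@redacted-domain.support",
                               "redacted-domain.support", "none", "redacted-domain.support"),
    # Null-sender bounce: SPF evaluated on the HELO identity, which aligns.
    "bounce_null_sender": Message("203.0.113.50", "", "company.llc", "pass", "out.company.llc"),
    # Mail for a foreign domain is outside the scope of this check.
    "foreign_domain": Message("203.0.113.7", "user@example.net", "example.net", "fail", "example.net"),
}


def run_samples() -> dict:
    """Map each sample name to its accept decision."""
    return {name: check_antispoof(m).accept for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, m in SAMPLES.items():
        v = check_antispoof(m)
        print(f"{name:20s} {'ACCEPT' if v.accept else 'REJECT'}: {v.reason}")
```

The rejection reason carries the authentication results that were seen, which is the kind of explicit message asked for later in this thread; in a real rspamd rule the same information would come from the `SPF`, `DKIM` and `ARC` symbols rather than from fields on a dataclass.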
In my tests I did not experience that. In my test I set up a local Mailu on my dev system and added a domain we use in our prod system. The email was soft rejected at first, but when my dev system did a retry it passed. I will create a full test setup with one of our test domains and document it in detail.
@nextgens my test was not 100% correct the first time, as the rules were only implemented in the primary MX record mail server. I've further tested the setup with all mail servers including the new images and it's now rejecting the incoming emails accordingly:
@nextgens I was wondering if we could add further enhancement / anti-spam measures before reaching the anti-spoof rules by integrating https://github.com/spacefreak86/pyquarantine-milter; if so I can open a new issue for it.
Sure, create a new feature request describing the use case and we can look into it. Probably not in the outstanding release though. I personally don't like milters that modify messages (as they tend to break things).
May I ask how to remove this restriction as I need to test emails on the intranet. |
I have another scenario leading to this being a problem: double bounce. Only workaround so far: declare out.example.com in RELAY_HOSTS, which is not really what it should be. You agree?
@wienfuchs "The outgoing mailserver", whatever that is, should pass SPF in that scenario... so DMARC should pass too.
@nextgens thanks for the reply.
SPF passes, record looks like: Additional steps for reproduction, slight changes to above:
IMHO "mailu" on mailservice should accept the NDN, as this is a legitimate bounce from an SPF-allowed system. It cannot meet any DKIM/DMARC as the mail address "<>" must not be signed. Am I wrong?
As I can see the intention of the restriction, and although I would think there should be an option to deactivate it, I also do not count this as a major problem yet.
That's how I got it working now for me, so from my side it's not a major thing and the anti-spoofing code is a good thought anyhow.
That's also my understanding; I suggest you start a support request with logs in the discussion section and we can look into it.
Environment & Versions
Environment
Versions
4467547357cc mailu/postfix:1.9 "/bin/sh -c /start.py" 6 hours ago Up 6 hours (healthy) 25/tcp, 10025/tcp mailu_smtp_1
Description
We are currently trying to set up an email domain redacted-domain.support with DKIM enabled and integrate Zendesk mailing into it. As soon as we activated DKIM for the domain it started to reject emails from a locally created email alias, despite the Zendesk DKIM setup being set up and evaluated.
Replication Steps
redacted-domain.support
help@redacted-somain.support
Destination: support@redacted-alias.zendesk.com
Expected behaviour
Mailu should not try to check the sender email and should allow external email servers with a valid DKIM entry in the domain.
Logs
domain zone file for reference