Skipping opendmarc for submission-port email? ("opendmarc: 49b7B40D4B mydomain.ca fail") #703

Closed
init-js opened this issue Aug 29, 2017 · 2 comments

init-js commented Aug 29, 2017

Every email submitted via the submission port by authenticated clients fails in the dmarc milter. Could we simply skip that milter for authenticated clients?

Aug 29 02:11:51 mx1 postfix/submission/smtpd[6391]: connect from d50-91-38-6.bchsia.telus.net[50.91.38.6]
Aug 29 02:11:52 mx1 postfix/submission/smtpd[6391]: 49B7B40D4B: client=d50-91-38-6.bchsia.telus.net[50.91.38.6], sasl_method=PLAIN, sasl_username=foo@mydomain.ca
Aug 29 02:11:52 mx1 postfix/cleanup[6395]: 49B7B40D4B: message-id=<a7adca22-8f3c-330d-c13c-8a793a03fb70@mydomain.ca>
Aug 29 02:11:52 mx1 opendkim[171]: 49B7B40D4B: DKIM-Signature field added (s=mail, d=mydomain.ca)
Aug 29 02:11:52 mx1 opendmarc[177]: implicit authentication service: mx1.mydomain.ca
Aug 29 02:11:52 mx1 opendmarc[177]: 49B7B40D4B: mydomain.ca fail

Note: On this domain, SPF, DKIM, and DMARC all pass Gmail's tests (when I send an email to a *@gmail.com email address and do "inspect source" from their UI). I'm assuming the configuration of keys and DNS is correct. Perhaps the failure occurs because the originating IP is the client's IP, and not localhost (the latter is in /etc/opendmarc/ignore.hosts)?

I've added IgnoreAuthenticatedClients true to /etc/opendmarc.conf, and that has fixed the issue, but I'm wondering if there's a better/safer way to proceed here. Is there any value in having opendmarc filter mail submitted on the submission ports?
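An added example (not part of the original thread or the project's code): a Python sketch that correlates Postfix queue IDs with opendmarc verdicts, separating failures on SASL-authenticated submissions (the ones `IgnoreAuthenticatedClients true` skips) from failures on unauthenticated inbound mail. The log sample is constructed, modelled on the lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample log, modelled on the lines quoted in the issue.
SAMPLE_LOG = """\
Aug 29 02:11:52 mx1 postfix/submission/smtpd[6391]: 49B7B40D4B: client=host.example[192.0.2.10], sasl_method=PLAIN, sasl_username=foo@mydomain.ca
Aug 29 02:11:52 mx1 opendmarc[177]: implicit authentication service: mx1.mydomain.ca
Aug 29 02:11:52 mx1 opendmarc[177]: 49B7B40D4B: mydomain.ca fail
Aug 29 02:12:03 mx1 postfix/smtpd[6402]: 5C1D240D4C: client=mail.example.net[198.51.100.7]
Aug 29 02:12:03 mx1 opendmarc[177]: 5C1D240D4C: example.net fail
Aug 29 02:12:09 mx1 postfix/smtpd[6402]: 6A2E340D4D: client=mx.example.org[203.0.113.5]
Aug 29 02:12:09 mx1 opendmarc[177]: 6A2E340D4D: example.org pass
"""

# smtpd line that assigns a queue ID; sasl_username is present only after SMTP AUTH.
SMTPD = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<client>[^,\s]+)(?:.*sasl_username=(?P<user>\S+))?"
)
# opendmarc verdict line: "<queue id>: <domain> <result>".
DMARC = re.compile(r"opendmarc\[\d+\]: (?P<qid>[0-9A-F]+): (?P<domain>\S+) (?P<result>\w+)")


def classify_dmarc_results(log_text):
    """Return (qid, domain, result, sasl_user_or_None) for each opendmarc verdict."""
    sasl_user, verdicts = {}, []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if m:
            sasl_user[m["qid"]] = m["user"]  # None when the client did not authenticate
            continue
        m = DMARC.search(line)
        if m:
            verdicts.append((m["qid"], m["domain"], m["result"], sasl_user.get(m["qid"])))
    return verdicts


def failures_by_origin(log_text):
    """Split DMARC 'fail' queue IDs into (authenticated, unauthenticated)."""
    authed, unauthed = [], []
    for qid, _domain, result, user in classify_dmarc_results(log_text):
        if result == "fail":
            (authed if user else unauthed).append(qid)
    return authed, unauthed


if __name__ == "__main__":
    authed, unauthed = failures_by_origin(SAMPLE_LOG)
    print("fail on authenticated submission:", authed)
    print("fail on unauthenticated inbound: ", unauthed)
```

Run against a real mail log before and after the change, the first list should empty out while the second, which reflects inbound mail that is still checked, should not.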

@johansmitsnl

I see this too in my own log files, but it does not have an effect on the email validation.
No expert on opendmarc, but I see more users on the "internet" with your suggested change. No harm would be done in not checking a valid user.

@tomav what do you think?

init-js added a commit to init-js/docker-mailserver that referenced this issue Sep 8, 2017
   opendmarc checks fail for mail sent over (SMTP AUTH) submission
   ports. Adding this directive skips checks for those emails, and
   clears the logs of related errors.

   See docker-mailserver#703
init-js added a commit to init-js/docker-mailserver that referenced this issue Sep 12, 2017
   opendmarc checks fail for mail sent over (SMTP AUTH) submission
   ports. Adding this directive skips checks for those emails, and
   clears the logs of related errors.

   See docker-mailserver#703
@johansmitsnl

Merged, currently building.
