1

Topic: Vacation auto-responder failing DMARC to external domains

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: CentOS 7.x current
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue: See below
====

Vacation auto-responder works fine internally, but isn't working to external domains e.g. gmail.com due to DMARC failure.

Feb 19 17:18:05 xxxxx postfix/smtp[28347]: 5ABDD1CC9: to=<xxxxxxx@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.22.26]:25, delay=0.33, delays=0.01/0.02/0.13/0.17, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.22.26] said: 550-5.7.1 Unauthenticated email from xxxxxx.org is not accepted due 550-5.7.1 to domain's DMARC policy. Please contact the administrator of 550-5.7.1 xxxxxxx.org domain if this was a legitimate mail. Please 550-5.7.1 visit 550-5.7.1  https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1 DMARC initiative. 64si7982665qks.68 - gsmtp (in reply to end of DATA command))

Any idea what I can do to correct this?


2

Re: Vacation auto-responder failing DMARC to external domains

More info - I've confirmed that filters that reply to messages from gmail etc. also fail to deliver due to the same failure.  Mail sent via Roundcube works fine, signed with DKIM and passing DMARC.

3

Re: Vacation auto-responder failing DMARC to external domains

What's your DMARC policy published in DNS? Especially the SPF-related policy.

4

Re: Vacation auto-responder failing DMARC to external domains

ZhangHuangbin wrote:

What's your DMARC policy published in DNS? Especially the SPF-related policy.

Hope this helps - I don't recall the detail of what it all means, but I do remember intending to configure it fairly strictly. 

Like I said, it does work with all other email, sent from Roundcube and smtp/ldap from mobile devices.  Things are getting signed, and delivered to gmail inboxes.

For whatever reason, Vacation auto-responses (and any other managesieve filters that send a reply) result in that DMARC failure error above.   

Here are the DNS entries, and the amavisd.conf follows.

_dmarc    v=DMARC1; p=reject; rua=mailto:ruf@youcantspoilababy.org; ruf=mailto:ruf@youcantspoilababy.org; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject

dkim._domainkey v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfONH89keAML9oz8IuiCIhwUjDi/GQQFHJqKjCustWHKeD3GhSfHDiZplitBZF7eovr56S7QDWt0z0OSFhP4s0auwmLvi8oZl6fprHQZpvOK7328tRj12K+dC8b0P3ev3/c1iGixjKNQmb4xZCrkNEj+WepVlSi9Y+1AbqFZ3RVQIDAQAB


Feb 19 18:08:05 ycsab postfix/smtp[29468]: 85890260D: to=<jdelisle@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.22.26]:25, delay=0.38, delays=0/0.02/0.12/0.23, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.22.26] said: 550-5.7.1 Unauthenticated email from youcantspoilababy.org is not accepted due 550-5.7.1 to domain's DMARC policy. Please contact the administrator of 550-5.7.1 youcantspoilababy.org domain if this was a legitimate mail. Please 550-5.7.1 visit 550-5.7.1  https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.1 DMARC initiative. l62si11485449qkf.159 - gsmtp (in reply to end of DATA command))


amavisd.conf:
http://pastebin.com/VpRzXKF3

5

Re: Vacation auto-responder failing DMARC to external domains

Maybe you should try "p=quarantine" and "sp=quarantine".

6

Re: Vacation auto-responder failing DMARC to external domains

ZhangHuangbin wrote:

Maybe you should try "p=quarantine" and "sp=quarantine".

Is this a workaround?

I have the same problem.

7

Re: Vacation auto-responder failing DMARC to external domains

Hi @karkaaa,

Check the latest reply in this issue:
https://bitbucket.org/zhb/iredmail/issu … e-not-dkim

The solution is to add a DKIM signature to locally generated emails, so that they match DMARC.
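
Added example (not part of the original thread and not iRedMail code): a simplified DMARC evaluator showing why an unsigned auto-reply is rejected under the policy tags posted above, and why the same reply passes once it carries an aligned DKIM signature. The domain example.org, the SPF/DKIM inputs and the two-label organizational-domain shortcut are assumptions.

```python
# Added example: simplified DMARC evaluation (identifier alignment per RFC 7489).

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: last two labels; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' needs an exact match; 'r' (relaxed) needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf, dkim_sigs):
    """spf: (result, domain); dkim_sigs: list of (result, d= domain).
    Returns 'pass' or the disposition the policy requests."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass"
    is_sub = from_domain.lower() != org_domain(from_domain)
    return tags.get("sp", tags.get("p", "none")) if is_sub else tags.get("p", "none")

# Same policy tags as the record posted in the thread, on a constructed domain.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; pct=100; sp=reject"
NO_SPF = ("none", "")  # assumed: no aligned SPF pass for the auto-reply

def scenarios():
    return {
        "webmail, DKIM-signed": evaluate(RECORD, "example.org", NO_SPF, [("pass", "example.org")]),
        "vacation reply, unsigned": evaluate(RECORD, "example.org", NO_SPF, []),
        "vacation reply, signed": evaluate(RECORD, "example.org", NO_SPF, [("pass", "example.org")]),
    }

if __name__ == "__main__":
    print(scenarios())
```

DMARC passes when either SPF or DKIM passes with an aligned domain, so one aligned DKIM signature is enough even when SPF contributes nothing.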