1

Topic: DMARC and SPF checks in header

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.0
- Deployed with iRedMail Easy or the downloadable installer? Download
- Linux/BSD distribution name and version: Ubuntu 22.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I am trying to get the Authentication headers to reflect the message's DMARC and SPF status. I noticed I was not getting these headers when comparing with the FairEmail program on Android - it puts a green checkmark if the messages pass all the checks.

To wit, I used this guide,

https://www.linuxbabe.com/mail-server/o … fix-ubuntu

To set up OpenDMARC and OpenDKIM to inspect the records.

Which notes:

By default, OpenDMARC uses the MTA hostname as the AuthservID, but it’s better to use a different name for the authentication service, because Amavisd-new will overwrite the authentication results header added by OpenDMARC. You can change it to the following, which will be very easy for you to see which program adds which authentication-results header.

However, talking to support:

The problem is that the signer domain (my.domain.org and OpenDMARC) is different for the headers.
Technically, the app should inspect the first header only, but it will be lenient on the condition the signer is the same, which isn't the case here.

The underlying problem is that the sender of the message might have inserted a header with dkim/spf/dmarc=pass. So, inspecting just all headers is not secure.

Authentication-Results: my.domain.org;
dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=I30IAkNt;
dkim-atps=neutral
Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=gmail.com

How can I get all three Authentication-Results in the message under the proper domain name without overwriting? I've searched on Amavisd and there doesn't appear to be a way that I've found yet.

2

Re: DMARC and SPF checks in header

Amavisd calls SpamAssassin to do SPF/DKIM/DMARC checking; it writes the result in X-Spam-* headers.

3 (edited by Stubby066 2024-09-06 10:24:16)

Re: DMARC and SPF checks in header

Ok, I'm not getting those. I get an Authentication-Results header:

Authentication-Results: server.domain.tld (amavis); dkim=pass (2048-bit key) header.d=gmail.com

I have no x-spam headers in the message.

I did recently upgrade to 24.04.1 LTS, so that may have changed some things.

4

Re: DMARC and SPF checks in header

Turn on debug mode in Amavisd and check whether it performs SPF/DKIM/DMARC checks.
FYI https://docs.iredmail.org/debug.amavisd.html

5

Re: DMARC and SPF checks in header

It only adds spam headers if it reaches a defined threshold in the Amavis config:

$sa_tag_level_deflt = -999;  # add spam info headers if at, or above that level

That should fix it.

6

Re: DMARC and SPF checks in header

Ok, so I changed the spam header and debug, and it looks like it passed for that.

But that's not what I'm after. I'm after those results being posted in the Authentication-headers field.

https://www.rfc-editor.org/rfc/rfc7001#section-2.6.2

In order for the email client to validate, it all needs to be from the same writer. OpenDKIM/DMARC fields get overwritten by Amavis. So, is there a way for Amavis to post those results in the authentication-results header as well?

7

Re: DMARC and SPF checks in header

So, another weird thing.

When I turn off DKIM verification in Amavis

# grep -r dkim_ver *
20-debian_defaults:$enable_dkim_verification = 0; #disabled to prevent warning
21-ubuntu_defaults:$enable_dkim_verification = 0;
50-user:$enable_dkim_verification = 0;

And send a test message - it doesn't do anything, like it should (not).

When I enable opendkim and opendmarc in postfix, it is somehow invoked again and checks the messages, even when disabled.

Authentication-Results: huginn.domain.tld; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=GqjnbQsE; dkim-atps=neutral

Authentication-Results: hugninnOPENDKIM; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: hugninnOPENDKIM; spf=pass smtp.mailfrom=gmail.com

8

Re: DMARC and SPF checks in header

OK, so I had to change the AuthservID in OpenDMARC to the FQDN. Apparently OpenDKIM uses the FQDN and is not configurable.

I had them different because Amavis clobbered the header otherwise. Now emails are showing up in the client (FairEmail) with all indicators green.

Now to figure out how to add TLS status to the authentication headers.
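
The client-side rule quoted from support in the first post, and the effect of the AuthservID change in the post above, as an added example that is not part of the thread and is not FairEmail's code: a reader that accepts Authentication-Results only from one trusted authserv-id. The hostname mx.example.org, the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

COMMENT = re.compile(r"\([^()]*\)")                      # innermost (...) comment
RESINFO = re.compile(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", re.I)

def parse_ar(value):
    """Return (authserv_id, {method: result}) for one header value."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)           # unfold continuation lines
    while COMMENT.search(value):                         # comments can contain ';'
        value = COMMENT.sub(" ", value)
    head, *resinfos = value.split(";")
    tokens = head.split()
    authserv_id = tokens[0].lower() if tokens else ""
    results = {}
    for part in resinfos:
        m = RESINFO.match(part)
        if m:
            results.setdefault(m.group(1).lower(), m.group(2).lower())
    return authserv_id, results

def trusted_results(raw_message, trusted_id):
    """Merge results only from headers stamped with trusted_id."""
    merged = {}
    for value in message_from_string(raw_message).get_all("Authentication-Results", []):
        authserv_id, results = parse_ar(value)
        if authserv_id != trusted_id.lower():
            continue                                     # other writer: ignore
        for method, result in results.items():
            merged.setdefault(method, result)            # topmost header wins
    return merged

# Constructed sample messages; mx.example.org is a placeholder hostname.
BODY = "From: someone@gmail.com\nSubject: test\n\nhello\n"
SPLIT_IDS = (
    "Authentication-Results: mx.example.org;\n"
    " dkim=pass (2048-bit key; unprotected) header.d=gmail.com;\n"
    " dkim-atps=neutral\n"
    "Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) header.from=gmail.com\n"
    "Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=gmail.com\n"
) + BODY
SAME_ID = SPLIT_IDS.replace("OpenDMARC;", "mx.example.org;")
FORGED = (
    "Authentication-Results: mx.example.org; dkim=fail header.d=gmail.com\n"
    "Authentication-Results: sender.invalid; dkim=pass; dmarc=pass; spf=pass\n"
) + BODY
if __name__ == "__main__":
    for name, raw in (("split", SPLIT_IDS), ("same", SAME_ID), ("forged", FORGED)):
        print(name, trusted_results(raw, "mx.example.org"))
```

Matching on the authserv-id is only as strong as the server's removal of inbound Authentication-Results headers that already claim that id, which RFC 7001 section 5 asks of the border MTA.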

9

Re: DMARC and SPF checks in header

The tls verification was a user setting. The reason for all this is that it becomes readily apparent for any junk messages that come through.
