Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples
SheridanJ West via dmarc-discuss wrote:
> I only have the mismatch problem with opendmarc-reports and that's using
> most of the command line options.
>
> Normal email (port 587) is matched with spf, dkim and dmarc. Please do
> not consider our email servers as mentally retarded in regard to that.
> Hence my posting on a dmarc list.
>
> report emails per the dmarc spec is the last thing left that i struggled
> with.

So your problem seems to be locally generated emails?
Without giving concrete examples of domain names, logfile excerpts and possibly showing a generated report without any obfuscation it is not possible to help you as I don't have a crystal ball :)

Juri

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples
I only have the mismatch problem with opendmarc-reports and that's using most of the command line options.

Normal email (port 587) is matched with spf, dkim and dmarc. Please do not consider our email servers as mentally retarded in regard to that. Hence my posting on a dmarc list.

report emails per the dmarc spec is the last thing left that i struggled with.

As to ATPS1 that is something i am unwilling to test out unless atps01 packs up sooner rather than later this week.

On Wed, Feb 1, 2017 at 8:45 AM, Juri Haberland via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
> SheridanJ West via dmarc-discuss wrote:
> > i appear to need atps records for google this is with atps dns text records
> > and probably others
> >
> > opendmarc-reports: sent report for gmail.com to mailauth-repo...@google.com
> > (2.0.0 Ok: queued as x1)
> >
> > without atps [results i got from last week]
> >
> > postfix/smtp[5820]:
> > x0: to=,
> > relay=aspmx.l.google.com[74.125.71.26]:25, delay=1.1,
> > delays=0.13/0.01/0.49/0.43, dsn=5.7.1, status=bounced
> > (host aspmx.l.google.com[74.125.71.26] said: 550-5.7.1
> > Unauthenticated email from example.eu is not accepted
> > due to 550-5.7.1 domain's DMARC policy.
> > Please contact the administrator of 550-5.7.1 example.eu
> > domain if this was a legitimate mail.
>
> Ok, so without ATPS Google won't take your mail. I suggest to check your SPF
> settings - if ATPS (or DKIM) fails, it should at least authenticate via SPF.
>
> > I used (appears to work) dns records
> > _adsp._domainkey.example.eu. "dkim=all atps=y; asl=example.com;"
> > ._atps.example.eu. "v=atps01; d=example.com;"
> > not work (or tried yet) the content made by openmarc-atpszone
> > v=ATPS1; d=example.net
>
> I don't know anything about ATPS, but I fail to see how OpenDMARC is the
> culprit for your problems. You seem to have at least two problems:
> - missing or wrong SPF RR for your sending host
> - some ATPS/DKIM problem (looking at RFC6541 yields that v=ATPS1 is right and
>   v=atps01 is wrong)
>
> Juri
Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples
SheridanJ West via dmarc-discuss wrote:
> i appear to need atps records for google this is with atps dns text records
> and probably others
>
> opendmarc-reports: sent report for gmail.com to mailauth-repo...@google.com
> (2.0.0 Ok: queued as x1)
>
> without atps [results i got from last week]
>
> postfix/smtp[5820]:
> x0: to=,
> relay=aspmx.l.google.com[74.125.71.26]:25, delay=1.1,
> delays=0.13/0.01/0.49/0.43, dsn=5.7.1, status=bounced
> (host aspmx.l.google.com[74.125.71.26] said: 550-5.7.1
> Unauthenticated email from example.eu is not accepted
> due to 550-5.7.1 domain's DMARC policy.
> Please contact the administrator of 550-5.7.1 example.eu
> domain if this was a legitimate mail.

Ok, so without ATPS Google won't take your mail. I suggest to check your SPF settings - if ATPS (or DKIM) fails, it should at least authenticate via SPF.

> I used (appears to work) dns records
> _adsp._domainkey.example.eu. "dkim=all atps=y; asl=example.com;"
> ._atps.example.eu. "v=atps01; d=example.com;"
> not work (or tried yet) the content made by openmarc-atpszone
> v=ATPS1; d=example.net

I don't know anything about ATPS, but I fail to see how OpenDMARC is the culprit for your problems. You seem to have at least two problems:
- missing or wrong SPF RR for your sending host
- some ATPS/DKIM problem (looking at RFC6541 yields that v=ATPS1 is right and v=atps01 is wrong)

Juri
Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples
I'd suggest that reliance upon ADSP is unwise as - having been reclassified as historic - it could stop working at any time without warning. A better option might be to sign your reports with the DKIM signature of the reporting domain (i.e. sign with example.eu instead of example.com in your obscured example).

- Roland

From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of SheridanJ West via dmarc-discuss <dmarc-discuss@dmarc.org>
Sent: Wednesday, 1 February 2017 00:53
Cc: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

i appear to need atps records for google this is with atps dns text records and probably others

opendmarc-reports: sent report for gmail.com to mailauth-repo...@google.com (2.0.0 Ok: queued as x1)

postfix/smtp[28130]: x2: to=<mailauth-repo...@google.com>, relay=aspmx.l.google.com[66.102.1.26]:25, delay=0.87, delays=0.13/0.01/0.25/0.48, dsn=2.0.0, status=sent (250 2.0.0 OK xx xx - gsmtp)

without atps [results i got from last week]

postfix/smtp[5820]: x0: to=<mailauth-repo...@google.com>, relay=aspmx.l.google.com[74.125.71.26]:25, delay=1.1, delays=0.13/0.01/0.49/0.43, dsn=5.7.1, status=bounced (host aspmx.l.google.com[74.125.71.26] said: 550-5.7.1 Unauthenticated email from example.eu is not accepted due to 550-5.7.1 domain's DMARC policy. Please contact the administrator of 550-5.7.1 example.eu domain if this was a legitimate mail.

I used (appears to work) dns records
_adsp._domainkey.example.eu. "dkim=all atps=y; asl=example.com;"
._atps.example.eu. "v=atps01; d=example.com;"
not work (or tried yet) the content made by openmarc-atpszone
v=ATPS1; d=example.net

The windows version appears to be the winner for syntax of atps. although i can get sha1 domain name hashes from both with.
opendkim-atpszone -h sha1 -u example.com -A example.net
So most of opendkim-atpszone is best ignored it appears

On Tue, Jan 31, 2017 at 2:17 PM, Juri Haberland via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:

SheridanJ West via dmarc-discuss wrote:
> I encountered a opendmarc bug that required adsp records as well to send
> dmarc reports and i had a fun time trying to reproduce the output for i do
> not know how long the url i mention will last.

> Is nearly the same but I am confused - is the web parser right and the
> opendkim-atpszone command wrong? with v=ATPS1

> I ask as this affects only dmarc reports (no i do not run example.com) our
> normal email is sent ok

Even though this is not an OpenDMARC specific mailing list but a generic DMARC discussion list, can you be a bit more specific in which way OpenDMARC reports are affected by the differing output of the webtool vs. opendkim-atpszone?

Juri
Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples
A. Schulze via dmarc-discuss wrote on 2017-01-30 22:30:
> On 30.01.2017 at 21:40, SheridanJ West via dmarc-discuss wrote:
> > I encountered a opendmarc bug that required adsp records
> don't waste your time with ADSP, forget it.
> it's deprecated and in fact dead

and spamassassin does not care of that, where is the dmarc support for equant of adsp ?

on top of that dnssec is not very well tested, so most domains that have else working dkim key, is not caring of make dnssec working, sadly

i begin to hate dkim/dmarc/arc fucked brain dead solutions that is near killing mail systems that just like to have dkim pass and nothing more problems, sadly lowest commodity wins :(

i think its okay to say that here when i self do it right, no ?

time for me to take another beer :=)
Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples
SheridanJ West via dmarc-discuss wrote:
> I encountered a opendmarc bug that required adsp records as well to send
> dmarc reports and i had a fun time trying to reproduce the output for i do
> not know how long the url i mention will last.

> Is nearly the same but I am confused - is the web parser right and the
> opendkim-atpszone command wrong? with v=ATPS1

> I ask as this affects only dmarc reports (no i do not run example.com) our
> normal email is sent ok

Even though this is not an OpenDMARC specific mailing list but a generic DMARC discussion list, can you be a bit more specific in which way OpenDMARC reports are affected by the differing output of the webtool vs. opendkim-atpszone?

Juri
Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples
I would rather not rebuild our mail server(s) and the bits hanging off it just to keep opendmarc-report functionality since they do everything else ok.

Thanks.

On Mon, Jan 30, 2017 at 9:30 PM, A. Schulze via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
> On 30.01.2017 at 21:40, SheridanJ West via dmarc-discuss wrote:
> > I encountered a opendmarc bug that required adsp records
> don't waste your time with ADSP, forget it.
> it's deprecated and in fact dead
>
> Andreas
Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples
On 30.01.2017 at 21:40, SheridanJ West via dmarc-discuss wrote:
> I encountered a opendmarc bug that required adsp records

don't waste your time with ADSP, forget it.
it's deprecated and in fact dead

Andreas
[dmarc-discuss] opendkim-atpszone reproducibility and examples
I encountered a opendmarc bug that required adsp records as well to send dmarc reports and i had a fun time trying to reproduce the output for i do not know how long the url i mention will last.

a webparser at www.winserver.com/public/wcadsp/default.wct which produces example.com main domain and example.net in asl

_adsp._domainkey.example.com IN TXT "dkim=all; atps=y; asl=example.net;"
YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps.example.com IN TXT "v=atps01; d= example.net;"

Which i think is what i need but

opendkim-atpszone -h sha1 -u example.com -A example.net -vvv
opendkim-atpszone: database opened
server xxx
zone example.com
update add YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps TXT 86400 "v=ATPS1; d= example.net"
send
answer
opendkim-atpszone: 1 record written

Is nearly the same but I am confused - is the web parser right and the opendkim-atpszone command wrong? with v=ATPS1

YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps.example.com IN TXT "v=atps01;
YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps TXT 86400 "v=ATPS1;

I ask as this affects only dmarc reports (no i do not run example.com) our normal email is sent ok

It is close but who is right ?. I ask as this is not terribly clear. - as long as i have a sha1 hash of whatever YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ translates and can work around opendkim-atpszone i think i am good.
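
The two questions this thread turns on (what the 32-character label encodes, and which `v=` value is valid) can be checked offline. The following is an added example, not part of any poster's message and not OpenDKIM code; the function names are hypothetical, and it assumes the label is base32(SHA-1) of the lowercased signer domain and that `v=` must match `ATPS1` exactly, the value the thread cites from RFC 6541.

```python
import base64
import hashlib

def atps_label(signer_domain: str, hash_name: str = "sha1") -> str:
    """Leftmost label of the ATPS owner name: base32(hash(signer domain))."""
    # Assumption: lowercase the name and drop a trailing dot before hashing.
    name = signer_domain.strip().rstrip(".").lower().encode("ascii")
    digest = hashlib.new(hash_name, name).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")

def parse_tags(txt: str) -> dict:
    """Split a 'tag=value; tag=value' TXT payload into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def check_atps_record(owner: str, txt: str, signer_domain: str) -> list:
    """Return a list of problems; an empty list means the record looks valid."""
    problems = []
    tags = parse_tags(txt)
    signer = signer_domain.rstrip(".").lower()
    # Assumption: exact-case match on the version value cited in the thread.
    if tags.get("v") != "ATPS1":
        problems.append(f"v={tags.get('v')!r}, expected 'ATPS1'")
    d = tags.get("d")
    if d is not None and d.rstrip(".").lower() != signer:
        problems.append(f"d={d!r} does not name signer {signer!r}")
    labels = owner.rstrip(".").split(".")
    if len(labels) < 2 or labels[1].lower() != "_atps":
        problems.append("owner name lacks the _atps label")
    elif labels[0].upper() != atps_label(signer):
        problems.append("first label is not base32(sha1(signer domain))")
    return problems

if __name__ == "__main__":
    # Constructed inputs modelled on the two record variants quoted in the thread.
    owner = atps_label("example.net") + "._atps.example.com"
    for txt in ("v=ATPS1; d= example.net", "v=atps01; d= example.net;"):
        print(txt, "->", check_atps_record(owner, txt, "example.net"))
    # Does the label quoted in the thread match this derivation for example.net?
    print(atps_label("example.net") == "YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ")
```

Run against a record fetched with `dig TXT`, an empty list from `check_atps_record` means the owner label, `v=` and `d=` are mutually consistent for that signer domain.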