On 17.01.2023 at 03:34, Scott Kitterman wrote:
On January 17, 2023 2:25:34 AM UTC, raf<post...@raf.org> wrote:
On Mon, Jan 16, 2023 at 08:01:10PM +0100, Maurizio Caloro<mauri...@caloro.ch>
wrote:
Hello
Please, one more thing about OpenDMARC: if I send any email anywhere,
I see in the log SPF fail, domain.ch fail?
Jan 16 19:43:39 nmail opendkim[16490]: B6090404C3: DKIM-Signature field
added (s=nmail, d=caloro.ch)
Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: SPF(mailfrom): caloro.ch
fail
Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: caloro.ch fail
If I receive any mail from anywhere, everything passes:
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: mailc-bb.linkedin.com
[A.B.C.D] not internal
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: not authenticated
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: message has signatures
from linkedin.com, mailc.linkedin.com
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: signature=muv88Rcz
domain=linkedin.com selector=d2048-201806-01 result="no signature error";
signature=IKaXoyzS domain=mailc.linkedin.com selector=proddkim1024
result="no signature error"
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: DKIM verification
successful
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: s=d2048-201806-01
d=linkedin.com SSL
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3 ignoring
Authentication-Results at 2 from nmail.caloro.ch
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: SPF(mailfrom):
bounce.linkedin.com pass
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: linkedin.com pass
--
In the header of any mail that I send, the following appears:
Authentication-Results-Original: caloro.ch, calm-ness.ch; spf=fail
# cat opendmarc.conf
AuthservID caloro.ch, calm-ness.ch
AuthservIDWithJobID false
AutoRestart false
AutoRestartRate 10/1h
Background true
DNSTimeout 5
HistoryFile /var/spool/postfix/opendmarc/opendmarc.dat
*IgnoreAuthenticatedClients true*
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/opendmarc/opendmarc.pid
RejectFailures false
RequiredHeaders true
PublicSuffixList /etc/opendmarc/effective_tld_names.dat
Socket inet:8892@127.0.0.1
SoftwareHeader true
SPFSelfValidate true
SPFIgnoreResults false
Syslog true
SyslogFacility mail
# TrustedAuthservIDs nmail.caloro.ch, nmail.calm-ness.ch
TrustedAuthservIDs caloro.ch, calm-ness.ch
UMask 077
UserID opendmarc:opendmarc
When checking DMARC, DKIM and SPF for the domain online, everything appears correct!
Please, why does my email fail?
Thanks for any hint
Mauri
I could be wrong, but I suspect that the problem is
that you haven't configured OpenDMARC to not check
locally originating mail. According to the first
Received: header, the mail is coming from 37.120.190.188
(which is mentioned in multiple ways in the SPF record),
but your mail server at that IP address shouldn't be
performing this check on outgoing mail.
Perhaps you need to add this to your /etc/opendmarc.conf:
IgnoreAuthenticatedClients true
Unfortunately, the code doing the SPF check doesn't
explain why it failed. Some do. For example, the
package on debian would
probably show the IP address that caused the failure.
Maybe it's 127.0.0.1 (or the IP address of an
authenticated submission client).
The internal SPF implementation in OpenDMARC is not a full implementation of
the protocol. In general, you are likely to be better off having something SPF
specific check SPF and then have OpenDMARC consume that result for its DMARC
processing. If you are inclined towards Perl, then postfix-policyd-spf-perl is
a good choice. SPF Engine supports either a milter (pyspf-milter) or policy
server (postfix-policyd-spf-python) interface with Postfix, depending on which
you prefer, if you're up for a Python based solution.
Scott K
This was always present in opendmarc.conf before:
IgnoreAuthenticatedClients true
# opendmarc-check caloro.ch
DMARC record for caloro.ch:
Sample percentage: 100
DKIM alignment: strict
SPF alignment: relaxed
Domain policy: none
Subdomain policy: unspecified
Aggregate report URIs:
mailto:etczb...@ag.dmarcian-eu.com
Failure report URIs:
(none)
But please, why does "fail" appear? I think this is posted by opendmarc:
Jan 17 19:17:50 nmail opendkim[801]: 6A2F040132: DKIM-Signature field
added (s=nmail, d=caloro.ch)
Jan 17 19:17:50 nmail opendmarc[766]: 6A2F040132: SPF(mailfrom):
caloro.ch fail
Jan 17 19:17:50 nmail opendmarc[766]: 6A2F040132: caloro.ch fail
# dig caloro.ch txt
; <<>> DiG 9.11.5-P4-5.1+deb10u8-Debian <<>> caloro.ch txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62132
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 34ed9f18546262197eb3532863c6ee9dc447edcb667b812b (good)
;; QUESTION SECTION:
;caloro.ch. IN TXT
;; ANSWER SECTION:
*caloro.ch. * 776 IN TXT "*v=spf1 a mx
ip4:37.120.190.188/32 a:nmail.caloro.ch -all*"
;; AUTHORITY SECTION:
. 68162 IN NS m.root-servers.net.
. 68162 IN NS k.root-servers.net.
. 68162 IN NS g.root-servers.net.
. 68162 IN NS j.root-servers.net.
. 68162 IN NS b.root-servers.net.
. 68162 IN NS a.root-servers.net.
. 68162 IN NS l.root-servers.net.
. 68162 IN NS i.root-servers.net.
. 68162 IN NS f.root-servers.net.
. 68162 IN NS e.root-servers.net.
. 68162 IN NS d.root-servers.net.
. 68162 IN NS h.root-servers.net.
. 68162 IN NS c.root-servers.net
How can I trace this so that I can find the right solution?
Thanks
Mauri
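
raf's suggestion above, that the check may be evaluated against 127.0.0.1 or a submission client's address rather than 37.120.190.188, can be tried offline. This added example (not code from the thread or from OpenDMARC) evaluates the published record for a candidate client IP, handling only the a, mx, ip4 and all mechanisms; the FAKE_DNS table and the function names are assumptions constructed for illustration.

```python
import ipaddress

# SPF record as published in the dig output above.
RECORD = "v=spf1 a mx ip4:37.120.190.188/32 a:nmail.caloro.ch -all"

# Constructed stand-in for DNS so the example runs offline (assumption: the
# a and mx names resolve to the address the thread says the record covers).
FAKE_DNS = {
    ("caloro.ch", "A"): ["37.120.190.188"],
    ("caloro.ch", "MX"): ["nmail.caloro.ch"],
    ("nmail.caloro.ch", "A"): ["37.120.190.188"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def addresses(name):
    """A records for name, taken from the constructed table."""
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get((name, "A"), [])]


def matches(mech, arg, domain, client):
    """True if one mechanism of the supported subset matches the client IP."""
    if mech == "all":
        return True
    if mech == "ip4":
        return client in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return client in addresses(arg or domain)
    if mech == "mx":
        hosts = FAKE_DNS.get((arg or domain, "MX"), [])
        return any(client in addresses(h) for h in hosts)
    raise ValueError(f"mechanism outside the a/mx/ip4/all subset: {mech}")


def check_spf(record, domain, client_ip):
    """Return (result, matching term) for the connecting client IP."""
    client = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = body.partition(":")
        if matches(mech.lower(), arg, domain, client):
            return (QUALIFIERS[qualifier], term)
    return ("neutral", None)


if __name__ == "__main__":
    for ip in ("37.120.190.188", "127.0.0.1"):
        print(ip, check_spf(RECORD, "caloro.ch", ip))
```

The same record gives pass for the server's public address and fail (via -all) for loopback, so a correct DNS record is consistent with the logged fail if the checker sees a different client IP.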