[pfx] Re: gmail failing SPF/DKIM

2023-11-27 Thread Shawn Heisey via Postfix-users

On 11/27/23 07:40, Linkcheck via Postfix-users wrote:
> The forms also send a copy to the sender as confirmation. Most of these,
> as far as I know, get delivered but recently gmail has been rejecting
> them with the message:
>
> 550-5.7.26 This mail has been blocked because the sender is
>     unauthenticated.
> 550-5.7.26 Gmail requires all senders to authenticate with
>     either SPF or DKIM.
> 550-5.7.26  Authentication results:
> 550-5.7.26  DKIM = did not pass
> 550-5.7.26  SPF = did not pass


I also tested the form.  My server checks DMARC, and on the message I 
received, both SPF and DKIM pass.  Everything I could think of to check 
looks right to me.


If the email address in your DMARC record is valid, you should receive 
reports from Google regarding their DMARC decision on your messages. 
Hopefully there will be enough detail in those reports for you to figure 
out why they rejected it.


I get a lot of DMARC rejects from google.  Mostly for messages like this 
one that I send to mailing lists.  It seems that a lot of mailing lists 
(the dovecot list and apache.org lists for sure) do not properly 
repackage messages so that DKIM/SPF will pass.


It does look like this list (headers indicate it is mailman 3.3.8) is 
sending its own DKIM signature.  It does also send my DKIM signature, so 
I see both a pass and a fail for DKIM on my own messages.  I wonder if 
mailing lists should remove the original sender's DKIM signature, 
because it is highly unlikely that it will ever pass.


Thanks,
Shawn

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
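Shawn's observation that the list's own DKIM signature passes while his original one fails comes down to the body hash: a mailing list that appends a footer changes the canonicalized body, so the bh= tag the author computed no longer matches, whereas Mailman signs the modified body. This is an added example, not code from the thread; it implements the "relaxed" body canonicalization and body hash of RFC 6376 section 3.4.4. The message body, the footer and sign_body_only (a stand-in that fills in only the bh= tag, with a placeholder b=) are constructed for the example.

```python
"""Why a mailing-list footer breaks the original author's DKIM signature.

Added example, not code from the thread.  Implements RFC 6376 s.3.4.4
'relaxed' body canonicalization and the bh= body hash, then shows that
whitespace-only changes survive but an appended list footer does not.
The bodies, footer and signer below are constructed sample data.
"""
import base64
import hashlib
import re

# Constructed sample: the body exactly as the author signed it.
ORIGINAL_BODY = (
    b"Hi,\r\n"
    b"\r\n"
    b"My server checks DMARC and both SPF and DKIM pass here.\r\n"
)

# Constructed sample: a footer of the kind Mailman appends to every post.
LIST_FOOTER = (
    b"_______________________________________________\r\n"
    b"Example-list mailing list -- list@example.org\r\n"
)


def relaxed_body_canon(body: bytes) -> bytes:
    """RFC 6376 s.3.4.4 relaxed canonicalization of a CRLF-terminated body."""
    canon_lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)    # collapse runs of WSP to one SP
        canon_lines.append(line.rstrip(b" \t"))  # drop trailing WSP
    # Ignore all empty lines at the end of the body ...
    while canon_lines and canon_lines[-1] == b"":
        canon_lines.pop()
    # ... and a non-empty body must end with exactly one CRLF.
    return b"\r\n".join(canon_lines) + b"\r\n" if canon_lines else b""


def relaxed_body_hash(body: bytes) -> str:
    """The value a signer puts in bh= for c=*/relaxed with a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_tag(dkim_signature: str) -> str:
    """Pull bh= out of a DKIM-Signature header value (folding whitespace removed)."""
    unfolded = re.sub(r"\s+", "", dkim_signature)
    match = re.search(r"(?:^|;)bh=([^;]+)", unfolded)
    if not match:
        raise ValueError("no bh= tag in DKIM-Signature")
    return match.group(1)


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    """First step of DKIM verification: does the body still match bh=?"""
    return body_hash_tag(dkim_signature) == relaxed_body_hash(body)


def sign_body_only(body: bytes) -> str:
    """Constructed DKIM-Signature carrying only the tags this example needs.
    A real signer also computes b=, the signature over the selected headers."""
    return (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
        f"\th=from:to:subject:date; bh={relaxed_body_hash(body)}; b=PLACEHOLDER"
    )


if __name__ == "__main__":
    sig = sign_body_only(ORIGINAL_BODY)
    print("as sent        :", verify_body_hash(sig, ORIGINAL_BODY))
    print("trailing blanks:", verify_body_hash(sig, ORIGINAL_BODY + b"\r\n  \r\n"))
    print("with footer    :", verify_body_hash(sig, ORIGINAL_BODY + LIST_FOOTER))
```

The first two checks pass and the third fails, which is exactly the pass/fail pair Shawn sees on his own posts: the list's signature covers the footer, the author's cannot. A list that also rewrites the Subject breaks the header hash as well. The l= tag, which lets a signer cover only a prefix of the body, is left out on purpose: it would make the footer verify, but also anything else appended after the signed prefix.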


[pfx] Re: Stupid questions

2023-09-18 Thread Shawn Heisey via Postfix-users

On 9/18/23 08:09, Curtis Maurand via Postfix-users wrote:
> I'm running Postfix with rspamd which is a milter.  At what point in the
> email conversation does the DKIM lookup happen? Does Postfix handle that
> or am I asking on the wrong list and I should be asking the question on
> the rspamd list?  I'm getting a DNS failure on my setup that gmail is
> not getting.  It's a delegated subdomain.  I'm getting this temp error.
> The relevant message header is below.
>
> Authentication-Results: sirius.xyonet.com;
>         dkim=temperror ("DNS error when getting key")
>         header.d=news.circadian.com header.s=default header.b=KGxjxIVc;
>         spf=temperror (sirius.xyonet.com: error in processing during lookup
>         of xyo...@news.circadian.com: DNS error)
>         smtp.mailfrom=xyo...@news.circadian.com;
>         dmarc=temperror reason="query refused" header.from=circadian.com
>         (policy=temperror)
>
> SPF, DKIM, and DMARC all pass at gmail.


I know nothing about rspamd.  I use opendkim, amavisd-new, and postscreen.

Are the xyonet.com and/or circadian.com domains under your control? 
Based on Received headers in the list message I replied to, I think they 
are.


The log says "query refused" when it tries to lookup SPF info in DNS... 
which sounds to me like a probable issue in the DNS server used by the 
system that added that header.  This is also probably what happened to 
cause the temperror on the DKIM lookup, but in that case the actual 
error was not logged.


Is the mail server that added the header also under your control?

If I had to guess, I would say that the DNS server in question either 
has the mail server that added the header blocked, or that it is not 
configured to accept recursive queries from the mail server.  But there 
could be other reasons that the connection was refused.  Usually if the 
traffic was blocked by a firewall, the connection would time out, not be 
refused ... but some firewalls can be configured to use connection 
refused instead.


It is generally a good idea for a mail server to also run a local 
caching DNS server, independent of any DNS servers that you may be 
running for your internal infrastructure.  That DNS server should NOT be 
accessible from the Internet unless you happen to be running the mail 
server on the same host as your DNS infrastructure ... which I would say 
is probably not the best idea.


My mail server in AWS, running postfix, dovecot, and roundcube, also 
runs bind9, config mostly unmodified from the ubuntu defaults.  It is 
not authoritative for any domains, including the ones that postfix and 
dovecot are handling.  It does not have forwarders, it performs a 
recursing lookup starting at the public root servers for all queries 
that it receives related to public domains.


Thanks,
Shawn

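Shawn's reading of the header is that the resolver used by the host that added it, not the sender's DNS, is what failed. Turning each temperror into the name that host could not resolve makes that easy to test against the MTA's own resolver. The parser below is an added example, not code from the thread; it handles the RFC 8601 Authentication-Results shape (authserv-id, then method=result, an optional comment, and ptype.property=value pairs). The two header values are constructed samples modelled on the one Curtis posted, with example domains substituted.

```python
"""Parse an Authentication-Results header (RFC 8601) and turn temperror
results into the DNS names the receiving host failed to resolve.

Added example, not code from the thread.  Both header values below are
constructed samples using example domains.
"""
import re
from dataclasses import dataclass, field

# Constructed: the failing case, every method reports a DNS problem.
SAMPLE_TEMPERROR = (
    "mx.example.org;\n"
    '\tdkim=temperror ("DNS error when getting key") header.d=news.example.net'
    " header.s=sel header.b=KGxjxIVc;\n"
    "\tspf=temperror (mx.example.org: error in processing during lookup of"
    " sender@news.example.net: DNS error) smtp.mailfrom=sender@news.example.net;\n"
    '\tdmarc=temperror reason="query refused" header.from=example.net'
    " (policy=temperror)"
)

# Constructed: the same message seen through a working resolver.
SAMPLE_PASS = (
    "mx.example.org; dkim=pass header.d=news.example.net header.s=sel header.b=KGxjxIVc;"
    " spf=pass (mx.example.org: domain of sender@news.example.net designates"
    " 192.0.2.25 as permitted sender) smtp.mailfrom=sender@news.example.net;"
    " dmarc=pass (policy=none) header.from=example.net"
)


@dataclass
class AuthResult:
    method: str
    result: str
    comment: str = ""
    reason: str = ""
    props: dict = field(default_factory=dict)


@dataclass
class AuthResultsHeader:
    authserv_id: str
    results: list


def _split_clauses(value: str) -> list:
    """Split on ';' but not inside (comments) or "quoted strings"."""
    clauses, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"' and depth == 0:
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")" and depth:
                depth -= 1
            elif ch == ";" and depth == 0:
                clauses.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    tail = "".join(buf).strip()
    return clauses + [tail] if tail else clauses


# ptype.property=value, value either quoted or bare, optionally followed by (comment)
_PROP_RE = re.compile(r'([\w.]+)=("[^"]*"|[^\s()]+)(?:\s*\(([^)]*)\))?')


def _absorb(comment: str, props: dict) -> None:
    """Comments such as (policy=none) carry a property; keep it."""
    m = re.fullmatch(r"([\w.]+)=(\S+)", comment.strip())
    if m:
        props[m.group(1)] = m.group(2)


def parse_authentication_results(value: str) -> AuthResultsHeader:
    clauses = _split_clauses(value)
    header = AuthResultsHeader(authserv_id=clauses[0].split()[0], results=[])
    for clause in clauses[1:]:
        m = re.match(r"([\w-]+)(?:/\d+)?=([\w-]+)\s*(.*)", clause, re.S)
        if not m:                      # e.g. the bare "none" clause
            continue
        res = AuthResult(method=m.group(1).lower(), result=m.group(2).lower())
        rest = m.group(3)
        cm = re.match(r"\(([^)]*)\)\s*(.*)", rest, re.S)   # comment right after result
        if cm:
            res.comment = cm.group(1).strip().strip('"')
            _absorb(res.comment, res.props)
            rest = cm.group(2)
        for key, val, pcomment in _PROP_RE.findall(rest):
            val = val.strip('"')
            if key == "reason":
                res.reason = val
            else:
                res.props[key] = val
            if pcomment:
                _absorb(pcomment, res.props)
        header.results.append(res)
    return header


def dns_lookup_failures(value: str) -> list:
    """For each temperror, the DNS name the receiving MTA could not resolve."""
    failures = []
    for r in parse_authentication_results(value).results:
        if r.result != "temperror":
            continue
        if r.method == "dkim" and "header.d" in r.props:
            name = f"{r.props.get('header.s', '?')}._domainkey.{r.props['header.d']}"
        elif r.method == "spf" and "smtp.mailfrom" in r.props:
            name = r.props["smtp.mailfrom"].rpartition("@")[2]
        elif r.method == "dmarc" and "header.from" in r.props:
            name = "_dmarc." + r.props["header.from"]
        else:
            name = "(unknown)"
        failures.append((r.method, name, r.reason or r.comment))
    return failures


if __name__ == "__main__":
    for method, name, detail in dns_lookup_failures(SAMPLE_TEMPERROR):
        # Repeat each lookup against the resolver the MTA itself uses
        # (dig @<resolver> <name> TXT) to see whether that resolver refuses it.
        print(f"{method:6s} {name:40s} {detail}")
```

Each name printed is what the MTA's resolver had to answer: the selector's _domainkey TXT record, the SPF TXT record at the MAIL FROM domain, and the _dmarc TXT record. Querying those three from the mail host, through the same resolver Postfix and the milter use, separates a refused or unreachable resolver from a genuine problem in the sender's zone.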


[pfx] Re: Accepting mail from old Dell iDRAC

2023-08-05 Thread Shawn Heisey via Postfix-users

On 8/5/23 13:38, Viktor Drukhovni via Postfix-users wrote:
> If not for your sake, then perhaps for future readers, it would be
> great if you would confirm or deny what type of certificate is
> configured on the Postfix SMTP server end? If you switch to RSA, it
> should work with the iDRAC, the ciphers offered by the client are not
> particularly exotic. They're all CBC, but that should still be
> supported on the Postfix end. Even with OpenSSL 3.0, you still have:


I can confirm that idrac6 (in my R710) and idrac7 (in my R720xd) will 
not use a certificate with an ECDSA key, which Let's Encrypt builds by 
default.


I had to build a second certificate just for my idracs and printers 
using RSA keys.


If it can't use an ECDSA certificate as a server, chances are good that 
it can't use one as a client either.


I do not have my idracs configured for email.  They are monitored via 
SNMP by Zabbix.


Thanks,
Shawn

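Shawn's workaround for the iDRACs and printers was a second, RSA-keyed certificate. On the Postfix side both chains can be served at once: since Postfix 3.4, smtpd_tls_chain_files takes several key-and-chain pairs, and the server presents the ECDSA chain to clients that negotiate an ECDSA suite and the RSA chain to clients, like an old iDRAC, that only offer RSA suites. The main.cf fragment below is an added example, not configuration from the thread; the file paths are assumed placeholders, and each private key must be listed immediately before its own certificate chain.

```ini
# main.cf fragment (Postfix 3.4 or later).  Paths are placeholders.
# Each key file is followed by the chain it belongs to; Postfix picks the
# chain whose key type matches what the connecting client can use.
smtpd_tls_chain_files =
    /etc/postfix/tls/rsa-privkey.pem,
    /etc/postfix/tls/rsa-fullchain.pem,
    /etc/postfix/tls/ecdsa-privkey.pem,
    /etc/postfix/tls/ecdsa-fullchain.pem

# Opportunistic TLS on port 25; a legacy client that cannot complete the
# handshake still falls back to plaintext instead of failing outright.
smtpd_tls_security_level = may
```

To confirm which chain a given client receives, connect with openssl s_client -starttls smtp once with its default cipher list and once with -cipher restricted to RSA suites, and compare the Subject Public Key Info of the certificate each session returns.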


[pfx] Re: Question on the CNAME

2023-05-03 Thread Shawn Heisey via Postfix-users

On 5/3/23 19:02, Ken Peng via Postfix-users wrote:

> I am just not sure, for this domain SpaceMail.com, who has a CNAME to CDN for
> the root domain, every query to this domain will get a CNAME. for instance,
>
> $ dig spacemail.com mx +nocmd +noall +answer
> spacemail.com.  60  IN  CNAME   spacemail.com.cdn.cloudflare.net.
>
> $ dig spacemail.com txt +nocmd +noall +answer
> spacemail.com.  47  IN  CNAME   spacemail.com.cdn.cloudflare.net.
>
> How does it get mail then? incoming mail was handled by
> spacemail.com.cdn.cloudflare.net?


Here's my opinion on general recommendations on this topic:

It is not a good idea to use CNAME for an entire domain, mostly because 
of the DNS rule that Sean mentioned -- if there is a CNAME record for a 
name, then that name is not allowed to have most other record types.  So 
if you use a CNAME for a whole domain, you can't define anything else, 
including MX, though apparently the records required for DNSSEC signing 
are allowed.  The only proper use I can think of for a CNAME on an 
entire domain is to alias it to another domain which has records for 
things like NS, SOA, MX, etc.  The spacemail.com info you shared points 
to a CDN hostname that does NOT have these things.  I tried connecting 
to port 25 on the CDN hostname from my mail server, and was unable to 
connect, so email delivery for spacemail.com is very likely non-functional.


The web presence for a domain should use subdomains ... www.example.com 
for instance.


There should be an A or AAAA record for example.com.  The web server or 
proxy at that IP address should redirect all incoming requests for 
"example.com" to a proper subdomain, perhaps www.example.com.  That 
should be done in a way that results in the browser URL changing to the 
correct canonical subdomain.


If handling mail for n...@example.com is desired, then example.com needs 
an MX record pointing at a host running a mail server.  The name in the 
MX record should have an A or AAAA record.  If it is a CNAME, then mail 
delivery probably won't work correctly.


One or more subdomains should be set up as CNAMEs for anything that 
needs to be handled entirely by a CDN ... those subdomains can't be used 
for anything else.


The other DNS records for mail, like imap.example.com, can usually be 
CNAMEs.


Thanks,
Shawn
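The layout Shawn describes reduces to a few checkable rules: a CNAME may not share its owner name with other record types (RRSIG and NSEC aside), so a CNAME at the apex leaves no room for SOA, NS or MX; the apex should carry an A/AAAA so the web server can redirect to www; and an MX target must be a name with address records, not a CNAME. The checker below is an added example, not code from the thread. It runs over in-memory zones of constructed sample records (name -> list of (type, rdata)) and queries nothing, so it can be pointed at a zone file's contents before they are published.

```python
"""Sanity checks for the DNS layout discussed above: no CNAME at the apex,
CNAME never shares a name with other types, MX targets are A/AAAA names.

Added example, not code from the thread.  Zones are in-memory dictionaries
of constructed sample records; nothing is looked up on the network.
"""

RecordSet = list[tuple[str, str]]
Zone = dict[str, RecordSet]

# RFC 4034/4035 let RRSIG and NSEC sit beside a CNAME; nothing else may.
CNAME_COMPATIBLE = {"RRSIG", "NSEC"}
ADDRESS_TYPES = {"A", "AAAA"}

# Constructed: an apex that is a CNAME to a CDN, the spacemail.com pattern.
CDN_APEX_ZONE: Zone = {
    "broken.example.": [("CNAME", "broken.example.cdn.example-cdn.net.")],
}

# Constructed: an MX that points at a CNAME instead of an address record.
MX_TO_CNAME_ZONE: Zone = {
    "mxcname.example.": [("A", "192.0.2.10"), ("MX", "10 mail.mxcname.example.")],
    "mail.mxcname.example.": [("CNAME", "mailhost.mxcname.example.")],
    "mailhost.mxcname.example.": [("A", "192.0.2.25")],
}

# Constructed: the layout recommended above (CDN only on www, MX on an A name).
GOOD_ZONE: Zone = {
    "good.example.": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10"),
                      ("MX", "10 mail.good.example.")],
    "www.good.example.": [("CNAME", "good.example.cdn.example-cdn.net.")],
    "mail.good.example.": [("A", "192.0.2.25"), ("AAAA", "2001:db8::25")],
    "imap.good.example.": [("CNAME", "mail.good.example.")],
}


def _types(zone: Zone, name: str) -> set[str]:
    return {rtype for rtype, _ in zone.get(name, [])}


def check_zone(apex: str, zone: Zone, expect_mail: bool = True) -> list[str]:
    """Return human-readable findings; an empty list means the layout is sane."""
    findings = []

    # Rule 1: a CNAME owner name may not hold (most) other record types.
    for name in zone:
        types = _types(zone, name)
        if "CNAME" in types:
            others = sorted(types - {"CNAME"} - CNAME_COMPATIBLE)
            if others:
                findings.append(f"{name}: CNAME cannot coexist with {', '.join(others)}")
            if name == apex:
                findings.append(f"{apex}: CNAME at the zone apex leaves no room for SOA, NS or MX")

    apex_types = _types(zone, apex)

    # Rule 2: the apex needs an address so a web server there can redirect to www.
    if "CNAME" not in apex_types and not apex_types & ADDRESS_TYPES:
        findings.append(f"{apex}: no A/AAAA record at the apex")

    # Rule 3: MX targets must be names with A/AAAA, never CNAMEs (RFC 2181 s.10.3).
    mx_targets = [rdata.split()[1] for rtype, rdata in zone.get(apex, []) if rtype == "MX"]
    if expect_mail and not mx_targets:
        findings.append(f"{apex}: no MX record, so mail for @{apex.rstrip('.')} is undeliverable")
    for host in mx_targets:
        host_types = _types(zone, host)
        if host != apex and not host.endswith("." + apex):
            findings.append(f"{apex}: MX target {host} is outside this zone; "
                            "confirm it has A/AAAA and is not a CNAME")
        elif "CNAME" in host_types:
            findings.append(f"{apex}: MX target {host} is a CNAME; "
                            "point MX at the address record name instead")
        elif not host_types & ADDRESS_TYPES:
            findings.append(f"{apex}: MX target {host} has no A/AAAA record")
    return findings


if __name__ == "__main__":
    for apex, zone in (("broken.example.", CDN_APEX_ZONE),
                       ("mxcname.example.", MX_TO_CNAME_ZONE),
                       ("good.example.", GOOD_ZONE)):
        print(apex, check_zone(apex, zone) or ["ok"])
```

The CDN-apex zone produces two findings (the apex CNAME and the missing MX) unless expect_mail is False, the MX-to-CNAME zone produces one, and the recommended layout produces none. The imap.good.example. CNAME is accepted because, as Shawn notes, client-facing names like IMAP can be aliases; only the MX target cannot.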