Hi all,

You must fully understand the implications of having a DMARC policy
other than p=none. The use of DMARC-protected domains in mailing
lists like this may have undesired effects. This is a generic warning.

That said, to fully understand the problem you must provide more
details, namely rfc5321.MailFrom and rfc5322.From, to check
alignment. You must also check if that specific message was DKIM signed,
although one can assume that it had an SPF pass if it was sent by one of
your servers and, in that case, DKIM is not required.

José Borges Ferreira





On Fri, Dec 19, 2014 at 2:24 AM, James B. Byrne <byrn...@harte-lyne.ca> wrote:
>
> On Thu, December 18, 2014 19:19, Wietse Venema wrote:
>> Wietse Venema:
>>> James B. Byrne:
>>> > <xxuse...@aol.com>: host mailin-02.mx.aol.com[152.163.0.99] said: 521 5.2.1 :
>>> >     (DMARC) This message failed DMARC Evaluation and is being refused due to
>>> >     provided DMARC Policy (in reply to end of DATA command)
>>> > --->
>>> >
>>> > Does anyone have any idea what AOL might be complaining about WRT to our DMARC
>>> > policy?
>>>
>> When DNS lookup fails with a SOFT error (timeout etc.) would they
>> mistakenly respond with a HARD reject? We have examples of Google
>> doing that (email from the same host and the same sender will
>> occasionally be rejected).
>>
>> I.e. from the same IP address.
>>
>> If your IPv4 or IPv6 address is not fixed, then mail may be rejected
>> for several reasons.
>>
>> If the error is sporadic, you can use smtp_reply_filter to change
>> this into a 4xx error.
>>
>> /etc/postfix/main.cf:
>>     smtp_reply_filter = pcre:/etc/postfix/smtp_reply.pcre
>>
>> /etc/postfix/smtp_reply.pcre
>>     /^5(\d+ )5(.+message failed DMARC Evaluation.+)/ 4${1}4${2}
>>
>>       Wietse
>>
>
> Well, we have 4 dns servers on two separate netblocks (216.x.y.c and
> 209.x.y.c) located in two different cities (Hamilton and Toronto) and using
> two different upstream providers (Rodgers and Verizon).  If it is a DNS
> timeout error then the problem has to be somewhere closer to the AOL end than
> ours.
>
> Our IP addresses are fixed, we run two C class netblocks.
>
> It seems likely to be their error rather than ours. I have never encountered
> the error before and I expect that if we were somehow at fault then we would
> have encountered the problem before now.  But, this DMARC stuff is all new to
> me and a configuration error at our end is always a possibility.
>
> I am travelling tomorrow so I will look into the matter further sometime this
> weekend.  The idea that it is a transient error being reported as hard failure
> had never crossed my mind. That said, now that the idea is raised it seems to
> me to be the case.  AOL employs DMARC in a fairly draconian manner and that
> sort of reply to a dmarc record lookup failure would not surprise me in the
> least.
>
> Thank you for the help.
>
> --
> ***          E-Mail is NOT a SECURE channel          ***
> James B. Byrne                mailto:byrn...@harte-lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
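
The alignment check described in the reply at the top of this thread, as an added example that is not part of any poster's message. The domains are constructed, and the organizational-domain lookup is a simplified assumption standing in for the Public Suffix List.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1), simplified.
# Assumption: the organizational domain is approximated with a tiny constructed
# suffix set; real evaluators use the full Public Suffix List.
CONSTRUCTED_SUFFIXES = {"com", "org", "ca", "co.uk"}

def org_domain(domain):
    """Return the public suffix plus one label (approximation, see above)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in CONSTRUCTED_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_pass(from_domain, mailfrom_domain, spf_pass,
               dkim_domain=None, dkim_pass=False, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both passes and aligns with rfc5322.From."""
    spf_ok = spf_pass and aligned(mailfrom_domain, from_domain, aspf == "s")
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, adkim == "s")
    return spf_ok or dkim_ok

def disposition(policy, passed):
    """Map the published p= value to what a receiver honouring it does."""
    if passed or policy == "none":
        return "deliver"
    return "quarantine" if policy == "quarantine" else "reject"

def demo():
    """Constructed cases: direct delivery, then the same mail relayed by a list."""
    direct = dmarc_pass("example.com", "bounce.example.com", spf_pass=True)
    # The list re-sends with its own envelope sender, so SPF passes only for the
    # list's domain, and an added footer invalidates the author's DKIM signature.
    via_list = dmarc_pass("example.com", "lists.example.org", spf_pass=True,
                          dkim_domain="example.com", dkim_pass=False)
    return disposition("reject", direct), disposition("reject", via_list)

if __name__ == "__main__":
    print(demo())
```
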
