I apologize for cross-posting this here but a) the opendmarc list seems to
be very low volume and I'm wondering if a reader on this busier list has
come across this, b) not sure if the mechanism of internal emails and
testing is different than if postfix is sending externally and c) clutching
at straws here.
Installed opendmarc last week in my postfix/amavis-new environment and all
seemed to be working quite well.
If I send a message from us...@example.com to a gmail address and check the
headers, I get a pass on the dmarc check.
If I send an internal email from us...@example.com to us...@example.com, I
get a dmarc fail.
Any idea where I should be checking first?
Authentication-Results: amavis.local (amavisd-new); dkim=pass (1024-bit key)
header.d=example.com
Received: from mail.example.com ([127.0.0.1])
by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Ved6pUoj-cwl for <ianev...@example.com>;
Thu, 20 Apr 2017 14:25:34 -0400 (EDT)
Received: from [10.254.248.55] (unknown [69.42.191.138])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client did not present a certificate)
(Authenticated sender: feedb...@example.com)
by mail.example.com (Postfix) with ESMTPSA id 0F56E2009D7
for <ianev...@example.com>; Thu, 20 Apr 2017 14:25:34 -0400 (EDT)
DMARC-Filter: OpenDMARC Filter v1.2.0 mail.example.com 0F56E2009D7
Authentication-Results: mail.example.com; dmarc=fail header.from=example.com
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m
"${EXTENSION}"
mailbox_size_limit = 0
message_size_limit = 104857600
milter_default_action = accept
milter_protocol = 6
myhostname = carson.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:12345,inet:localhost:54321
policy-spf_time_limit = 3600s
readme_directory = no
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = carson.example.com ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:12345,inet:localhost:54321
smtpd_recipient_restrictions =
reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service
unix:private/policy-spf,reject_rbl_client zen.spamhaus.org,reject_rbl_client
bl.spamcop.net,reject_rbl_client cbl.abuseat.org,check_policy_service inet:
127.0.0.1:10023
smtpd_relay_restrictions =
permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/valid_senders, reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = EXPORT
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = example.com
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
postconf -Mf
smtp inet n - - - - smtpd
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
pickup unix n - - 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F
user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
${user}
smtp-amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks
-o smtpd_milters=
policy-spf unix - n n - - spawn user=nobody
argv=/usr/bin/policyd-spf
sa-spam unix - n n - - pipe
user=amavis:amavis argv=/usr/bin/sa-wrapper.pl spam ${sender}
sa-ham unix - n n - - pipe
user=amavis:amavis argv=/usr/bin/sa-wrapper.pl ham ${sender}
Thanks.
