sanity-check postfix XCLIENT usage ?

Wed, 21 Oct 2020 10:14:58 -0700 

I'm using Postfix's XCLIENT to synthesize/inject a test email into my 
postfix->filter/milter->delivery chain.

I'd like to verify that my XCLIENT usage isn't the cause of the delivery 
failure I see below ...

@ this postfix instance, mail flows as

-> postscreen (@ IP = 203.0.113.1)
        |
        internal smptd
        |
        spf policy engine (no reject; check + header only)
        |
        preQ milters: opendkim, opendmarc, clamav-milter, spamassassin-milter
        |
        lmtp -> dovecot

I've no inbound/outbound issues.

Except ...

... from a single source -- @intuit.com.  it's FAIL'ing @ opendmarc checks.

I've online-checked SPF/DMARC records for 'intuit.com'; all _seems_ to be ok.
I've cranked up opendmarc logging level to

        MilterDebug 5

with that, on failed attempt, I see only an unhelpful

        Oct 21 09:43:39 mx.example.com opendmarc[7977]: 4CGbb3aX1Pz2N: 
intuit.com fail

I'm trying to use XCLIENT to replicate the issue so I can test, rinse & repeat.

Trying 1st from @gmail.com (or any domain i've tried _other_ than 'intuit.com')

using data pulled from postfix logs for a SUCCESSFUL [email protected] delivery,
@ an opened 'openssl s_client' session to my postfix external IP, injecting

        XCLIENT NAME=mail-vs1-f46.google.com ADDR=209.85.217.46 PORT=40169 
PROTO=ESMTP HELO=mail-vs1-f46.google.com DESTADDR=203.0.113.1 DESTPORT=25
        MAIL FROM:<[email protected]>
        RCPT TO:<[email protected]>
        DATA
        test message
        (CR/LF)
        .
        (CR/LF)

mail passes all filters, and is delivered cleanly.

I'm able to repeat the success for any/all of the non-intuit.com senders I try.

Switching to the data pulled from postfix logs for a FAILED [email protected] 
delivery,
again @ an opened 'openssl s_client' session to my postfix external IP, 
injecting

        XCLIENT NAME=55.57.138.139.in-addr.arpa.iphmx.com ADDR=139.138.57.55 
PORT=62440 PROTO=ESMTP HELO=esa3.hc3812-35.iphmx.com DESTADDR=203.0.113.1 
DESTPORT=25
        MAIL FROM:<[email protected]>
        RCPT TO:<[email protected]>
        DATA
        test message
        (CR/LF)
        .
        (CR/LF)

fails in the session with

        550 5.7.1 rejected by DMARC policy for intuit.com

and is not delivered.

Before I take this up as an opendmarc question (my config &/or bug), & do more 
thorough digging re: intuit's published records,

(1) Is there anything obviously wrong/missing in that^ XCLIENT usage generally, 
or in the specific intuit.com case above, that would suggest a cause for the 
dmarc/milter FAIL, that 1st needs fixing?

I _suspect_ not, given the success with all _other_ domains ...

Reply via email to