Hi name less

On Wed, Oct 21, 2020 at 10:13:54AM -0700, PGNet Dev wrote:
> I've online-checked SPF/DMARC records for 'intuit.com'; all _seems_ to be ok.
> I've cranked up opendmarc logging level to
>       MilterDebug 5
> with that, on failed attempt, I see only an unhelpful
>       Oct 21 09:43:39 mx.example.com opendmarc[7977]: 4CGbb3aX1Pz2N: 
> intuit.com fail

This is not Postfix!

> Trying 1st from @gmail.com (or any domain i've tried _other_ than 
> 'intuit.com')

Please see the DMARC policy of gmail.com, especially the "none" policy:

| _dmarc.gmail.com. IN TXT "v=DMARC1; p=none; sp=quarantine; […]"

> using data pulled from postfix logs for a SUCCESSFUL fr...@gmail.com delivery,
> @ an opened 'openssl s_client' session to my postfix external IP, injecting
> 
>       XCLIENT NAME=mail-vs1-f46.google.com ADDR=209.85.217.46 PORT=40169 
> PROTO=ESMTP HELO=mail-vs1-f46.google.com DESTADDR=203.0.113.1 DESTPORT=25
>       MAIL FROM:<randomu...@gmail.com>
>       RCPT TO:<testu...@example.com>
>       DATA
>       test message
>       (CR/LF)
>       .
>       (CR/LF)

This mail is not signed by gmail.com!  But as the policy is none, it's
not rejected or otherwise handled.

> Switching to the data pulled from postfix logs for a FAILED fr...@intuit.com 
> delivery,
> again @ an opened 'openssl s_client' session to my postfix external IP, 
> injecting

Please see the DMARC policy of intuit.com, especially the "reject" policy:

| _dmarc.intuit.com. IN TXT "v=DMARC1; p=reject; […]"

>       XCLIENT NAME=55.57.138.139.in-addr.arpa.iphmx.com ADDR=139.138.57.55 
> PORT=62440 PROTO=ESMTP HELO=esa3.hc3812-35.iphmx.com DESTADDR=203.0.113.1 
> DESTPORT=25
>       MAIL FROM:<randomu...@intuit.com>
>       RCPT TO:<testu...@example.com>
>       DATA
>       test message
>       (CR/LF)
>       .
>       (CR/LF)
> 
> fails in the session with
> 
>       550 5.7.1 rejected by DMARC policy for intuit.com
> 
> and is not delivered.

This mail is not signed by intuit.com!  And SPF interaction is pretty
weird for the HELO-only case.  So you _must_ use a real signed e-mail to
check DMARC interaction.

> (1) Is there anything obviously wrong/missing in that^ XCLIENT usage 
> generally, or in the specific intuit.com case above, that would suggest a 
> cause for the dmarc/milter FAIL, that 1st needs fixing?

No, but it changes almost nothing for DMARC interactions, as DMARC looks
at header information, not envelope, in almost all cases.

Bastian

-- 
Virtue is a relative term.
                -- Spock, "Friday's Child", stardate 3499.1
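The point made in the reply above, that an unsigned message is only rejected when the header From domain publishes p=reject and that the XCLIENT envelope barely matters, can be made concrete with a small DMARC disposition evaluator. The following is an added example, not code from the thread, from Postfix or from OpenDMARC. The two records are constructed to match the shape quoted above (the real records carry more tags), the SPF and DKIM results fed in are constructed inputs rather than live lookups, and the organisational-domain logic is simplified to "last two labels" instead of a public-suffix list lookup.

```python
# Added example: minimal DMARC disposition evaluator (simplified RFC 7489).
# Not the code of Postfix or OpenDMARC; a stand-alone illustration.
from __future__ import annotations

# Constructed records shaped like the ones quoted in the reply; the real
# records contain additional tags that are elided here.
GMAIL_RECORD = "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc-reports@example.com"
INTUIT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag=value pairs."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: keep the last two labels.
    (A real implementation consults the public suffix list.)"""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' (the default)
    only requires the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(record_txt: str, record_domain: str, header_from: str,
             spf_result: tuple[str, str] = ("none", ""),
             dkim_results: tuple[tuple[str, str], ...] = ()) -> dict[str, object]:
    """Compute the DMARC result and disposition for one message.

    record_txt    - the _dmarc TXT record that was found
    record_domain - the domain the record was fetched for (header From
                    domain, or its organisational domain on fallback)
    header_from   - the domain of the RFC5322.From header (not MAIL FROM)
    spf_result    - (result, authenticated domain) from the SPF check on
                    the envelope MAIL FROM, or HELO when MAIL FROM is empty
    dkim_results  - (result, d= domain) per DKIM signature present
    """
    tags = parse_dmarc_record(record_txt)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")

    # Either mechanism passes only if it passed AND its domain aligns with
    # the header From; the envelope sender by itself never decides DMARC.
    spf_ok = spf_result[0] == "pass" and aligned(spf_result[1], header_from, aspf)
    dkim_ok = any(res == "pass" and aligned(dom, header_from, adkim)
                  for res, dom in dkim_results)
    passed = spf_ok or dkim_ok

    # Subdomain policy 'sp' applies when the record came from the org domain
    # and the header From is a subdomain of it; otherwise 'p' applies.
    policy = tags.get("p", "none")
    if header_from.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]

    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy,
    }


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: unsigned test messages.
    print(evaluate(GMAIL_RECORD, "gmail.com", "gmail.com", ("none", "gmail.com")))
    print(evaluate(INTUIT_RECORD, "intuit.com", "intuit.com", ("fail", "intuit.com")))
    print(evaluate(INTUIT_RECORD, "intuit.com", "intuit.com",
                   dkim_results=(("pass", "intuit.com"),)))
```

Run as a script it prints the three scenarios: an unsigned gmail.com message fails DMARC yet gets disposition none, the same shape of message for intuit.com gets reject, and only a genuinely signed (or SPF-aligned) message passes, which is why the reply insists on testing with real signed mail rather than an XCLIENT replay.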
