On Tue, Jan 17, 2023 at 07:55:08PM +0100, Maurizio Caloro <mauri...@caloro.ch> wrote:
>
> On 17.01.2023 at 03:34, Scott Kitterman wrote:
> >
> > On January 17, 2023 2:25:34 AM UTC, raf <post...@raf.org> wrote:
> > > On Mon, Jan 16, 2023 at 08:01:10PM +0100, Maurizio Caloro <mauri...@caloro.ch> wrote:
> > >
> > > > Hello
> > > >
> > > > Please one more thing about Opendmarc, if send any email to any where
> > > > i see in log SPF fail, domain.ch fail ?
> > > >
> > > > Jan 16 19:43:39 nmail opendkim[16490]: B6090404C3: DKIM-Signature field added (s=nmail, d=caloro.ch)
> > > > Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: SPF(mailfrom): caloro.ch fail
> > > > Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: caloro.ch fail
> > > >
> > > > if receive any mail from any where, any thing pass
> > > > Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: mailc-bb.linkedin.com [A.B.C.D] not internal
> > > > Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: not authenticated
> > > > Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: message has signatures from linkedin.com, mailc.linkedin.com
> > > > Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: signature=muv88Rcz domain=linkedin.com selector=d2048-201806-01 result="no signature error"; signature=IKaXoyzS domain=mailc.linkedin.com selector=proddkim1024 result="no signature error"
> > > > Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: DKIM verification successful
> > > > Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: s=d2048-201806-01 d=linkedin.com SSL
> > > > Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3 ignoring Authentication-Results at 2 from nmail.caloro.ch
> > > > Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: SPF(mailfrom): bounce.linkedin.com pass
> > > > Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: linkedin.com pass
> > > >
> > > > --
> > > > on the header from any mail that i send will appear following
> > > > Authentication-Results-Original: caloro.ch, calm-ness.ch; spf=fail
> > > >
> > > > # cat opendmarc.conf
> > > > AuthservID caloro.ch, calm-ness.ch
> > > > AuthservIDWithJobID false
> > > > AutoRestart false
> > > > AutoRestartRate 10/1h
> > > > Background true
> > > > DNSTimeout 5
> > > > HistoryFile /var/spool/postfix/opendmarc/opendmarc.dat
> > > > *IgnoreAuthenticatedClients true*
> > > > IgnoreHosts /etc/opendmarc/ignore.hosts
> > > > PidFile /var/run/opendmarc/opendmarc.pid
> > > > RejectFailures false
> > > > RequiredHeaders true
> > > > PublicSuffixList /etc/opendmarc/effective_tld_names.dat
> > > > Socket inet:8892@127.0.0.1
> > > > SoftwareHeader true
> > > > SPFSelfValidate true
> > > > SPFIgnoreResults false
> > > > Syslog true
> > > > SyslogFacility mail
> > > > # TrustedAuthservIDs nmail.caloro.ch, nmail.calm-ness.ch
> > > > TrustedAuthservIDs caloro.ch, calm-ness.ch
> > > > UMask 077
> > > > UserID opendmarc:opendmarc
> > > >
> > > > if checking online dmarc, dkim, spf from domain appear anything correct!
> > > > please why me email will fail?
> > > >
> > > > thanks for any hint
> > > > Mauri
> > >
> > > I could be wrong, but I suspect that the problem is
> > > that you haven't configured OpenDMARC to not check
> > > locally originating mail. According to the first
> > > Received: header, the mail is coming from 37.120.190.188
> > > (which is mentioned in multiple ways in the SPF record),
> > > but your mail server at that IP address shouldn't be
> > > performing this check on outgoing mail.
> > >
> > > Perhaps you need to add this to your /etc/opendmarc.conf:
> > >
> > > IgnoreAuthenticatedClients true
> > >
> > > Unfortunately, the code doing the SPF check doesn't
> > > explain why it failed. Some do. For example, the
> > > package on Debian would
> > > probably show the IP address that caused the failure.
> > > Maybe it's 127.0.0.1 (or the IP address of an
> > > authenticated submission client).
> >
> > The internal SPF implementation in OpenDMARC is not a full
> > implementation of the protocol. In general, you are likely to be
> > better off having something SPF specific check SPF and then have
> > OpenDMARC consume that result for its DMARC processing. If you
> > are inclined towards Perl, then postfix-policyd-spf-perl is a good
> > choice. SPF Engine supports either a milter (pyspf-milter) or
> > policy server (postfix-policyd-spf-python) interface with Postfix,
> > depending on which you prefer, if you're up for a Python based
> > solution.
> >
> > Scott K
>
> this was before always in opendmarc.conf present
> IgnoreAuthenticatedClients true
>
> # opendmarc-check caloro.ch
> DMARC record for caloro.ch:
> Sample percentage: 100
> DKIM alignment: strict
> SPF alignment: relaxed
> Domain policy: none
> Subdomain policy: unspecified
> Aggregate report URIs:
> mailto:etczb...@ag.dmarcian-eu.com
> Failure report URIs:
> (none)
>
> but please why "fail" appear, i think this will post from opendmarc
>
> Jan 17 19:17:50 nmail opendkim[801]: 6A2F040132: DKIM-Signature field added (s=nmail, d=caloro.ch)
> Jan 17 19:17:50 nmail opendmarc[766]: 6A2F040132: SPF(mailfrom): caloro.ch fail
> Jan 17 19:17:50 nmail opendmarc[766]: 6A2F040132: caloro.ch fail
>
> [...]
>
> how i can this trace so that i can find the right solution?
>
> thanks
> Mauri

If you had already added "IgnoreAuthenticatedClients true" to
your /etc/opendmarc.conf, then the next thing to try is to
install postfix-policyd-spf-python or postfix-policyd-spf-perl
(or the equivalent package on your operating system), and then
configure postfix to use it. See
https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
for details.

Then, you might get more information in your SPF-related
authentication headers.

If that doesn't help, I'd consider adding some debugging to
OpenDMARC to get it to include its reasons for failing in a log
message (or in the authentication header itself). But hopefully,
that won't be necessary.

cheers,
raf
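
An added example, not part of the original thread: a short Python script that correlates the opendkim and opendmarc log lines quoted above by Postfix queue ID and lists messages that this host signed itself (so they are outbound) but that OpenDMARC still SPF-checked, which is the situation suspected in the thread. The function names and regular expressions are assumptions based only on the log shapes shown in the thread; the sample lines are taken from the quoted excerpts and rejoined onto single lines.

```python
import re
from collections import defaultdict

# Sample input: log lines quoted in the thread, rejoined onto single lines.
SAMPLE_LOG = """\
Jan 16 19:43:39 nmail opendkim[16490]: B6090404C3: DKIM-Signature field added (s=nmail, d=caloro.ch)
Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: SPF(mailfrom): caloro.ch fail
Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: caloro.ch fail
Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: DKIM verification successful
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3 ignoring Authentication-Results at 2 from nmail.caloro.ch
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: SPF(mailfrom): bounce.linkedin.com pass
Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: linkedin.com pass
"""

# daemon[pid]: QUEUEID[:] message   (the colon after the queue ID is sometimes absent)
LINE = re.compile(r"\s(opendkim|opendmarc)\[\d+\]: ([0-9A-Za-z]+):? (.*)$")
SIGNED = re.compile(r"DKIM-Signature field added \(s=\S+, d=([^)\s]+)\)")
SPF = re.compile(r"SPF\(mailfrom\): (\S+) (\w+)$")


def correlate(log_text):
    """Group the opendkim/opendmarc events of each message by queue ID."""
    msgs = defaultdict(lambda: {"signed_as": None, "spf": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "opendkim" and (s := SIGNED.search(rest)):
            msgs[qid]["signed_as"] = s.group(1)   # signed here => outbound mail
        elif daemon == "opendmarc" and (s := SPF.search(rest)):
            msgs[qid]["spf"] = (s.group(1), s.group(2))
    return dict(msgs)


def outbound_checked_by_dmarc(log_text):
    """Queue IDs that opendkim signed AND opendmarc SPF-evaluated."""
    return {qid: ev["spf"] for qid, ev in correlate(log_text).items()
            if ev["signed_as"] and ev["spf"]}


if __name__ == "__main__":
    for qid, (domain, result) in outbound_checked_by_dmarc(SAMPLE_LOG).items():
        print(f"{qid}: outbound mail evaluated by opendmarc, SPF {domain} {result}")
```

Any queue ID this reports is a message OpenDMARC evaluated even though it originated locally, so the ignore settings (IgnoreAuthenticatedClients, IgnoreHosts) are not matching the client that submitted it.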