[pfx] gmail failing SPF/DKIM
I maintain several web sites containing at least one web form. Forms are sent to my established postfix server to be turned into properly constructed email and sent on. The server is used for many conventional emails per day and set up to provide suitable dkim etc. All domains have correct SPF, DKIM and DMARC records.

No problem with receiving these forms at relevant clients' and my own mailboxes. The forms also send a copy to the sender as confirmation. Most of these, as far as I know, get delivered but recently gmail has been rejecting them with the message:

550-5.7.26 This mail has been blocked because the sender is unauthenticated.
550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
550-5.7.26 Authentication results:
550-5.7.26 DKIM = did not pass
550-5.7.26 SPF = did not pass

I have sent a form confirmation to my protonmail account and it passes with no problem; spf, dkim and dmarc are all valid/pass. Anyone know why this could be so, please?

If someone wishes to check this, a typical form (which is sent to me with copy to "you") is at https://www.linkcheck.co.uk/ under menu option Contact & Enquiries.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: gmail failing SPF/DKIM
(Sorry, Wietse, I always forget to change the To field)

> gmail rejects all messages

Seemingly only from web forms. We are in daily contact with at least one gmail user, with no problem, using the example domain I posted and with which I'm posting this. We do get a small number of genuine bounces from google due to spammers but I'll make a note of your suggestion. Thank you
[pfx] Re: [ext] gmail failing SPF/DKIM
Thank you, Ralf; I got the form ok.

> Looking good if you ask me

Thanks. I couldn't fault it, either.
[pfx] Re: [ext] gmail failing SPF/DKIM
I know that comment was not aimed at me but: I meant to include the protonmail header at the outset but forgot. Sorry. Below is all the header except protonmail's anti-spam section; I hope it helps.

==
Return-Path:
X-Original-To: linkch...@protonmail.com
Delivered-To: linkch...@protonmail.com
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=linkcheck.co.uk header.a=rsa-sha256
Authentication-Results: mail.protonmail.ch; dmarc=pass (p=reject dis=none) header.from=linkcheck.co.uk
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=linkcheck.co.uk
Authentication-Results: mail.protonmail.ch; arc=none smtp.remote-ip=185.35.151.121
Authentication-Results: mail.protonmail.ch; dkim=pass (2048-bit key) header.d=linkcheck.co.uk header.i=@linkcheck.co.uk header.b="aME9BZCV"
Received: from mail.bristolweb.net (mail.bristolweb.net [185.35.151.121])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mailin029.protonmail.ch (Postfix) with ESMTPS id 4Sf5mk3JF0z9vNQc
    for ; Mon, 27 Nov 2023 13:20:22 + (UTC)
Received: from bristolweb.net (unknown [185.35.148.202])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mail.bristolweb.net (Postfix) with ESMTPSA id 3C22E320306
    for ; Mon, 27 Nov 2023 13:20:13 + (GMT)
Dkim-Filter: OpenDKIM Filter v2.10.3 mail.bristolweb.net 3C22E320306
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linkcheck.co.uk;
    s=mail; t=1701091213;
    bh=S5/3sqlIYmgIYOvNb2ssVfXYaWT2GE56yHcXn92FzLc=;
    h=Date:To:From:Reply-To:Subject:From;
    b=aME9BZCVwQl1Dqp2qfjODGJpk6O40QkJVPwTd8lYpx2RJIbCgQxga0bDZQPeP/HQv
    t7TcyAC3spO0qI0STwEqgDTdv26WsLMNtKNP2Bwjy/WtKqA0PAKIQ3ccQo8pWE1OvL
    0DgCcd+vvGea8x+xej8E4lxVNOcLRapqgIW9Rosocjo5MlQ0pRiREbL4Bbth9gIXTr
    dL1VCSHA9ihF/aiRI+zIhehL+sA0tqoZOH1j+LNOjSVnMuaO6Mnph/gyR9de8aGZtc
    h/YgRaT2MVLNf6ntsk6qRKzuTJ2/9XKr71uotxbKAHLn6HzzB9nXoPPRvxGMn2obRR
    Fif83WWl/CJ7w==
Date: Mon, 27 Nov 2023 13:20:13 +
To: Dave Stiles
From: EnquiryForm
Reply-To: EnquiryForm
Subject: Linkcheck Enquiry: Ref LK_XK27131943E
Message-Id:
X-Mailer: BW-4
X-Originating-Ip: 46.33.129.43
X-Form-Host: www.linkcheck.co.uk
X-Complaints-To: abuse (at) bristolweb.net
Mime-Version: 1.0
Content-Type: text/plain
==
[pfx] Re: gmail failing SPF/DKIM
Thanks, Shawn, appreciated. Hadn't thought of the dmarc report; I'll check it out.
[pfx] Re: gmail-headers
Thanks for that, Matthew. So not all gmail ones fail. Hmm.
[pfx] Re: gmail failing SPF/DKIM
The dmarc results are ambiguous: r pass although dkim fails both tests.

=
google.com noreply-dmarc-supp...@google.com https://support.google.com/a/answer/2466580 10845692433607357330 1701043200 1701129599 bristolweb.net r r reject reject 100 reject 185.35.151.121 1 none fail pass mail.bristolweb.net mail.bristolweb.net pass
=
[pfx] Re: [ext] gmail failing SPF/DKIM
If it's only "largely redundant" I would expect G to possibly ignore it but not fail on it.
[pfx] Re: [ext] gmail failing SPF/DKIM
> ipv6

I have...
inet_protocols = ipv4
... with no AAAA record

But thanks anyway, Peter.
[pfx] Re: gmail failing SPF/DKIM
On 28/11/2023 3:07 pm, Bill Cole via Postfix-users wrote:
> That's not a result, that's part of the DMARC policy

Oh. Thank you for the correction, Bill. :)

> That should not be enough... Something is wrong. I wonder if there is a DNS-resolving delay but I guess I'm not going to easily discover that. :(
[pfx] Re: gmail failing SPF/DKIM
> ... soft_bounce turned on.

Thanks, Wietse, I'll look into it.
[pfx] Re: gmail failing SPF/DKIM
> GMAIL From: address

From and Reply-To addresses are all based on the sender domain, so not appropriate.
[pfx] Re: gmail failing SPF/DKIM
Thanks for all your help, guys. Appreciated!
[pfx] Not all errors are postfix's fault
Saturday morning I put my new postfix mail server into operation, replacing a years-old previous incarnation (about 15 user domains). The new one, which has been under test for a long time, seemed to work with no problems.

Monday morning I had two user complaints - could not send mail from Thunderbird. Panic! Then a pause for thought and analysis. The problem? For some reason BOTH Thunderbirds had been set up to send authenticated via port 25. The old server, unknown to me, was ok with that. I advised them to change to port 587 and they were up and running again. Case solved... Sort of.

I now have a problem where (it seems) ALL authenticated mail is not being dkim signed and spamassassin is complaining that the only Received: from header is the sender's dynamic sending address. When testing, this did not show up because my own sending IP is static with a fqdn and rdns. SPF and DMARC on the receiving mail server, after passing through mine, show valid/pass, just no dkim.

I have cross-checked the new setup against the old one and cannot discover the problem. Could someone here help, please?

postconf -n...

==
2bounce_notice_recipient = boun...@ssph.org.uk
address_verify_map = proxy:btree:/var/lib/postfix/verify_cache
address_verify_sender_ttl = 237m
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_notice_recipient = ad...@ssph.org.uk
bounce_queue_lifetime = 5d
broken_sasl_auth_clients = yes
compatibility_level = 3.6
confirm_delay_cleared = no
delay_notice_recipient = ad...@ssph.org.uk
delay_warning_time = 2h
disable_vrfy_command = yes
error_notice_recipient = serv...@ssph.org.uk
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C RESOLV_MULTI=on
inet_interfaces = all
inet_protocols = ipv4
internal_mail_filter_classes = bounce
mailbox_size_limit = 0
maximal_queue_lifetime = 5d
message_size_limit = 4096
milter_connect_macros = j {daemon_name} {daemon_addr} v _
milter_default_action = accept
milter_mail_macros = i b
milter_protocol = 6
milter_rcpt_macros = i b
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
mua_milters = unix:/var/run/opendkim/opendkim.sock, unix:/var/run/clamav/clamav-milter.ctl
mydestination = $myhostname, localhost
mydomain = bristolweb.net
myhostname = mail.bristolweb.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 46.33.129.43 185.35.151.92 185.35.151.93 185.35.151.97 185.35.151.100 185.35.151.102 185.35.148.202
mynetworks_style = host
myorigin = $myhostname
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock
notify_classes = software, delay, bounce, 2bounce, resource, protocol, data
policy-spf_time_limit = 3600s
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-relay-domains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql_relay_recipients.cf
relayhost =
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks.pcre
smtp_host_lookup = dns
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_client_hostname reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/white_bypass.pcre check_helo_access cidr:/etc/postfix/ip_check_whitelist reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname check_helo_access cidr:/etc/postfix/ip_check_blacklist check_helo_access pcre:/etc/postfix/helo_checks.pcre reject_unauth_pipelining permit
smtpd_milters = unix:/var/run/opendkim/opendkim.sock, unix:/var/run/opendmarc/opendmarc.sock, unix:/var/run/spamass/spamass.sock, unix:/var/run/clamav/clamav-milter.ctl
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_non_fqdn_hostname reject_non_fqdn_recipient reject_unknown_recipient_domain reject_invalid_hostname reject_unauth_pipelining reject_unverified_recipient reject_unlisted_recipient check_recipient_access pcre:/etc/postfix/recipient_checks.pcre check_policy_service unix:private/policy-spf reject_rbl_client zen.spamhaus.org=127.0.0.[2..11] reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99] reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99] reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99] warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255] permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_au
[pfx] Re: Not all errors are postfix's fault
Thank you for your response, Viktor.

> How does your milter decide which messages to sign? Does it perhaps look for:
> milter_macro_daemon_name=ORIGINATING

I originally had this in place but could find no reason for it online nor any sufficient reason to use it, so I removed it, with no apparent change in performance. It was in use on the old server but no sign of a macro it could refer to. I have now replaced it but am unsure what to do to satisfy its inclusion.

> which should then be set for the submission service in master.cf? Or
> does it have a set of client IP CIDR blocks that it considers internal?

No CIDR that I'm aware of. How do I implement this, please?

> "postconf -Mf" output

My apologies. I was unaware of the f switch.
[pfx] Re: Not all errors are postfix's fault
Thanks, I've now enabled that. I'm pretty sure the reason, though, is the single Received line, which does (can) not give the domain's signing key from DNS.
[pfx] Re: SMTP Smuggling short & long term fixes
On 20/12/2023 3:51 pm, Wietse Venema via Postfix-users wrote:
> "smtpd_forbid_unauth_pipelining = yes

I tried that (3.7.6) and got...

warning: unknown smtpd restriction: "smtpd_forbid_unauth_pipelining"

Where should I have placed it?
[pfx] Re: SMTP Smuggling short & long term fixes'
I assumed it should be in main.cf. I meant which section. I tried to redefine it in smtpd_helo_restrictions since that seemed reasonable. Running postconf shows it, as you say set to no but I cannot set it to yes.

--
Dave Stiles
Linkcheck
Bristol Web Design
Tel: 0117 9248413
https://www.bristolweb.net
https://www.linkcheck.co.uk
[pfx] Re: SMTP Smuggling short & long term fixes
Thanks, Bill. That did it. :)
[pfx] Re: Not all errors are postfix's fault
Viktor, thank you for your help. It prompted me first to look again at opendkim.conf and the various files of hosts, which were not entirely correct.

Still one problem left after the corrections which, with your prompt re: macros, I tracked down to

milter_mail_macros = i b

in main.cf, which I replaced with:

milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}

The milter_mail_macros keyword was not in the old server's setup, a difference I had overlooked.

Thank you again!
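An added example, not part of the thread: a check over `postconf -n` output for the override described above, where an explicit `milter_mail_macros` replaces the Postfix default and drops the SASL macros the milter sees at MAIL FROM. It assumes the signing milter relies on `{auth_type}` to recognise authenticated submissions (OpenDKIM is assumed to behave this way); the function names and the `OLD_SERVER` sample are constructed for illustration.

```python
# Postfix's built-in default for milter_mail_macros, per postconf(5).
DEFAULT_MAIL_MACROS = ("i {auth_type} {auth_authen} {auth_author} "
                       "{mail_addr} {mail_host} {mail_mailer}")
# Assumption: the signing milter needs this macro to recognise SASL mail.
REQUIRED = {"{auth_type}"}

def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    params = {}
    for line in text.splitlines():
        # Split at the first '=' only; values may contain '=' themselves.
        name, sep, value = line.partition("=")
        if sep and name.strip():
            params[name.strip()] = value.strip()
    return params

def missing_auth_macros(postconf_text):
    """Return required macros that Postfix will not send at MAIL FROM."""
    params = parse_postconf(postconf_text)
    # An unset parameter falls back to the default, which includes them.
    effective = params.get("milter_mail_macros", DEFAULT_MAIL_MACROS)
    sent = set(effective.replace(",", " ").split())
    return sorted(REQUIRED - sent)

# Constructed inputs: a config that never sets the parameter, the override
# from the posted postconf -n output, and the replacement from the fix.
OLD_SERVER = "milter_protocol = 6\n"
NEW_BROKEN = "milter_mail_macros = i b\nmilter_protocol = 6\n"
NEW_FIXED = ("milter_mail_macros = i {mail_addr} {client_addr} "
             "{client_name} {auth_authen} {auth_type}\n")

if __name__ == "__main__":
    for label, conf in (("old", OLD_SERVER), ("broken", NEW_BROKEN),
                        ("fixed", NEW_FIXED)):
        print(label, missing_auth_macros(conf))
```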
[pfx] Re: Blocking by IP using check_helo_access
Thank you for your reply, Viktor. So I've been wrong for the past few years in thinking it was working. Surprising (to me!) but yet another warning to not pick up "working configurations" from web sites (and possibly mis-read them). :( I understand what you're saying. I may have mistaken check_helo_a_access as a mis-print for check_helo_access. I'll look more carefully at the options. Again, thank you for your response. :)
[pfx] mail.log and mail.info
I am recently seeing an almost exact similarity between mail.log and mail.info, to the extent I am now querying the usefulness of looking at mail.info at all. Am I missing something?

In main.cf I have

smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

and no other obvious log control.
[pfx] Re: mail.log and mail.info
Ah, thanks. Yes, of course. 🙁
[pfx] Re: mail.log and mail.info
Ok, thanks, yes, debian.