Thanks for all the great advice so far. Currently I'm playing around with opendkim->opendmarc->amavisd on my testserver.
My current postfix setup is using spampd as proxy and thus any opendkim/opendmarc milters won't work in cojunction. I've been planning to switch to amavis and use it as a milter for quite some time now so maybe I should get on with it. So far it's working quite nice, took some time to get all services working together but for now it's running without errors. Compiling opendmarc against libspf2 makes the opendmarc internal SPF checker functional and now the SA SPF checks (triggered by amavis) are firing as well. Cheers o/ On 06.05.17 - 22:54, Matus UHLAR - fantomas wrote: > > > On 06.05.17 15:49, Thore Boedecker wrote: > > > > After looking at the headers it became clear what the issue was: > > > > > > > > It seems that Yahoo (at least yahoo.co.jp) is allowing emails from > > > > @gmail.com senders to be sent through their servers. > > > From: Matus UHLAR - fantomas <[email protected]> > > > @gmail.com From: and envelope from. Sender: was yahoo... > > On 06.05.17 17:55, David Jones wrote: > > The headers imply that this was sent from the Yahoo webmail > > interface which must allow users to setup an "identity" like > > Thunderbird does that allows custom From: and Return-Path: > > headers. They shouldn't allow this in their webmail interface. > > They should not, but this has nothing to do with the DKIM itself. > > > > BTW, their webmail interface should also add an X-Originating-IP: > > header of the client so we could tell which country it was sent > > from. I bet it wasn't Japan. > > Received: header should do that as well: > > Received: from [37.130.224.21] by web101313.mail.kks.yahoo.co.jp via HTTP; > Sat, 06 May 2017 21:41:47 JST > > Hosting Services Inc, GB > > I did test SA run and it did parse the header. > > > > > The funny thing is, that there is a @gmail.com address in both the > > > > 'From:' and 'Return-Path:' headers, but a @yahoo.com address in the > > > > 'Reply-To:' and 'Sender:' headers. > > > > Somehow Yahoo sees no problem in that and is happy to DKIM sign those > > > > emails with a correct *Yahoo* signature. > > > > > I wonder why didn't THE mail hit SPF_SOFTFAIL, since it was supposed to... > > > > The email didn't go through a Google mail server and the envelope-from > > was yahoo.co.jp so SPF should have passed based on IP 183.79.57.110. > > Return-Path: <[email protected]> > > that's not yahoo address (Return-Path is set to envelope from by MTAs). > > Also, the mail SHOULD hit SPF_* rule, if the SPF plugin is loaded, but > there's none. > > maybe because: > > May 6 22:19:09.740 [30047] dbg: spf: relayed through one or more trusted > relays, cannot use header-based Envelope-From, skipping > > ... caused by Received: line containing localhost. the OP should set up spf > policyd on valhalla.nano-srv.net... > > > > > yes: while we can agree that gmail.com is not yahoo's domain, how can DKIM > > > validator know? > > > > Yahoo should stop allowing their webmail interface to control the From: > > and Return-Path: headers. I bet this spammer tried to send the email out > > from Google which blocked it so this is a way to abuse the Yahoo mail > > servers > > that are not good at blocking the outbound spam. > > I doubt Return-Path was set by the sending user, I believe it was set from > envelope from. > > I'm listening if you can proove the opposite. > > > > I don't think this problem lies at DKIM verification, more on > > > trustworthinedd of yahoo who signs such mail, > > > and the fact of missing SPF checks that I pointed out above. > > > > DKIM does authentication and this email was from Yahoo. Note no > > DKIM_VALID_AU since the From: header was gmail.com. > > > > that is in fact change in requirements on DKIM itself... > > > > I bet as we see DMARC gain traction like SPF has this will force these > > major mail hosting providers like Yahoo to shape up. Right now they are > > so big that we can't make them act responsibly. Yahoo should start > > rejecting > > email that is sent through them like this to prevent spammers abusing them. > > > > Google is slowly turning up the heat with DMARC which forces the Internet > > to implement it. I know this is a pain but I went through this pain a few > > years > > ago and now I am glad to see Google using their influence for good. In a > > few > > more years all of our spam filtering will be better because of this. > > Still - this this is not a problem of DKIM itself and comparing DKIM domain > with envelope from will not fix that - it will only break other forwards. > > For now the main problem at receiver's side seems to be missing SPF results. > > -- > Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/ > Warning: I wish NOT to receive e-mail advertising to this address. > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > M$ Win's are shit, do not use it ! --
signature.asc
Description: PGP signature
