Package: opendmarc
Version: 1.3.2-6+deb10u1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I started using DMARC and DKIM using both opendkim for signing and verification of DKIM Signatures
and opendmarc to check policies regarding domain alignment, report failures, reject failed emails.

As I added myself in the CC I started wondering about the many failures. So I removed reject to get
the emails and check myself why they failed.

Example:

Return-Path: <supp...@infomaniak.com>
Received: from smtp-8fb4.mail.infomaniak.ch (smtp-8fb4.mail.infomaniak.ch [IPv6:2001:1600:4:17:0:0:0:8fb4])
        by magma.woody.ch (8.15.2/8.15.2/Debian-14~deb10u1) with ESMTPS id 0558TFJS016651
        (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
        for <nob...@woody.ch>; Fri, 5 Jun 2020 10:29:16 +0200
Authentication-Results: magma.woody.ch;
        dkim=pass (1024-bit key; secure) header.d=infomaniak.com header.i=@infomaniak.com header.b="CbZg5UxD";
        dkim-atps=neutral
Authentication-Results: OpenDMARC; dmarc=fail (p=reject dis=none) header.from=infomaniak.com
Received: from h2dmu11.infomaniak.ch (unknown [128.65.195.40])
        by smtp-3-1000.mail.infomaniak.ch (Postfix) with ESMTP id 49dbQr0WTqzlhZQ3;
        Fri,  5 Jun 2020 10:29:08 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=infomaniak.com;
        s=s1024; t=1591345748;
        bh=HHIYggwIYZM6Vv4Bqgw/PkqYPHF6PS4+bI/YdDSwMTI=;
        h=Date:Subject:From:To:References:In-Reply-To:From;
        b=CbZg5UxD8cVHlHVrsN2hDsaQrLFuflU8C9FQUQtyiBENgVwOjBvkvs7kIlUdFeJLK
         FZxplJjqTuBHGEny4W6zaaQJOcABz7dmPJbESItpdaHMPjFX+vfm/g5aKxEr1FJJLT
         F9lSw+3D/0+l+IhQ84TiwbXVXfSm5MktamR/Q3gk=
Received: from tickets.infomaniak.ch (localhost [127.0.0.1])
        by h2dmu11.infomaniak.ch (8.14.5/8.14.5) with ESMTP id 0558T7lD002901;
        Fri, 5 Jun 2020 10:29:08 +0200
Message-ID: <d5db58d1a6340f2d752780d2a2477...@tickets.infomaniak.ch>
Date: Fri, 05 Jun 2020 10:29:07 +0200
Subject: Re: [support #INK-ZIB-19449-823] Abuse report about 128.65.195.112
From: Support Infomaniak Network <supp...@infomaniak.com>
To: nicolask...@hotmail.com, nob...@woody.ch
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
X-Mailer: Cerb 9.3.8 (Build 2019112401)
References: <am6pr02mb4738d591f662f84221765193af...@am6pr02mb4738.eurprd02.prod.outlook.com>
In-Reply-To: <am6pr02mb4738d591f662f84221765193af...@am6pr02mb4738.eurprd02.prod.outlook.com>
[...]
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.5.11 (magma.woody.ch [IPv6:2001:4060:dead:beef:0:0:0:1]); Fri, 05 Jun 2020 10:29:16 +0200 (CEST)
[...]
X-SNCH-Report: ---- Start der SNCH-SpamAssassin Auswertung
         0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                                    [score: 0.5000]
        -0.0 SPF_PASS               SPF: sender matches SPF record
         0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
        -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                                    author's domain
        -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
        -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                                    envelope-from domain
         0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                                    valid
        ---- Ende der SNCH-SpamAssassin Auswertung

As you see, opendkim verified the signature and this passed.
Milter-Greylist passed SPF Test
SpamAssassin passed SPF and DKIM Tests

opendmarc would have rejected this email because of a policy failure (yes, another one of that source got rejected)

So let's check that:

Envelope Sender: supp...@infomaniak.com
From Header: supp...@infomaniak.com

Alignment strict!

infomaniak.com descriptive text "v=spf1 include:spf.infomaniak.ch include:_spf.mailrelay.rrpproxy.net -all"
relay.mail.infomaniak.ch descriptive text "v=spf1 ip4:45.157.188.8/29 ip4:185.125.25.8/29 ip4:83.166.143.168/29 ip4:84.16.66.168/29 ip6:2001:1600:3:17::/64 ip6:2001:1600:4:17::/64 -all"

Sender IP is part of the SPF entry.

I come to no other conclusion, that email should have passed SPF / DKIM and the whole DMARC Test.

So I have to assume, opendmarc has a serious bug which causes those tests to fail in many cases.

Unfortunately I have not found any debug options which would lead to an output showing WHY exactly opendmarc is failing
on such emails.

Please advise.

-Benoît-


-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages opendmarc depends on:
ii  adduser                3.118
ii  dbconfig-mysql         2.0.11+deb10u1
ii  debconf [debconf-2.0]  1.5.71
ii  libbsd0                0.9.1-2
ii  libc6                  2.28-10
ii  libmilter1.0.1         8.15.2-14~deb10u1
ii  libopendmarc2          1.3.2-6+deb10u1
ii  libspf2-2              1.2.10-7+b5
ii  lsb-base               10.2019051400
ii  publicsuffix           20190415.1030-1

Versions of packages opendmarc recommends:
ii  libdbd-mysql-perl     4.050-2
ii  libdbi-perl           1.642-1+b1
ii  libhttp-message-perl  6.18-1
ii  libopendbx1           1.4.6-13+b1
ii  libopendbx1-mysql     1.4.6-13+b1
ii  libswitch-perl        2.17-2
ii  perl                  5.28.1-6

Versions of packages opendmarc suggests:
ii  libmime-tools-perl  5.509-1
pn  libxml-simple-perl  <none>
ii  python              2.7.16-1
pn  python-mysqldb      <none>

-- Configuration Files:
/etc/opendmarc.conf changed:
AuthservID OpenDMARC
FailureReports true
PidFile /var/run/opendmarc/opendmarc.pid
PublicSuffixList /usr/share/publicsuffix
RejectFailures false
Socket inet6:8891
Syslog true
UMask 0002
UserID opendmarc
IgnoreAuthenticatedClients true
FailureReportsBcc paniz...@woody.ch
HistoryFile /run/opendmarc/opendmarc.dat
CopyFailuresTo paniz...@woody.ch
FailureReportsSentBy paniz...@woody.ch
IgnoreHosts /etc/opendmarc/ignore.hosts


-- debconf information:
  opendmarc/mysql/app-pass: (password omitted)
  opendmarc/mysql/admin-pass: (password omitted)
  opendmarc/password-confirm: (password omitted)
  opendmarc/app-password-confirm: (password omitted)
  opendmarc/remote/newhost:
  opendmarc/dbconfig-upgrade: true
  opendmarc/mysql/admin-user:
  opendmarc/install-error: abort
  opendmarc/database-type: mysql
  opendmarc/remote/host: localhost
  opendmarc/upgrade-backup: true
* opendmarc/dbconfig-install: false
  opendmarc/internal/reconfiguring: false
  opendmarc/remove-error: abort
  opendmarc/db/app-user:
  opendmarc/upgrade-error: abort
  opendmarc/remote/port: 3306
  opendmarc/mysql/method: Unix socket
  opendmarc/internal/skip-preseed: false
  opendmarc/dbconfig-reinstall: false
  opendmarc/passwords-do-not-match:
  opendmarc/db/dbname: opendmarc
  opendmarc/missing-db-package-error: abort
  opendmarc/dbconfig-remove: true
  opendmarc/purge: false
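
A simplified model of the DMARC identifier-alignment check (RFC 7489), applied to the first Authentication-Results header quoted in the report above. This is an added example, not OpenDMARC's code and not part of the original report; the function names, the `trusted_ids` parameter and the short public-suffix set are assumptions of the example.

```python
import re

# Stand-in for the Public Suffix List; a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "ch", "net", "co.uk"}

# Field value of the first Authentication-Results header quoted in the report.
SAMPLE_AR = ('magma.woody.ch; dkim=pass (1024-bit key; secure) '
             'header.d=infomaniak.com header.i=@infomaniak.com '
             'header.b="CbZg5UxD"; dkim-atps=neutral')

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict):
    """Strict alignment needs an exact match; relaxed compares org domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_authres(value):
    """Split a field value into (authserv_id, [(method, result, props)])."""
    value = re.sub(r"\([^)]*\)", " ", value)  # comments may contain ';'
    authserv_id, _, rest = value.partition(";")
    results = []
    for clause in rest.split(";"):
        m = re.match(r"\s*([\w-]+)=(\w+)(.*)", clause, re.S)
        if m:
            props = dict(re.findall(r'([\w.-]+)=("[^"]*"|\S+)', m.group(3)))
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv_id.strip(), results

def dmarc_eval(from_domain, ar_values, trusted_ids, adkim_strict=False, aspf_strict=False):
    """Pass if any trusted header carries an aligned dkim=pass or spf=pass."""
    for value in ar_values:
        authserv_id, results = parse_authres(value)
        if authserv_id not in trusted_ids:
            continue  # results from other authserv-ids are not trusted
        for method, result, props in results:
            key = {"dkim": "header.d", "spf": "smtp.mailfrom"}.get(method)
            dom = props.get(key, "").rpartition("@")[2] if key else ""
            strict = adkim_strict if method == "dkim" else aspf_strict
            if result == "pass" and dom and aligned(dom, from_domain, strict):
                return "pass", f"{method} {dom}"
    return "fail", "no trusted, aligned pass result"
```

With `trusted_ids={"magma.woody.ch"}` and strict alignment the quoted header evaluates to pass; with only `{"OpenDMARC"}` trusted, the same header is skipped and the result is fail.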
