Wolfgang Agnes
2024-11-12 17:56:12 UTC
I've been able to see my spf, dkim and opendmarc policy working with
SMTPs that are not my own. My problem has been with the filters on my
own system. Even though my SMTP seems to add the SPF header and the
DKIM headers, it seems that opendmarc on my system never seems satisfied
and so it seems to always fail every message I send out. I describe my
entire system further below, but I think I should begin with the
symptoms first. I appreciate any help on this. Thanks!
(*) A test message sent to a remote site
%swaks --to ***@remote.site --from ***@antartida.xyz \
--auth CRAM-MD5 --auth-user me \
--header-X-Test "test email" \
--server antartida.xyz
Password: <secret>
=== Trying antartida.xyz:25...
=== Connected to antartida.xyz.
<- 220 antartida.xyz ESMTP Sendmail 8.18.1/8.18.1; Tue, 12 Nov 2024 14:34:50 -0300 (-03)
-> EHLO antartida.xyz
<- 250-antartida.xyz Hello mx.antartida.xyz [195.88.57.140], pleased to meet you
<- 250-ENHANCEDSTATUSCODES
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE
<- 250-DSN
<- 250-ETRN
<- 250-AUTH DIGEST-MD5 CRAM-MD5
<- 250-STARTTLS
<- 250-DELIVERBY
<- 250 HELP
-> AUTH CRAM-MD5
<- 334 PDIxNTE2NjU4MTUuMzM3OTc0NUBhbnRhcnRpZGEueHl6Pg==
-> ZGJhc3RvcyAyOGMzNzcyN2IzZWYxNDgzNDc1MzhmYTM4MjI1MjQyNQ==
<- 235 2.0.0 OK Authenticated
-> MAIL FROM:<***@antartida.xyz>
<- 250 2.1.0 <***@antartida.xyz>... Sender ok
-> RCPT TO:<***@remote.site>
<- 250 2.1.5 <***@.remote.site>... Recipient ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Tue, 12 Nov 2024 14:34:47 -0300
-> To: ***@remote.site
-> From: ***@antartida.xyz
-> Subject: test Tue, 12 Nov 2024 14:34:47 -0300
-> Message-Id: <***@antartida.xyz>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
-> X-Test: test email
->
-> This is a test mailing
->
->
-> .
<- 250 2.0.0 4ACHYoGx077594 Message accepted for delivery
-> QUIT
<- 221 2.0.0 antartida.xyz closing connection
=== Connection closed with remote host.
(*) The local maillog
This is long because I had LogLevel=15. You'll see below that opendmarc
adds the authentication-results header with a failure, but the spf and
dkim headers appear to be correct. I show these two relevant log lines
first and then I show the entire set of log lines in case it's useful.
--8<-------------------------------------------------------->8---
Nov 12 14:34:51 antartida opendmarc[53126]: 4ACHYoGx077594:
antartida.xyz fail
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter
(opendmarc) insert (1): header: Authentication-Results: antartida.xyz;
dmarc=fail (p=reject dis=none) header.from=antartida.xyz
--8<-------------------------------------------------------->8---
Now the entire SMTP session:
Nov 12 14:34:50 antartida sm-mta[77594]: NOQUEUE: connect from mx.antartida.xyz [195.88.57.140]
Nov 12 14:34:50 antartida sm-mta[77594]: AUTH: available mech=SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256 SCRAM-SHA-224 SCRAM-SHA-1 DIGEST-MD5 OTP CRAM-MD5 NTLM ANONYMOUS, allowed mech=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (spfmilter): init success to negotiate
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (dkim-filter): init success to negotiate
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (opendmarc): init success to negotiate
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: connect to filters
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=connect, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=connect, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=connect, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 220 antartida.xyz ESMTP Sendmail 8.18.1/8.18.1; Tue, 12 Nov 2024 14:34:50 -0300 (-03)
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- EHLO antartida.xyz
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=helo, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=helo, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-antartida.xyz Hello mx.antartida.xyz [195.88.57.140], pleased to meet you
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-ENHANCEDSTATUSCODES
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-PIPELINING
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-8BITMIME
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-SIZE
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-DSN
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-ETRN
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-AUTH DIGEST-MD5 CRAM-MD5
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-STARTTLS
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-DELIVERBY
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 HELP
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- AUTH CRAM-MD5
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 334 PDIxNTE2NjU4MTUuMzM3OTc0NUBhbnRhcnRpZGEueHl6Pg==
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 235 2.0.0 OK Authenticated
Nov 12 14:34:50 antartida sm-mta[77594]: AUTH=server, relay=mx.antartida.xyz [195.88.57.140], authid=me, mech=CRAM-MD5, bits=0
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- MAIL FROM:<***@antartida.xyz>
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: sender: <***@antartida.xyz>
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=mail, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=mail, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=mail, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.1.0 <***@antartida.xyz>... Sender ok
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- RCPT TO:<***@remote.site>
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: rcpts: <***@remote.site>
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=rcpt, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=rcpt, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=rcpt, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.1.5 <***@remote.site>... Recipient ok
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: <-- DATA
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 354 End data with <CR><LF>.<CR><LF>
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: from=<***@antartida.xyz>, size=287, class=0, nrcpts=1, msgid=<***@antartida.xyz>, proto=ESMTPA, daemon=IPv4, relay=mx.antartida.xyz [195.88.57.140]
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=header, continue
Nov 12 14:34:51 antartida syslogd: last message repeated 6 times
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=eoh, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (spfmilter) insert (0): header: Received-SPF: pass (antartida.xyz: authenticated connection) receiver=antartida.xyz; client-ip=195.88.57.140; helo=antartida.xyz; envelope-from=***@antartida.xyz; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.11;
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=header, continue
Nov 12 14:34:51 antartida syslogd: last message repeated 7 times
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=eoh, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=body, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (dkim-filter) insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=antartida.xyz;\n\ts=default; t=1731432891;\n\tbh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=;\n\th=Date:To:From:Subject;\n\tb=IDOMq8KnwMb7bgpeMGJOuiW/i9PbmFi9UE4df2u07P6agEeuGAbzepdq9tUmYc5w8\n\t gv5J9u2x8iALPN/6TEzVuDLBhhLfO8XCpWcuK+i5fLKKajo5cpGNVkoMI0cB36zCO3\n\t AwH/wK5f2K8YOgUbQbHYZQBLDdneC1Cp45wYmK0o=
Nov 12 14:34:51 antartida opendkim[35443]: 4ACHYoGx077594: DKIM-Signature field added (s=default, d=antartida.xyz)
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=header, continue
Nov 12 14:34:51 antartida syslogd: last message repeated 8 times
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=eoh, continue
Nov 12 14:34:51 antartida opendmarc[53126]: 4ACHYoGx077594: antartida.xyz fail
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (opendmarc) insert (1): header: Authentication-Results: antartida.xyz; dmarc=fail (p=reject dis=none) header.from=antartida.xyz
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter accept: message
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.0.0 4ACHYoGx077594 Message accepted for delivery
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoH0077594: <-- QUIT
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoH0077594: --- 221 2.0.0 antartida.xyz closing connection
Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: --- 050 <***@remote.site>... Connecting to aspmx.l.google.com. via esmtp...
Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: makeconnection (aspmx.l.google.com. [IPv6:2607:f8b0:400c:c36:0:0:0:1b].25 (28)) failed: No route to host
Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: SMTP outgoing connect on mx.antartida.xyz
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS: CRLFile missing
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, init=1
Nov 12 14:34:51 antartida sm-mta[77596]: tls_clt_features=(null), relay=aspmx.l.google.com [74.125.139.26]
Nov 12 14:34:51 antartida sm-mta[77596]: tls_clt_features=empty, stat=0, relay=aspmx.l.google.com [74.125.139.26]
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, start=ok
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, info: fds=8/5, err=2
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS: TLS cert verify: depth=2 /C=US/O=Google Trust Services LLC/CN=GTS Root R1, state=0, reason=unable to get issuer certificate
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, get_verify: 2 get_peer: 0x37afc4c39780
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, cert-subject=/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Trust+20Services/CN=WR2, verifymsg=unable to get issuer certificate
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=read, info: fds=8/5, err=2
Nov 12 14:34:52 antartida syslogd: last message repeated 4 times
Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: --- 050 <***@remote.site>... Sent (OK 1731432897 ada2fe7eead31-4aaa7bac85asi3247497137.420 - gsmtp)
Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: to=<***@remote.site>, ctladdr=<***@antartida.xyz> (1003/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30287, relay=aspmx.l.google.com. [74.125.139.26], dsn=2.0.0, stat=Sent (OK 1731432897 ada2fe7eead31-4aaa7bac85asi3247497137.420 - gsmtp)
Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: done; delay=00:00:01, ntries=1
Nov 12 14:34:52 antartida sm-mta[77596]: NOQUEUE: --- 050 Closing connection to aspmx.l.google.com.
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=read, info: fds=8/5, err=2
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, SSL_shutdown failed: -1
(*) What opendmarc notices
You'll see in my opendmarc configuration below that I'm using a
history.txt file for debugging purposes. In history.txt, relative to
the test message above, I find in history.txt:
job 4ACHYoGx077594
reporter antartida.xyz
received 1731432891
ipaddr 195.88.57.140
from antartida.xyz
mfrom antartida.xyz
spf 3
pdomain antartida.xyz
policy 16
rua mailto:***@antartida.xyz
pct 100
adkim 115
aspf 115
p 114
sp 0
align_dkim 5
align_spf 5
arc 7
arc_policy 2 json:[]
action 2
The meaning of these numbers can be found in the OpenDMARC source code.
For example,
https://raw.githubusercontent.com/trusteddomainproject/OpenDMARC/refs/heads/master/opendmarc/README
says that align_dkim and align_spf of 5 means that there's no alignment
between mailfrom and the spf and dkim headers. I didn't expect that
because the domain antartida.xyz seems to be the only domain involved
here. But I ask myself---is OpenDMARC seeing the same headers as I do
when I look at the final message?
Before I had installed the spfmilter, that value ``spf 3'' was ``spf
-1'' and -1 means the spf header was not even evaluated. (It's what the
README at the URL above says.) Now that the spf header really is
present, it says 3 but the README doesn't say what 3 means.
I provide the information below in case it's useful at all.
--8<-------------------------------------------------------->8---
--8<-------------------------------------------------------->8---
(*) My policies (in the DNS records)
%host -t txt antartida.xyz
antartida.xyz descriptive text "v=spf1 a mx ip4:195.88.57.140 -all"
%host -t txt default._domainkey.antartida.xyz
default._domainkey.antartida.xyz descriptive text "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9yjHh4+28QGxMOXOVIxQM5kpESx1ILsdtVRwqwVEmnNozOgPdx8N42iHPlpvYALsDdHxX/sY6AYurdZCgtRSlnieoCFu2eeA7KczpO8o8evpqzUqEUnxH7YIFbi4ZqP+FMocNal4WCPWr5XLdsyQ7mQacVb3L/AxUOIyUvclPnQIDAQAB"
%host -t txt _dmarc.antartida.xyz
_dmarc.antartida.xyz descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:***@antartida.xyz;"
(*) My system
On a FreeBSD, I installed spfmilter-2.001_2, opendkim and opendmarc with
Sendmail 8.18.1. The milter sendmail.mc-configuration looks like this:
INPUT_MAIL_FILTER(`spfmilter',`S=unix:/var/run/spfmilter.sock')
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:***@localhost', F=T, T=R:2m)
INPUT_MAIL_FILTER(`opendmarc', `S=inet:***@localhost')
The command-line arguments for spfmilter are
/usr/local/libexec/spfmilter \
--user mailnull \
unix:/var/run/spfmilter.sock
For opendkim:
/usr/local/sbin/opendkim -l -u mailnull:mailnull \
-P /var/run/opendkim/opendkim.pid \
-x /usr/local/etc/mail/opendkim.conf
For opendmarc:
/usr/local/sbin/opendmarc -l -P /var/run/opendmarc/pid \
-c /usr/local/etc/mail/opendmarc.conf \
-p inet:***@localhost \
-u mailnull:mailnull
(*) OpenDKIM configuration
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/mail/dkim/TrustedHosts
InternalHosts refile:/etc/mail/dkim/TrustedHosts
KeyTable refile:/etc/mail/dkim/KeyTable
SigningTable refile:/etc/mail/dkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID mailnull:mailnull
Socket inet:***@127.0.0.1
Domain antartida.xyz
Selector default
(*) OpenDMARC configuration:
%grep -v '^#' opendmarc.conf | grep -v '^$'
AuthservID antartida.xyz
HistoryFile /var/run/opendmarc/history.txt
RecordAllMessages true
SMTPs that are not my own. My problem has been with the filters on my
own system. Even though my SMTP seems to add the SPF header and the
DKIM headers, it seems that opendmarc on my system never seems satisfied
and so it seems to always fail every message I send out. I describe my
entire system further below, but I think I should begin with the
symptoms first. I appreciate any help on this. Thanks!
(*) A test message sent to a remote site
%swaks --to ***@remote.site --from ***@antartida.xyz \
--auth CRAM-MD5 --auth-user me \
--header-X-Test "test email" \
--server antartida.xyz
Password: <secret>
=== Trying antartida.xyz:25...
=== Connected to antartida.xyz.
<- 220 antartida.xyz ESMTP Sendmail 8.18.1/8.18.1; Tue, 12 Nov 2024 14:34:50 -0300 (-03)
-> EHLO antartida.xyz
<- 250-antartida.xyz Hello mx.antartida.xyz [195.88.57.140], pleased to meet you
<- 250-ENHANCEDSTATUSCODES
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE
<- 250-DSN
<- 250-ETRN
<- 250-AUTH DIGEST-MD5 CRAM-MD5
<- 250-STARTTLS
<- 250-DELIVERBY
<- 250 HELP
-> AUTH CRAM-MD5
<- 334 PDIxNTE2NjU4MTUuMzM3OTc0NUBhbnRhcnRpZGEueHl6Pg==
-> ZGJhc3RvcyAyOGMzNzcyN2IzZWYxNDgzNDc1MzhmYTM4MjI1MjQyNQ==
<- 235 2.0.0 OK Authenticated
-> MAIL FROM:<***@antartida.xyz>
<- 250 2.1.0 <***@antartida.xyz>... Sender ok
-> RCPT TO:<***@remote.site>
<- 250 2.1.5 <***@.remote.site>... Recipient ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Tue, 12 Nov 2024 14:34:47 -0300
-> To: ***@remote.site
-> From: ***@antartida.xyz
-> Subject: test Tue, 12 Nov 2024 14:34:47 -0300
-> Message-Id: <***@antartida.xyz>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
-> X-Test: test email
->
-> This is a test mailing
->
->
-> .
<- 250 2.0.0 4ACHYoGx077594 Message accepted for delivery
-> QUIT
<- 221 2.0.0 antartida.xyz closing connection
=== Connection closed with remote host.
(*) The local maillog
This is long because I had LogLevel=15. You'll see below that opendmarc
adds the authentication-results header with a failure, but the spf and
dkim headers appear to be correct. I show these two relevant log lines
first and then I show the entire set of log lines in case it's useful.
--8<-------------------------------------------------------->8---
Nov 12 14:34:51 antartida opendmarc[53126]: 4ACHYoGx077594:
antartida.xyz fail
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter
(opendmarc) insert (1): header: Authentication-Results: antartida.xyz;
dmarc=fail (p=reject dis=none) header.from=antartida.xyz
--8<-------------------------------------------------------->8---
Now the entire SMTP session:
Nov 12 14:34:50 antartida sm-mta[77594]: NOQUEUE: connect from mx.antartida.xyz [195.88.57.140]
Nov 12 14:34:50 antartida sm-mta[77594]: AUTH: available mech=SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256 SCRAM-SHA-224 SCRAM-SHA-1 DIGEST-MD5 OTP CRAM-MD5 NTLM ANONYMOUS, allowed mech=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (spfmilter): init success to negotiate
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (dkim-filter): init success to negotiate
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (opendmarc): init success to negotiate
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: connect to filters
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=connect, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=connect, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=connect, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 220 antartida.xyz ESMTP Sendmail 8.18.1/8.18.1; Tue, 12 Nov 2024 14:34:50 -0300 (-03)
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- EHLO antartida.xyz
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=helo, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=helo, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-antartida.xyz Hello mx.antartida.xyz [195.88.57.140], pleased to meet you
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-ENHANCEDSTATUSCODES
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-PIPELINING
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-8BITMIME
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-SIZE
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-DSN
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-ETRN
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-AUTH DIGEST-MD5 CRAM-MD5
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-STARTTLS
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-DELIVERBY
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 HELP
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- AUTH CRAM-MD5
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 334 PDIxNTE2NjU4MTUuMzM3OTc0NUBhbnRhcnRpZGEueHl6Pg==
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 235 2.0.0 OK Authenticated
Nov 12 14:34:50 antartida sm-mta[77594]: AUTH=server, relay=mx.antartida.xyz [195.88.57.140], authid=me, mech=CRAM-MD5, bits=0
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- MAIL FROM:<***@antartida.xyz>
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: sender: <***@antartida.xyz>
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=mail, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=mail, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=mail, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.1.0 <***@antartida.xyz>... Sender ok
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- RCPT TO:<***@remote.site>
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: rcpts: <***@remote.site>
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=rcpt, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=rcpt, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=rcpt, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.1.5 <***@remote.site>... Recipient ok
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: <-- DATA
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 354 End data with <CR><LF>.<CR><LF>
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: from=<***@antartida.xyz>, size=287, class=0, nrcpts=1, msgid=<***@antartida.xyz>, proto=ESMTPA, daemon=IPv4, relay=mx.antartida.xyz [195.88.57.140]
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=header, continue
Nov 12 14:34:51 antartida syslogd: last message repeated 6 times
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=eoh, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (spfmilter) insert (0): header: Received-SPF: pass (antartida.xyz: authenticated connection) receiver=antartida.xyz; client-ip=195.88.57.140; helo=antartida.xyz; envelope-from=***@antartida.xyz; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.11;
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=header, continue
Nov 12 14:34:51 antartida syslogd: last message repeated 7 times
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=eoh, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=body, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (dkim-filter) insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=antartida.xyz;\n\ts=default; t=1731432891;\n\tbh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=;\n\th=Date:To:From:Subject;\n\tb=IDOMq8KnwMb7bgpeMGJOuiW/i9PbmFi9UE4df2u07P6agEeuGAbzepdq9tUmYc5w8\n\t gv5J9u2x8iALPN/6TEzVuDLBhhLfO8XCpWcuK+i5fLKKajo5cpGNVkoMI0cB36zCO3\n\t AwH/wK5f2K8YOgUbQbHYZQBLDdneC1Cp45wYmK0o=
Nov 12 14:34:51 antartida opendkim[35443]: 4ACHYoGx077594: DKIM-Signature field added (s=default, d=antartida.xyz)
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=header, continue
Nov 12 14:34:51 antartida syslogd: last message repeated 8 times
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=eoh, continue
Nov 12 14:34:51 antartida opendmarc[53126]: 4ACHYoGx077594: antartida.xyz fail
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (opendmarc) insert (1): header: Authentication-Results: antartida.xyz; dmarc=fail (p=reject dis=none) header.from=antartida.xyz
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter accept: message
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.0.0 4ACHYoGx077594 Message accepted for delivery
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoH0077594: <-- QUIT
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoH0077594: --- 221 2.0.0 antartida.xyz closing connection
Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: --- 050 <***@remote.site>... Connecting to aspmx.l.google.com. via esmtp...
Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: makeconnection (aspmx.l.google.com. [IPv6:2607:f8b0:400c:c36:0:0:0:1b].25 (28)) failed: No route to host
Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: SMTP outgoing connect on mx.antartida.xyz
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS: CRLFile missing
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, init=1
Nov 12 14:34:51 antartida sm-mta[77596]: tls_clt_features=(null), relay=aspmx.l.google.com [74.125.139.26]
Nov 12 14:34:51 antartida sm-mta[77596]: tls_clt_features=empty, stat=0, relay=aspmx.l.google.com [74.125.139.26]
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, start=ok
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, info: fds=8/5, err=2
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS: TLS cert verify: depth=2 /C=US/O=Google Trust Services LLC/CN=GTS Root R1, state=0, reason=unable to get issuer certificate
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, get_verify: 2 get_peer: 0x37afc4c39780
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, cert-subject=/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Trust+20Services/CN=WR2, verifymsg=unable to get issuer certificate
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=read, info: fds=8/5, err=2
Nov 12 14:34:52 antartida syslogd: last message repeated 4 times
Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: --- 050 <***@remote.site>... Sent (OK 1731432897 ada2fe7eead31-4aaa7bac85asi3247497137.420 - gsmtp)
Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: to=<***@remote.site>, ctladdr=<***@antartida.xyz> (1003/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30287, relay=aspmx.l.google.com. [74.125.139.26], dsn=2.0.0, stat=Sent (OK 1731432897 ada2fe7eead31-4aaa7bac85asi3247497137.420 - gsmtp)
Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: done; delay=00:00:01, ntries=1
Nov 12 14:34:52 antartida sm-mta[77596]: NOQUEUE: --- 050 Closing connection to aspmx.l.google.com.
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=read, info: fds=8/5, err=2
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, SSL_shutdown failed: -1
(*) What opendmarc notices
You'll see in my opendmarc configuration below that I'm using a
history.txt file for debugging purposes. In history.txt, relative to
the test message above, I find in history.txt:
job 4ACHYoGx077594
reporter antartida.xyz
received 1731432891
ipaddr 195.88.57.140
from antartida.xyz
mfrom antartida.xyz
spf 3
pdomain antartida.xyz
policy 16
rua mailto:***@antartida.xyz
pct 100
adkim 115
aspf 115
p 114
sp 0
align_dkim 5
align_spf 5
arc 7
arc_policy 2 json:[]
action 2
The meaning of these numbers can be found in the OpenDMARC source code.
For example,
https://raw.githubusercontent.com/trusteddomainproject/OpenDMARC/refs/heads/master/opendmarc/README
says that align_dkim and align_spf of 5 means that there's no alignment
between mailfrom and the spf and dkim headers. I didn't expect that
because the domain antartida.xyz seems to be the only domain involved
here. But I ask myself---is OpenDMARC seeing the same headers as I do
when I look at the final message?
Before I had installed the spfmilter, that value ``spf 3'' was ``spf
-1'' and -1 means the spf header was not even evaluated. (It's what the
README at the URL above says.) Now that the spf header really is
present, it says 3 but the README doesn't say what 3 means.
I provide the information below in case it's useful at all.
--8<-------------------------------------------------------->8---
--8<-------------------------------------------------------->8---
(*) My policies (in the DNS records)
%host -t txt antartida.xyz
antartida.xyz descriptive text "v=spf1 a mx ip4:195.88.57.140 -all"
%host -t txt default._domainkey.antartida.xyz
default._domainkey.antartida.xyz descriptive text "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9yjHh4+28QGxMOXOVIxQM5kpESx1ILsdtVRwqwVEmnNozOgPdx8N42iHPlpvYALsDdHxX/sY6AYurdZCgtRSlnieoCFu2eeA7KczpO8o8evpqzUqEUnxH7YIFbi4ZqP+FMocNal4WCPWr5XLdsyQ7mQacVb3L/AxUOIyUvclPnQIDAQAB"
%host -t txt _dmarc.antartida.xyz
_dmarc.antartida.xyz descriptive text "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:***@antartida.xyz;"
(*) My system
On a FreeBSD, I installed spfmilter-2.001_2, opendkim and opendmarc with
Sendmail 8.18.1. The milter sendmail.mc-configuration looks like this:
INPUT_MAIL_FILTER(`spfmilter',`S=unix:/var/run/spfmilter.sock')
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:***@localhost', F=T, T=R:2m)
INPUT_MAIL_FILTER(`opendmarc', `S=inet:***@localhost')
The command-line arguments for spfmilter are
/usr/local/libexec/spfmilter \
--user mailnull \
unix:/var/run/spfmilter.sock
For opendkim:
/usr/local/sbin/opendkim -l -u mailnull:mailnull \
-P /var/run/opendkim/opendkim.pid \
-x /usr/local/etc/mail/opendkim.conf
For opendmarc:
/usr/local/sbin/opendmarc -l -P /var/run/opendmarc/pid \
-c /usr/local/etc/mail/opendmarc.conf \
-p inet:***@localhost \
-u mailnull:mailnull
(*) OpenDKIM configuration
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/mail/dkim/TrustedHosts
InternalHosts refile:/etc/mail/dkim/TrustedHosts
KeyTable refile:/etc/mail/dkim/KeyTable
SigningTable refile:/etc/mail/dkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID mailnull:mailnull
Socket inet:***@127.0.0.1
Domain antartida.xyz
Selector default
(*) OpenDMARC configuration:
%grep -v '^#' opendmarc.conf | grep -v '^$'
AuthservID antartida.xyz
HistoryFile /var/run/opendmarc/history.txt
RecordAllMessages true