
#61 Problem parsing headers added by enma

1.1.3
closed
None
2014-08-15
2013-11-08
No

Hi, I sent this message on the user-ml as well, but it seems abandoned in the last months...

Hi, I'm using enma (http://enma.sourceforge.net/) to add authentication
headers and after that opendmarc to check dmarc compliance.

Here are the headers added by enma and opendmarc:

Authentication-Results: mail.bzone.it; spf=pass smtp.mailfrom=c.mammoli@apra.it; sender-id=pass
header.From=c.mammoli@apra.it; dkim=pass header.i=@apra.it; dkim-adsp=pass
header.From=c.mammoli@apra.it
Authentication-Results: mail.bzone.it; dmarc=fail header.from=apra.it

And the relevant maillog lines:

Nov 8 14:32:37 mail enma[17807]: DKIM-Signature[1]: domain=apra.it, selector=default, pubkeyalg=rsa, digestalg=sha1, hdrcanon=relaxed, bodycanon=simple
Nov 8 14:32:37 mail enma[17807]: [EB19A14C017E] [SPF-auth] ipaddr=89.97.236.28, eval=smtp.mailfrom, helo=mail.apra.it, envfrom=c.mammoli@apra.it, score=pass
Nov 8 14:32:37 mail enma[17807]: [EB19A14C017E] [SIDF-auth] ipaddr=89.97.236.28, header.From=c.mammoli@apra.it, score=pass
Nov 8 14:32:37 mail enma[17807]: [EB19A14C017E] [DKIM-auth] header.i=@apra.it, score=pass
Nov 8 14:32:37 mail enma[17807]: [EB19A14C017E] [DKIM-ADSP-auth] header.From=c.mammoli@apra.it, score=pass
Nov 8 14:32:37 mail postfix/pickup[17622]: 2A60A14C0200: uid=489 from=<opendmarc>
Nov 8 14:32:37 mail opendmarc[11598]: EB19A14C017E: apra.it fail
On 08/11/2013 13:39, opendmarc-users-request@trusteddomain.org wrote:

As you can see opendmarc returns fail, even if all the checks in the Authentication-Results header are "pass".

If I use enma only for spf and opendkim to check dkim signatures
the dmarc check passes:

Headers added by opendkim+enma:
Authentication-Results: mail.bzone.it; spf=pass smtp.mailfrom=c.mammoli@apra.it; sender-id=pass
header.From=c.mammoli@apra.it
Authentication-Results: mail.bzone.it; dmarc=pass header.from=apra.it
Authentication-Results: mail.bzone.it; dkim=pass
reason="1024-bit key; unprotected key"
header.d=apra.it header.i=@apra.it header.b=NCQz5XFI; dkim-adsp=pass

But with this configuration it seems that headers added by enma are ignored:
if I send an email from a host not listed in the spf records this is what happens:

Authentication-Results: mail.bzone.it; spf=hardfail smtp.mailfrom=c.mammoli@apra.it;
sender-id=hardfail header.From=c.mammoli@apra.it
Authentication-Results: mail.bzone.it; dmarc=pass header.from=apra.it
Authentication-Results: mail.bzone.it; dkim=pass
reason="1024-bit key; unprotected key"

Of course the milters are in the correct order (opendmarc last) and the
domain policy is reject:

[root@mail cur]# opendmarc-check apra.it
DMARC record for apra.it:
Sample percentage: 100
DKIM alignment: strict
SPF alignment: strict
Domain policy: reject
Subdomain policy: reject
Aggregate report URIs:
mailto:527b6e6f6f@rep.dmarcanalyzer.com
Forensic report URIs:
mailto:527b6e6f6f@for.dmarcanalyzer.com

Discussion

  • Murray S. Kucherawy

    The rule is that DMARC passes only if:

    a) SPF and/or DKIM pass;
    b) Those results are recorded in Authentication-Results fields;
    c) The authserv-id is one of the ones opendmarc trusts.

    By default, the trusted set contains only the value of the AuthservID setting, which by default contains the name of the MTA processing the message, as provided by the "j" milter macro. I can't tell from your samples whether those match; if they don't, those Authentication-Results fields would be ignored.

    We should probably add some additional logging (optional) to make it clear that these things are (or are not) lined up.

     
  • Murray S. Kucherawy

    This logging will appear in 1.2.0, which is now in development. Betas should start in early January.

     
  • Murray S. Kucherawy

    • status: open --> accepted
    • assigned_to: Murray S. Kucherawy
     
  • Murray S. Kucherawy

    v1.2.0 released.

     
  • Murray S. Kucherawy

    • status: accepted --> closed
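
The three-part rule from the first reply, as an added example (not code from OpenDMARC or from anyone in this thread): a simplified Python model that skips Authentication-Results fields whose authserv-id is not trusted, then applies strict alignment as in the DMARC record shown in the report. The function names and the untrusted name `mx.example.net` are assumptions; the header values are the ones quoted in the report.

```python
import re
# Header values copied from the report above (unfolded onto one line each).
ENMA = ("mail.bzone.it; spf=pass smtp.mailfrom=c.mammoli@apra.it; sender-id=pass "
        "header.From=c.mammoli@apra.it; dkim=pass header.i=@apra.it; "
        "dkim-adsp=pass header.From=c.mammoli@apra.it")
SPF_FAIL = ("mail.bzone.it; spf=hardfail smtp.mailfrom=c.mammoli@apra.it; "
            "sender-id=hardfail header.From=c.mammoli@apra.it")
OPENDKIM = ('mail.bzone.it; dkim=pass reason="1024-bit key; unprotected key" '
            "header.d=apra.it header.i=@apra.it header.b=NCQz5XFI; dkim-adsp=pass")

def parse_authres(value):
    """Return (authserv_id, [(method, result, props)]); simplified parser."""
    # Drop quoted strings and (comments) so a ';' inside reason="..." is harmless.
    value = re.sub(r'"[^"]*"|\([^)]*\)', " ", value)
    parts = [p.split() for p in value.split(";")]
    authserv_id = parts[0][0].lower() if parts[0] else ""
    results = []
    for tokens in parts[1:]:
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.lower().split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method, result, props))
    return authserv_id, results

def domain_of(ident):
    return ident.rsplit("@", 1)[-1].rstrip(".")

def dmarc_eval(headers, from_domain, trusted_ids):
    """Return (verdict, aligned_methods, ignored_authserv_ids), strict alignment."""
    trusted = {t.lower() for t in trusted_ids}
    aligned, ignored = set(), []
    for value in headers:
        authserv_id, results = parse_authres(value)
        if authserv_id not in trusted:      # rule (c): untrusted fields are skipped
            ignored.append(authserv_id)
            continue
        for method, result, props in results:
            if result != "pass":            # rule (a): only passes count
                continue
            if method == "spf" and domain_of(props.get("smtp.mailfrom", "")) == from_domain:
                aligned.add("spf")
            if method == "dkim" and from_domain in (
                    props.get("header.d", ""), domain_of(props.get("header.i", ""))):
                aligned.add("dkim")
    return ("pass" if aligned else "fail"), sorted(aligned), ignored

if __name__ == "__main__":
    for trusted in ({"mail.bzone.it"}, {"mx.example.net"}):  # second name is hypothetical
        print(trusted, dmarc_eval([ENMA], "apra.it", trusted))
```

Given `SPF_FAIL` and `OPENDKIM` together with the authserv-id trusted, the model returns pass on DKIM alone, which is the "and/or" in rule (a).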
     
