DKIM/SPF failure with sender_bcc

M

michabbs

Active Member
May 5, 2020
134
19
38
I use postfix feature sender_bcc. Basically it means that all mails sent by a chosen user are automatically cc'd to someone else (to be archived, for supervision, etc...)

Problem: The auto-generated copies do not pass DKIM/SPF test and I have no idea why. I get such messages:
Code: 
Proxmox Notification:

Sender:   x
Receiver: x
Targets:  x

Subject: x


Matching Rule: Notify outgoing Spam

Rule: Notify outgoing Spam
  Receiver: x
  Action: notify __ADMIN__



Spam detection results:  3
ALL_TRUSTED                -1 Passed through trusted hosts only via SMTP
AWL                    -1.471 Adjusted score from AWL reputation of From: address
HTML_IMAGE_ONLY_24      1.282 HTML: images with 2000-2400 bytes of words
HTML_MESSAGE            0.001 Wiadomo¶æ zawiera kod HTML
HTML_SHORT_LINK_IMG_3   0.328 HTML is very short with a linked image
KAM_DMARC_REJECT            3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_NUMSUBJECT            0.5 Subject ends in numbers excluding current years
TVD_FW_GRAPHIC_NAME_LONG  0.648 Long image attachment name

The original mails are delivered correctly and pass validation at target. Problem is only with "my" carbon copies.
Any ideas?

I suppose maybe copies have some headers changed, so effectively validation does wrong, but... I do not see any difference in headers. :-(
 
michabbs said:
I use postfix feature sender_bcc
Click to expand...
Have not looked into sender_bcc - but on a hunch - could it be that postfix sends the bcc directly - and that the mails do not pass through pmg-smtp-filter (I assume here that the issue is with outbound mails and that PMG is doing the DKIM signing)?

Possible fixes:
* use a BCC action object (these mails should get signed)

if this does not work - please:
* show the changes to the postfix config
* explain how the mails get send
* share the logs of such a mail, which does not pass validation

I hope this helps!
 
I completely missed BCC action! Thank you!

...but no success. :-(
* I removed my extra postfix config.
* I created rule with From condition and BCC action.
* Nothing changed: the original mail is delivered correctly to its recipient and pass verification without problems. The BBC copy triggers "Notify outgoing Spam" rule:

Code: 
Proxmox Notification:

Sender:   *
Receiver: *
Targets:  *

Subject: *


Matching Rule: Notify outgoing Spam

Rule: SklepOut
  Receiver: *
  Action: send bcc to: * (original)
Rule: Notify outgoing Spam
  Receiver: *
  Action: *



Spam detection results:  4
ALL_TRUSTED                -1 Passed through trusted hosts only via SMTP
HTML_IMAGE_ONLY_24      1.282 HTML: images with 2000-2400 bytes of words
HTML_MESSAGE            0.001 Wiadomo¶æ zawiera kod HTML
HTML_SHORT_LINK_IMG_3   0.328 HTML is very short with a linked image
KAM_DMARC_REJECT            3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_NUMSUBJECT            0.5 Subject ends in numbers excluding current years
TVD_FW_GRAPHIC_NAME_LONG  0.648 Long image attachment name

In order to minimize interference from another software - I sent mail directly from Thunderbird to port 26, so it should be considered "safe". Here is log:

Code: 
Nov 4 17:20:23 garibaldi postfix/smtpd[212564]: connect from unknown[192.168.2.250]
Nov 4 17:20:23 garibaldi postfix/smtpd[212564]: NOQUEUE: client=unknown[192.168.2.250]
Nov 4 17:20:24 garibaldi pmg-smtp-filter[142936]: 1C66E618408480FFD6: new mail message-id=<4802549d-5ab8-2924-91f4-52afeb011c6b@*>#012
Nov 4 17:20:25 garibaldi pmg-smtp-filter[142936]: 1C66E618408480FFD6: SA score=4/5 time=0.913 bayes=undefined autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),HTML_IMAGE_ONLY_24(1.282),HTML_MESSAGE(0.001),HTML_SHORT_LINK_IMG_3(0.328),KAM_DMARC_REJECT(3),KAM_DMARC_STATUS(0.01),KAM_NUMSUBJECT(0.5),TVD_FW_GRAPHIC_NAME_LONG(0.648)
Nov 4 17:20:25 garibaldi pmg-smtp-filter[142936]: 1C66E618408480FFD6: notify <*> (rule: Notify outgoing Spam, 10D40265A3)
Nov 4 17:20:25 garibaldi pmg-smtp-filter[142936]: 1C66E618408480FFD6: bcc to <*> (rule: SklepOut, 18EAD265A5)
Nov 4 17:20:25 garibaldi postfix/smtpd[212571]: connect from *[127.0.0.1]
Nov 4 17:20:25 garibaldi postfix/smtpd[212571]: 1F645265AA: client=*[127.0.0.1], orig_client=unknown[192.168.2.250]
Nov 4 17:20:25 garibaldi postfix/cleanup[212572]: 1F645265AA: message-id=<4802549d-5ab8-2924-91f4-52afeb011c6b@*>
Nov 4 17:20:25 garibaldi postfix/qmgr[207757]: 1F645265AA: from=<*>, size=9973, nrcpt=1 (queue active)
Nov 4 17:20:25 garibaldi pmg-smtp-filter[142936]: 1C66E618408480FFD6: accept mail to <*@dkimvalidator.com> (1F645265AA) (rule: default-accept)
Nov 4 17:20:25 garibaldi postfix/smtpd[212571]: disconnect from *[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 4 17:20:25 garibaldi pmg-smtp-filter[142936]: 1C66E618408480FFD6: processing time: 1.069 seconds (0.913, 0.046, 0)
Nov 4 17:20:25 garibaldi postfix/smtpd[212564]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (1C66E618408480FFD6); from=<*> to=<*@dkimvalidator.com> proto=ESMTP helo=<[192.168.2.250]>
Nov 4 17:20:25 garibaldi postfix/smtpd[212564]: disconnect from unknown[192.168.2.250] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 4 17:20:27 garibaldi postfix/smtp[212575]: 1F645265AA: to=<*@dkimvalidator.com>, relay=31045262.in1.mandrillapp.com[54.245.105.162]:25, delay=2.2, delays=0.01/0.05/1.6/0.61, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CB0DA20E20)
Nov 4 17:20:27 garibaldi postfix/qmgr[207757]: 1F645265AA: removed

The original message was delivered to dkimvalidator.com and passed:

Code: 
Message is NOT marked as spam
Points breakdown:
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 1.3 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of
                            words
 0.6 TVD_FW_GRAPHIC_NAME_LONG BODY: Long image attachment name
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.3 HTML_SHORT_LINK_IMG_3  HTML is very short with a linked image
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom