Incorrect bounce address: failing DKIM and SPF

matthiasvd

New Member
Jan 31, 2022
Hi!

I am a Proxmox Mail Gateway user, and a happy one. I have used PMG for the past 3 weeks with hMailserver, and it has worked perfectly. There is however an issue that recently started occurring: the bounce address is incorrect. Instead of having user@mydomain.com as bounce address, I am having postmaster@reverse-dns.com. Due to this issue, SPF and DKIM are failing, causing mail deliverability to be 0. I was wondering if any of you have a fix or a workaround for this issue.

Thank you in advance!
 

Sorry I have a hard time understanding what the exact issue is based on the screenshots you post - could you please share
- the logs of such a mail
- the headers of the mail

I think the term 'bounce address' is used in multiple contexts:
https://en.wikipedia.org/wiki/Bounce_address
 
Hi!

I have my spam filter set very strictly, rejecting mails if the spam level is >= 2 for inbound and outbound mails. The issue is that DKIM and SPF fail, causing a 3 on my spam score.

I looked into the issue using "mail-tester.com". As soon as I did a test, I received a 0/10 score.
The reason I got this score is the following:
My message has a "bounce address" of "postmaster@rDNS (d515313f9.static.telenet.be)" instead of the e-mail address of the user.
The issue with this is that the person that receives my mail does an SPF and DKIM lookup on "d515313f9.static.telenet.be" instead of "vanduysen.be". Due to this, the e-mail gets rejected because no SPF/DKIM policy is found on the d515313f9.static.telenet.be address, and the mail is DKIM signed.


To be honest, I am a 15 year old who is learning how to use technology, so I don't have the most experience.


This is the log file of such an e-mail (FYI, 10.61.0.56 is my hMailServer):
Code:
Jan 31 22:38:32 d515313f9 postfix/smtpd[2054]: connect from unknown[10.61.0.56]
Jan 31 22:38:32 d515313f9 postfix/smtpd[2054]: 31F3EC0478: client=unknown[10.61.0.56]
Jan 31 22:38:32 d515313f9 postfix/cleanup[2057]: 31F3EC0478: message-id=<8b58e85c-397a-da94-6daa-ec8797c40237@vanduysen.be>
Jan 31 22:38:32 d515313f9 postfix/qmgr[782]: 31F3EC0478: from=<matthias@vanduysen.be>, size=6995, nrcpt=1 (queue active)
Jan 31 22:38:32 d515313f9 postfix/smtpd[2054]: disconnect from unknown[10.61.0.56] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 31 22:38:32 d515313f9 pmg-smtp-filter[816]: C052761F856D845702: new mail message-id=<8b58e85c-397a-da94-6daa-ec8797c40237@vanduysen.be>#012
Jan 31 22:38:36 d515313f9 pmg-smtp-filter[816]: C052761F856D845702: SA score=2/5 time=4.300 bayes=undefined autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),AWL(0.005),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_MESSAGE(0.001),KAM_DMARC_REJECT(3),KAM_DMARC_STATUS(0.01),URIBL_BLOCKED(0.001)
Jan 31 22:38:36 d515313f9 pmg-smtp-filter[816]: C052761F856D845702: notify <pmg@vanduysen.be> (rule: Miserie, B81E3C06BB)
Jan 31 22:38:36 d515313f9 pmg-smtp-filter[816]: C052761F856D845702: notify <matthias@vanduysen.be> (rule: Miserie, BD6E8C06BC)
Jan 31 22:38:36 d515313f9 pmg-smtp-filter[816]: C052761F856D845702: moved mail for <test-gdmq72xz5@srv1.mail-tester.com> to spam quarantine - C06C761F856DCC0F74 (rule: Miserie)
Jan 31 22:38:36 d515313f9 pmg-smtp-filter[816]: C052761F856D845702: processing time: 4.515 seconds (4.3, 0.1, 0)
Jan 31 22:38:36 d515313f9 postfix/lmtp[2058]: 31F3EC0478: to=<test-gdmq72xz5@srv1.mail-tester.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=4.6, delays=0.04/0.05/0.01/4.5, dsn=2.5.0, status=sent (250 2.5.0 OK (C052761F856D845702))
Jan 31 22:38:36 d515313f9 postfix/qmgr[782]: 31F3EC0478: removed




The HTML-version of my message:
HTML:
Content-Type: multipart/alternative;
 boundary="------------EQl4vAOkzrqn5Rc8so1692E0"
Message-ID: <8b58e85c-397a-da94-6daa-ec8797c40237@vanduysen.be>
Date: Mon, 31 Jan 2022 22:38:28 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
 Gecko/20100101 Thunderbird/91.2.1
Content-Language: nl
To: test-gdmq72xz5@srv1.mail-tester.com
From: Matthias Van Duysen <matthias@vanduysen.be>
Subject: Testmail

This is a multi-part message in MIME format.
--------------EQl4vAOkzrqn5Rc8so1692E0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Proxmox Notification:

Sender:   matthias@vanduysen.be
Receiver: test-9i9mgpvu5@srv1.mail-tester.com
Targets:  test-9i9mgpvu5@srv1.mail-tester.com

Subject: Testmail


Matching Rule: Miserie

Rule: Miserie
   Receiver: test-9i9mgpvu5@srv1.mail-tester.com
   Action: modify field: X-SPAM-LEVEL:Spam detection results:  2
ALL_TRUSTED                -1 Passed through trusted hosts only via SMTP
DKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
HTML_MESSAGE            0.001 HTML included in message
KAM_DMARC_REJECT            3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
T_KAM_HTML_FONT_INVALID   0.01 Test for Invalidly Named or Formatted Colors in HTML
URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [vanduysen.be,cloudron.io]

   Action: modify field: subject:SPAM: __SUBJECT__
   Action: Move to quarantine.
   Action: notify pmg@vanduysen.be
   Action: notify matthias@vanduysen.be



Spam detection results:  2
ALL_TRUSTED                -1 Passed through trusted hosts only via SMTP
DKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
HTML_MESSAGE            0.001 HTML included in message
KAM_DMARC_REJECT            3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
T_KAM_HTML_FONT_INVALID   0.01 Test for Invalidly Named or Formatted Colors in HTML
URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [vanduysen.be,cloudron.io]


--------------EQl4vAOkzrqn5Rc8so1692E0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>
    </p>
    <div class="moz-text-plain" wrap="true" style="font-family:
      -moz-fixed; font-size: 12px;" lang="x-unicode">
      <pre class="moz-quote-pre" wrap="">Proxmox Notification:

Sender:   <a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:matthias@vanduysen.be">matthias@vanduysen.be</a>
Receiver: <a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:test-9i9mgpvu5@srv1.mail-tester.com">test-9i9mgpvu5@srv1.mail-tester.com</a>
Targets:  <a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:test-9i9mgpvu5@srv1.mail-tester.com">test-9i9mgpvu5@srv1.mail-tester.com</a>

Subject: Testmail


Matching Rule: Miserie

Rule: Miserie
  Receiver: <a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:test-9i9mgpvu5@srv1.mail-tester.com">test-9i9mgpvu5@srv1.mail-tester.com</a>
  Action: modify field: X-SPAM-LEVEL:Spam detection results:  2
ALL_TRUSTED                -1 Passed through trusted hosts only via SMTP
DKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
HTML_MESSAGE            0.001 HTML included in message
KAM_DMARC_REJECT            3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
T_KAM_HTML_FONT_INVALID   0.01 Test for Invalidly Named or Formatted Colors in HTML
URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See <a class="moz-txt-link-freetext" href="http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block">http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block</a> for more information. [vanduysen.be,cloudron.io]

  Action: modify field: subject:SPAM: __SUBJECT__
  Action: Move to quarantine.
  Action: notify <a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:pmg@vanduysen.be">pmg@vanduysen.be</a>
  Action: notify <a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:matthias@vanduysen.be">matthias@vanduysen.be</a>



Spam detection results:  2
ALL_TRUSTED                -1 Passed through trusted hosts only via SMTP
DKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
HTML_MESSAGE            0.001 HTML included in message
KAM_DMARC_REJECT            3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
T_KAM_HTML_FONT_INVALID   0.01 Test for Invalidly Named or Formatted Colors in HTML
URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See <a class="moz-txt-link-freetext" href="http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block">http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block</a> for more information. [vanduysen.be,cloudron.io]


</pre>
    </div>
  </body>
</html>
--------------EQl4vAOkzrqn5Rc8so1692E0--
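An added example, not part of the original post: it parses the `SA score=` line from the pmg-smtp-filter log above and reports which rule pushes the message over the spam level of 2 described in the post. The function names and the second limit (4) are assumptions made for illustration.

```python
import re

# Score line copied from the pmg-smtp-filter log above.
LOG_LINE = (
    "Jan 31 22:38:36 d515313f9 pmg-smtp-filter[816]: C052761F856D845702: "
    "SA score=2/5 time=4.300 bayes=undefined autolearn=no autolearn_force=no "
    "hits=ALL_TRUSTED(-1),AWL(0.005),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),"
    "HTML_MESSAGE(0.001),KAM_DMARC_REJECT(3),KAM_DMARC_STATUS(0.01),"
    "URIBL_BLOCKED(0.001)"
)

SA_RE = re.compile(r"SA score=(-?\d+)/\d+ .*?\bhits=(\S+)")
HIT_RE = re.compile(r"([A-Z0-9_]+)\((-?\d+(?:\.\d+)?)\)")


def parse_hits(line):
    """Return (logged_level, {rule: points}) or None if this is not a score line."""
    m = SA_RE.search(line)
    if m is None:
        return None
    return int(m.group(1)), {n: float(p) for n, p in HIT_RE.findall(m.group(2))}


def explain(line, threshold):
    """Show what drives the score relative to a quarantine threshold."""
    parsed = parse_hits(line)
    if parsed is None:
        raise ValueError("no 'SA score=' entry in line")
    level, hits = parsed
    total = sum(hits.values())
    over = total >= threshold
    # A rule is decisive if dropping it alone would put the mail under the threshold.
    decisive = sorted(n for n, p in hits.items() if over and total - p < threshold)
    return {
        "level": level,
        "total": round(total, 3),
        "over_threshold": over,
        "decisive": decisive,
        # URIBL_BLOCKED means the URIBL queries were refused, so that check gave no verdict.
        "uribl_blocked": "URIBL_BLOCKED" in hits,
    }


if __name__ == "__main__":
    for limit in (2, 4):  # 2 is the limit from the post; 4 is a constructed comparison
        print(limit, explain(LOG_LINE, limit))
```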
 
To be honest, I am a 15 year old who is learning how to use technology, so I don't have the most experience.
Cool - actively trying to get something running is quite a good way to learn :)

I looked into the issue using "mail-tester.com". As soon as I did a test, I received a 0/10 score.
The reason I got this score is the following:
Ok - this is a combination of the following (if I understood the setup correctly):
* your PMG puts the mail in Quarantine (because it scores more than 2)
* when PMG releases mail from Quarantine it does not use the original envelope sender (see https://en.wikipedia.org/wiki/Bounce_address for a bit of background) but 'postmaster@hostname_of_your_pmg' (the source for this is here [0]) - this has a few reasons - one is to not inform a spammer that an e-mail address exists (or does not exist) - since Quarantine is (usually) used for inbound mail
* hostname_of_your_pmg in your case seems to be d515313f9.static.telenet.be. (matching the PTR record of the public IP) - you can configure this (by setting the appropriate names in /etc/hostname, /etc/hosts) - however
* an SMTP server needs (in the sense that else many other SMTP servers will refuse to accept mail from it) a matching hostname to its IP address
* so unless you can change the reverse PTR of your IP (probably won't be possible for a residential line, but in any case you'd need to ask your ISP) - chances are that e-mail will not work too reliably from that IP (e.g. PMG has the 'Reject Unknown Clients' setting for precisely this situation)

* I guess the DMARC and bounce-address check would work out if you would let the mail through.

Regarding DMARC and DKIM failing - this is the result from PMG running the same tests on outbound mails as on inbound mails -
* the mail comes from your private IP mailserver 10.61.0.56 - so this will not be part of your SPF record
* additionally I assume you do the DKIM signing on PMG (so naturally the mail is not signed when it enters PMG)
* one option in this situation is to create a different view on your domain for PMG (without SPF and DKIM and DMARC records)

Also having a spamscore of 2 will create many false positive matches (I do get quite a few mails which are not spam and even score above 3)

I guess you would get better results if you set up a dedicated DNS server for PMG - as this would make URIBL work again (which yields enough points so that you can set the limit a bit higher (I'd start with 4)) - just check out the Getting Started Page on the wiki:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

I hope that explains it (partially)!


[0] https://git.proxmox.com/?p=pmg-api....cc519b5a1d1c866913d634ea5422f5d4;hb=HEAD#l100
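An added example, not part of the reply above and not PMG code: a DMARC identifier-alignment check showing why a message released from quarantine with the envelope sender `postmaster@d515313f9.static.telenet.be` no longer aligns with the `From:` domain `vanduysen.be`. The function names, the SPF/DKIM result strings passed in, and the two-label organizational-domain shortcut are assumptions; real evaluators use the Public Suffix List.

```python
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain of a mailbox such as 'Name <user@example.org>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. This holds for
    # the names in this thread; production code must consult the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def aligned(identifier_domain, from_domain, strict=False):
    """Strict alignment needs identical domains, relaxed only the same org domain."""
    if not identifier_domain or not from_domain:
        return False
    if strict:
        return identifier_domain == from_domain
    return org_domain(identifier_domain) == org_domain(from_domain)


def dmarc_eval(header_from, envelope_from, spf_result, dkim_d, dkim_result, strict=False):
    """DMARC passes if SPF or DKIM both passes and aligns with the From: domain."""
    from_dom = domain_of(header_from)
    spf_ok = spf_result == "pass" and aligned(domain_of(envelope_from), from_dom, strict)
    dkim_ok = dkim_result == "pass" and aligned(dkim_d.lower(), from_dom, strict)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


HEADER_FROM = "Matthias Van Duysen <matthias@vanduysen.be>"      # From: header in the thread
RELEASED_SENDER = "postmaster@d515313f9.static.telenet.be"       # after quarantine release
ORIGINAL_SENDER = "matthias@vanduysen.be"                        # envelope sender in the log

if __name__ == "__main__":
    # The SPF/DKIM results below are constructed inputs, not measured values.
    print(dmarc_eval(HEADER_FROM, RELEASED_SENDER, "none", "vanduysen.be", "fail"))
    print(dmarc_eval(HEADER_FROM, ORIGINAL_SENDER, "pass", "vanduysen.be", "fail"))
    print(dmarc_eval(HEADER_FROM, RELEASED_SENDER, "none", "vanduysen.be", "pass"))
```

The third case shows that a valid, aligned DKIM signature alone is enough for DMARC to pass, even when the envelope sender has been rewritten.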
 
Thank you! I fixed my setup using your explanation! I'm very grateful for your help!
 
