Possible buggy postfix?

sojic

Member
Jul 8, 2022
While testing my domain against mail spoofing, I have noticed strange behaviour of PMG (postfix as well I guess).

Tool used: https://dmarc-tester.com/

Tried to spoof my mail.

Test 1:
From: my corporate mail
to: my private gmail.
Mail didn't arrive.

Test 2:
From: my corporate mail
To: my corporate mail (over PMG)
Mail arrived.

Test 3:
easydmarc.com
Non-compliant
Is your brand domain protected by DMARC?


My SPF record:
v=spf1 ip4:157.90.xx.yy ip4:88.198.xx.yy -all

DMARC:
v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:xxx@yyy.com;ruf=mailto:xxx@yyy.com;fo=0:1:d:s


My SPF record allows only these 2 IP addresses to be used to send mail. The DMARC record policy is to reject all non-compliant messages.

Here are the headers

Code:
From user@domain.mk Wed Jun 29 20:09:28 2022
Return-Path: <bounces-51598306-user=domain.mk@aa.d.sender-sib.com>
X-Original-To: user@domain.mk
Delivered-To: user-domain.mk@sao.live.net.mk
Received: from thanatos.live.net.mk (thanatos.live.net.mk [157.90.204.74])
    by sao.live.net.mk (Postfix) with ESMTPS id 270F91C0280
    for <user@domain.mk>; Wed, 29 Jun 2022 20:09:28 +0000 (UTC)
Authentication-Results: sao.live.net.mk; dkim=pass (1024-bit key;
 unprotected) header.d=sendinblue.com header.i=@sendinblue.com
 header.a=rsa-sha256 header.s=mail header.b=kWU+GuMC; dkim-atps=neutral
Received: from thanatos.live.net.mk (localhost.localdomain [127.0.0.1])
    by thanatos.live.net.mk (Proxmox) with ESMTP id 0BECB60F3E
    for <user@domain.mk>; Wed, 29 Jun 2022 22:09:28 +0200 (CEST)
Received-SPF: pass (aa.d.sender-sib.com: Sender is authorized to use
 'bounces-#-user=domain.mk@aa.d.sender-sib.com' in 'mfrom' identity
 (mechanism 'include:spf.sendinblue.com' matched))
 receiver=thanatos.live.net.mk; identity=mailfrom;
 envelope-from="bounces-#-user=domain.mk@aa.d.sender-sib.com";
 helo=aa.d.sender-sib.com; client-ip=185.41.28.128
Received: from aa.d.sender-sib.com (aa.d.sender-sib.com [185.41.28.128])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256) (No client certificate requested) by thanatos.live.net.mk (Proxmox)
 with ESMTPS id 7099360F2B for <user@domain.mk>; Wed, 29 Jun 2022
 22:09:24 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendinblue.com;
 q=dns/txt; s=mail; bh=bWNIRE/OIQJ8GsfVscnBOkPpvbU+1adgDpnjCPXH604=;
 h=from:subject:date:to:mime-version:content-type:list-unsubscribe:x-csa-complaints:list-unsubscribe-post;
 b=kWU+GuMCDvYMA7w3GgADGsxP2T0S/TP1dDdjlDLrAZ6puLsmMUfC6BG0dGUtc4paFQQ6wsSq+6d2
 Gd0NBEspMz//MLQbiaoR4uzaIIlO32fxMQh1bYzCIFLOuqXMv5S+AAaxCA8Ogj+jvpIN4toQzs6I
 8tNF3QRvHaAW+Gf2poM=
X-Mailin-EID:
 NTE1OTgzMDZ%2Bc29qaWNAbGl2ZW5ldHdvcmtzLm1rfjwyMDIyMDYyOTIyMDkuMjkwNjIwODYyNjZAc210cC1yZWxheS5tYWlsaW4uZnI%2BfmFhLmQuc2VuZGVyLXNpYi5jb20%3D
To: <user@domain.mk>
Date: Wed, 29 Jun 2022 20:09:16 +0000
Subject: Is your brand domain protected by DMARC?
Message-Id: <348a15b3-8dc7-4fe7-8728-363b61fa1fd1@smtp-relay.sendinblue.com>
Origin-messageId: <202206292209.29062086266@smtp-relay.mailin.fr>
Content-Type: multipart/alternative; boundary="--_SiB-755f3ec5a3f89a6d-Part_1"
MIME-Version: 1.0
X-sib-id:
 NvL6Oww6UqzJPXBn1rHeFibLs9XNv9P40HdQhkbl6cR7uFoUgV0taOCRum-AvbUEhNJh6_F5fWDBhiz_Bdmbi148Wwg9QE2e9FRTg9IeZWDV292Jy2JYIv15X9oMQ3Nt4ODKxH8wicqJbUL8LQClCzggb_ZTFWq4wh-lwlBeNm-C2kc
X-CSA-Complaints: whitelist-complaints@eco.de
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Feedback-ID: 185.41.28.128:1534416_-1:1534416:Sendinblue
From: "My Name" <user@domain.mk>
List-Unsubscribe:
 <mailto:unsubscribe-t@aa.d.sender-sib.com?subject=unsub-NTE1OTgzMDZ-c29qaWNAbGl2ZW5ldHdvcmtzLm1rfjwyMDIyMDYyOTIyMDkuMjkwNjIwODYyNjZAc210cC1yZWxheS5tYWlsaW4uZnI-fkRhbGlib3IgU29qaWMgPHNvamljQGxpdmVuZXR3b3Jrcy5taz5-MzQ4YTE1YjMtOGRjNy00ZmU3LTg3MjgtMzYzYjYxZmExZmQx&body=NTE1OTgzMDZ-c29qaWNAbGl2ZW5ldHdvcmtzLm1rfjwyMDIyMDYyOTIyMDkuMjkwNjIwODYyNjZAc210cC1yZWxheS5tYWlsaW4uZnI-fkRhbGlib3IgU29qaWMgPHNvamljQGxpdmVuZXR3b3Jrcy5taz5-MzQ4YTE1YjMtOGRjNy00ZmU3LTg3MjgtMzYzYjYxZmExZmQx>,
 <https://bfdeebg.r.bh.d.sendibt3.com/tr/un/li/gPvlMzPy9CwRImzRl0hxgSzrg0aZO9FYPMvkG3o4mJKGindtpZwgJtnoYVf53RJUvlQiRSAy8GyzB1mUuVMa-O6TgXrvDXDxVUISU7a9W8kaUcONrnkDBWUaVm1kqayWEeBCwxioPQUzNHpy8Ch4ZWi088NQgALDJzq28ZR8TSVzj6BvQeYfgi3JxwC1sWPyDzTNOSOSMF60MtoAca1kOSZ3SPwyy_SreNMcyMtepeNB1tXNfzElsn1z7TG_36ia3VqSw0w>
X-SPAM-STATUS: Spam detection results:  1 BAYES_00                 -1.9
 Bayes spam probability is 0 to 1% DKIMWL_WL_MED          -0.001 DKIMwl.org
 - Medium trust sender DKIM_SIGNED               0.1 Message has a DKIM or
 DK signature, not necessarily valid DKIM_VALID               -0.1 Message
 has at least one valid DKIM or DK signature HEADER_FROM_DIFFERENT_DOMAINS
 0.249 From and EnvelopeFrom 2nd level mail domains are different
 HTML_MESSAGE              0.2 HTML included in message HTTPS_HTTP_MISMATCH
      0.1 - KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure
 with Strict Alignment KAM_REALLYHUGEIMGSRC      0.5 Spam with image tags
 with ridiculously huge http urls RCVD_IN_MSPIKE_H2      -0.001 Average
 reputation (+2) RCVD_IN_UCEPROTECT1       1.5 Listed at
 dnsbl-1.uceprotect.net RCVD_IN_UCEPROTECT2         1 Network listed at
 dnsbl-2.uceprotect.net SPF_HELO_PASS          -0.001 SPF: HELO matches SPF
 record SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
X-SPAM-SCORE: 1
X-SPAM-LEVEL: *

How did PMG validate the DMARC/SPF?
 
please share the logs of those mails
 
Please advise which log you need.
the ones from the tracking center - alternatively (and preferred) /var/log/mail.log (and rotated variants) around the time these mails were sent
 
Code:
Jul 18 21:00:29 thanatos postfix/smtpd[626318]: connect from gw.d.sender-sib.com[77.32.148.23]

Jul 18 21:00:29 thanatos postfix/smtpd[626318]: Anonymous TLS connection established from gw.d.sender-sib.com[77.32.148.23]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256

Jul 18 21:00:29 thanatos postfix/smtpd[626318]: F401660C0B: client=gw.d.sender-sib.com[77.32.148.23]

Jul 18 21:00:30 thanatos postfix/cleanup[626323]: F401660C0B: message-id=<e9c25bd7-46ce-4a6a-b4e8-c2127a3afc78@smtp-relay.sendinblue.com>

Jul 18 21:00:30 thanatos postfix/qmgr[326390]: F401660C0B: from=<bounces-51598306-jon=domain.mk@gw.d.sender-sib.com>, size=9628, nrcpt=1 (queue active)

Jul 18 21:00:30 thanatos pmg-smtp-filter[623824]: 408FF62D5ADCE408CF: new mail message-id=<e9c25bd7-46ce-4a6a-b4e8-c2127a3afc78@smtp-relay.sendinblue.com>#012

Jul 18 21:00:33 thanatos pmg-smtp-filter[623824]: 408FF62D5ADCE408CF: SA score=0/5 time=3.287 bayes=0.00 autolearn=no autolearn_force=no hits=AWL(-0.010),BAYES_00(-1.9),DKIMWL_WL_MED(-0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(0.249),HTML_MESSAGE(0.2),HTTPS_HTTP_MISMATCH(0.1),KAM_DMARC_STATUS(0.01),KAM_REALLYHUGEIMGSRC(0.5),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001)

Jul 18 21:00:33 thanatos postfix/smtpd[626333]: connect from localhost.localdomain[127.0.0.1]

Jul 18 21:00:33 thanatos postfix/smtpd[626333]: 9646E60DBB: client=localhost.localdomain[127.0.0.1], orig_client=gw.d.sender-sib.com[77.32.148.23]

Jul 18 21:00:33 thanatos postfix/cleanup[626323]: 9646E60DBB: message-id=<e9c25bd7-46ce-4a6a-b4e8-c2127a3afc78@smtp-relay.sendinblue.com>

Jul 18 21:00:33 thanatos postfix/qmgr[326390]: 9646E60DBB: from=<bounces-51598306-jon=domain.mk@gw.d.sender-sib.com>, size=10842, nrcpt=1 (queue active)

Jul 18 21:00:33 thanatos pmg-smtp-filter[623824]: 408FF62D5ADCE408CF: accept mail to <jon@domain.mk> (9646E60DBB) (rule: default-accept)

Jul 18 21:00:33 thanatos postfix/smtpd[626333]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5

Jul 18 21:00:33 thanatos postfix/smtp[626281]: Trusted TLS connection established to sao.domain.net.mk[88.xx.98.xx]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)

Jul 18 21:00:33 thanatos pmg-smtp-filter[623824]: 408FF62D5ADCE408CF: processing time: 3.505 seconds (3.287, 0.037, 0)

Jul 18 21:00:33 thanatos postfix/lmtp[626324]: F401660C0B: to=<jon@domain.mk>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.1, delays=0.45/0.02/0/3.6, dsn=2.5.0, status=sent (250 2.5.0 OK (408FF62D5ADCE408CF))

Jul 18 21:00:33 thanatos postfix/qmgr[326390]: F401660C0B: removed

Jul 18 21:00:33 thanatos postfix/smtp[626281]: 9646E60DBB: to=<jon@livenetworks.mk>, relay=sao.domain.net.mk[88.xx.98.xx]:25, delay=0.38, delays=0.15/0/0.05/0.18, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CD7611C0009)

Jul 18 21:00:33 thanatos postfix/qmgr[326390]: 9646E60DBB: removed
 
Gmail SPF validator is working:

host gmail-smtp-in.l.google.com[142.251.5.27]
said: 550-5.7.26 This message does not pass authentication checks (SPF and
DKIM both 550-5.7.26 do not pass). SPF check for [glecer.eu.mk] does not
pass with ip: 550-5.7.26 [213.136.74.126].To best protect our users from
spam, the message 550-5.7.26 has been blocked. Please visit 550-5.7.26
https://support.google.com/mail/answer/81126#authentication for more 550
5.7.26 information. k1-20020a5d5181000000b0021e32dad88csi4159994wrv.22 -
gsmtp (in reply to end of DATA command)
 
+1 here

Code:
Jul 21 13:42:57 smtp25 postfix/postscreen[11177]: CONNECT from [77.32.148.24]:62646 to [91.XX.YY.ZZ]:25
Jul 21 13:43:03 smtp25 postfix/postscreen[11177]: PASS NEW [77.32.148.24]:62646
Jul 21 13:43:03 smtp25 postfix/smtpd[11179]: connect from gx.d.sender-sib.com[77.32.148.24]
Jul 21 13:43:03 smtp25 pmgpolicy[3711]: SPF says pass
Jul 21 13:43:03 smtp25 postfix/smtpd[11179]: 6CC4422B9D: client=gx.d.sender-sib.com[77.32.148.24]
Jul 21 13:43:03 smtp25 postfix/cleanup[12160]: 6CC4422B9D: message-id=<278508b1-0b15-48bf-beff-2d1a253b4735@smtp-relay.sendinblue.com>
Jul 21 13:43:03 smtp25 postfix/qmgr[4581]: 6CC4422B9D: from=<bounces-51598306-rrrr.gggg=gmail.com@gx.d.sender-sib.com>, size=9404, nrcpt=1 (queue active)
Jul 21 13:43:03 smtp25 pmg-smtp-filter[9279]: 2022/07/21-13:43:03 CONNECT TCP Peer: "[127.0.0.1]:39896" Local: "[127.0.0.1]:10024"
Jul 21 13:43:03 smtp25 pmg-smtp-filter[9279]: 126F62D93BC771DD7: new mail message-id=<278508b1-0b15-48bf-beff-2d1a253b4735@smtp-relay.sendinblue.com>#012
Jul 21 13:43:04 smtp25 pmg-smtp-filter[9279]: 126F62D93BC771DD7: SA score=1/5 time=1.017 bayes=0.00 autolearn=no autolearn_force=no hits=BAYES_00(-1.9),DKIM_ADSP_CUSTOM_MED(0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),FORGED_GMAIL_RCVD(1),FREEMAIL_FORGED_FROMDOMAIN(0.248),FREEMAIL_FROM(0.001),HEADER_FROM_DIFFERENT_DOMAINS(0.249),HTML_MESSAGE(0.001),HTTPS_HTTP_MISMATCH(0.1),KAM_REALLYHUGEIMGSRC(0.5),NML_ADSP_CUSTOM_MED(0.9),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001)
Jul 21 13:43:04 smtp25 postfix/smtpd[12165]: connect from localhost.localdomain[127.0.0.1]
Jul 21 13:43:04 smtp25 postfix/smtpd[12165]: 8787C22BA2: client=localhost.localdomain[127.0.0.1], orig_client=gx.d.sender-sib.com[77.32.148.24]
Jul 21 13:43:04 smtp25 postfix/cleanup[12160]: 8787C22BA2: message-id=<278508b1-0b15-48bf-beff-2d1a253b4735@smtp-relay.sendinblue.com>
Jul 21 13:43:04 smtp25 postfix/qmgr[4581]: 8787C22BA2: from=<bounces-51598306-rrrr.gggg=gmail.com@gx.d.sender-sib.com>, size=10782, nrcpt=1 (queue active)
Jul 21 13:43:04 smtp25 pmg-smtp-filter[9279]: 126F62D93BC771DD7: accept mail to <r.gggg@mycorporate.com> (8787C22BA2) (rule: default-accept)
Jul 21 13:43:04 smtp25 postfix/smtpd[12165]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jul 21 13:43:04 smtp25 pmg-smtp-filter[9279]: 126F62D93BC771DD7: processing time: 1.136 seconds (1.017, 0.041, 0)
Jul 21 13:43:04 smtp25 postfix/lmtp[12161]: 6CC4422B9D: to=<r.gggg@mycorporate.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.06/0/0/1.1, dsn=2.5.0, status=sent (250 2.5.0 OK (126F62D93BC771DD7))
Jul 21 13:43:04 smtp25 postfix/qmgr[4581]: 6CC4422B9D: removed
Jul 21 13:43:04 smtp25 postfix/smtp[12166]: 8787C22BA2: to=<r.gggg@mycorporate.com>, relay=mail.mycorporate.com[91.XX.YY.ZZ]:25, delay=0.06, delays=0.05/0/0.01/0, dsn=2.0.0, status=sent (250 ok 1658403784 qp 7606)
Jul 21 13:43:04 smtp25 postfix/qmgr[4581]: 8787C22BA2: removed
Jul 21 13:43:38 smtp25 postfix/smtpd[11179]: disconnect from gx.d.sender-sib.com[77.32.148.24] ehlo=1 mail=1 rcpt=1 data=1 commands=4
 
I have tried https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx as well. SPF Alignment OK, SPF Authenticated OK, DKIM Error.

So, how to protect from spoofing?

The tested domain was with following record

SPF: v=spf1 ip4:157.xx.78.xx -all

DMARC: v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:xxx; ruf=mailto:xxx; fo=0:1:d:s

As I realize, it is saying: you can receive @domain emails only from the 157.xx.78.xx. All others should be rejected.
 
sorry - overlooked this thread...
Any update on this?
for your original question:

just to be on the same page - your issue here is that the mail that dmarc-tester.com sends gets delivered by PMG?

If I understand their tests right (sadly I did not find a technical explanation on their page of what they're testing, only got the alarmist email about brand names not being protected)... the test is whether strict alignment is checked for a particular domain
(I found the explanation at https://dmarcly.com/blog/what-is-dmarc-identifier-alignment-domain-alignment quite approachable)

strict alignment checking is something that is not done by default by PMG (in that case by SpamAssassin as the relevant component)

usually if something is not done by default in SpamAssassin I take this as an indicator that it might lead to many false positives, due to those anti-spam technologies that come up every few years not being completely thought through (most of them do not work well with many mailinglists for example), or not deployed widely enough to warrant a hard blocking

In any case from a quick look at the headers I think that the SpamAssassin rule
KAM_DMARC_STATUS
should catch this particular thing - if you really want to block mails for domains which have a correct dmarc record with strict alignment configured - just create a custom score for that rule and set it to something high (10 or so)

If possible please update us after a while how this worked for you in practice (I think you might run into quite a few false positives - but would be happy to be proven wrong)

Apart from that - consider disabling bayes
BAYES_00 -1.9
as this usually is not really helping unless you put in quite some effort to train it

in general I can recommend the getting started page of the PMG wiki - which gives a few hints:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
 
almost - as far as your logs show - you used a '@gmail.com' address as sender ...
and gmail's dmarc policy is (for very good reasons) not strict:
Code:
 dig txt _dmarc.gmail.com +short
"v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"

I hope this explains it
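To make the two explanations above concrete (strict identifier alignment for the corporate domain, and why the gmail.com test was delivered under p=none), here is an added example that is not PMG, Postfix or SpamAssassin code. It takes the SPF/DKIM results and the DMARC records quoted in this thread as constructed inputs and computes the DMARC verdict; the `org_domain`, `aligned`, `parse_dmarc` and `evaluate_dmarc` helpers are this example's own, and organizational-domain detection is simplified to the last two labels instead of a Public Suffix List lookup.

```python
"""DMARC alignment check: an added example for this thread, not PMG/SpamAssassin
code. Inputs are constructed from the headers and records quoted above; SPF/DKIM
verification itself is assumed done (Received-SPF / Authentication-Results)."""
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into tags, with RFC defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain, the one the recipient sees
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_pass: bool
    dkim_domain: str   # d= of the signature that validated

def evaluate_dmarc(auth: AuthResult, record: str) -> tuple:
    """(dmarc_pass, disposition): DMARC passes only if an authenticated
    identifier is also aligned with From:, otherwise the p= policy applies."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(auth.from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_pass and aligned(auth.from_domain, auth.dkim_domain, tags["adkim"])
    return (True, "none") if spf_ok or dkim_ok else (False, tags["p"])

# Constructed from the thread: SPF and DKIM pass, but for sendinblue's domains.
TEST_MAIL = AuthResult("domain.mk", True, "aa.d.sender-sib.com", True, "sendinblue.com")
GMAIL_TEST = AuthResult("gmail.com", True, "gx.d.sender-sib.com", True, "sendinblue.com")
CORP_RECORD = "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s"
GMAIL_RECORD = "v=DMARC1; p=none; sp=quarantine"

if __name__ == "__main__":
    print(evaluate_dmarc(TEST_MAIL, CORP_RECORD))    # (False, 'reject')
    print(evaluate_dmarc(GMAIL_TEST, GMAIL_RECORD))  # (False, 'none')
```

Both test mails fail DMARC; the difference in what happened to them comes only from the p= tag of the From: domain's record, which is the check a receiver has to enforce (here via a raised KAM_DMARC_STATUS score) before the published policy means anything.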
 