Sendmail - Reject or Quarantine incoming messages based on OpenDMARC result

kenfcamp asked:

We've got a Linux server which has been running as a mail server (Sendmail) for years

DNS listings for SPF, DKIM, DMARC and ADSP have been in use for the past 3 months with no issues.

For DKIM we're using OpenDKIM and two days ago we've installed OpenDMARC and are still in the testing phase (We're not sending reports at this time)

BUT

For the life of me I can't figure out what I'm missing

I'm trying to figure out how to get Sendmail via OpenDMARC to follow an established policy of a received email by rejecting or quarantining an email (as specified) if the message alignment fails.
arnold:

Unfortunately, you are not providing what you are seeing, your configuration...

https://www.stevejenkins.com/blog/2015/03/installing-opendmarc-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/

What error?

DKIM handles outgoing ...
What do you have set up when the message is coming in? Do you have a milter? What is processing the inbound message before it hits the queue for local delivery?
kenfcamp (asker):

Thanks. Google results are full of pages like that one, and none of them are very useful beyond installation.

What error

?? There is no error

OpenDKIM verifies that the DKIM key of the incoming message exists and is valid.
OpenDMARC will then verify SPF and check the DMARC record for the sending domain as well as its disposition policy for failures.

If SPF and DKIM match, they're aligned; if not, they're not aligned.

From there OpenDMARC (if configured) will send reports to the sending domain as requested by policy

The DMARC disposition policy tells the receiver exactly what the "actual" domain wants done with any message that fails.
Cisco.com, for example, wants the message rejected (dropped). Others may want the messages quarantined, while most want nothing done (deliver them).

And that's where I'm stuck

There is absolutely no information on how to set that up.
Base operation of it all is fine

How to get (Reject/Quarantine/Deliver) based on policy results working is the issue
To expand arnold's comment, you seem to be mixing incoming + outgoing DNS records.

For example, your setting up SPF, DKIM, DMARC will have no effect on any received mail.

For received mail, you'll evaluate the SPF, DKIM, DMARC records for the message's envelope sender or From: address + then take action based on the DMARC mode they've set + whether SPF + DKIM pass or fail.

In other words, you can't affect the sender's policy, you can only act on the policy they've set up, so you'll only see changes for received email when the sender changes their policy.

So... your question requires clarification for best answers.
Yes

OpenDKIM and OpenDMARC are set up as milters to process incoming messages.
In other words, you can't affect the sender's policy, you can only act on the policy they've set up, so you'll only see changes for received email when the sender changes their policy.

I'm not trying to affect the sender's policy. I'm trying to figure out how to act on it.

In other words... How do I get Sendmail to delete or quarantine (based on policy) a message that OpenDMARC fails for being unaligned?
OK, whose emails should they have quarantined?

Not clear what your expectation is.

As David noted.
When your users send emails out, the emails are tagged DKIM/DMARC and the receiving end would need to enforce your domain's policy when validating the authenticity of the message, if they have it.

Now, if you send an email from an unauthorized source using the email address on the sendmail box, what happens to it?

Adding on to what David said:

DKIM/DMARC is an unofficial agreement between you and the party to whom you send the email, if they have a similar setup, to validate the sender before accepting the message into processing.

You define your domain's policy, i.e. if an email from someuser@mydomain.com does not meet the rules published, reject the message.
The receiving server can be configured as strict, at which point a non-conforming email will be rejected, or it can be configured in an advisory type of mode where it would accept the message, but might tag it as possible spam with other considerations to determine for certain...

How did you configure your side? Is it set to strict enforcement?

i.e. if applying the SPF record for mydomain.com, which has v=spf1 MX A -all,
and you see a message from a mydomain sender not originating from the MX or A records, reject it.
...
please provide the referenced log entries so that I can see what ....
please provide the referenced log entries so that I can see wha

Actually that might help me clear things up...

Here you go

job wB7GVfUM004495
reporter sub.MY-domain.com
received 1544200303
ipaddr  xxx.xxx.xx.xxx  <-- NOT MY IP ADDRESS
from MY-domain.com
mfrom MY-domain.com
spf 7
pMY-domain.com  
policy 16 <-- POLICY TO ENFORCE - REJECT
rua mailto:postmaster@MY-domain.com
pct 100  
adkim 114
aspf 114
p 114 
sp 0
align_dkim 5 <-- NOT ALIGNED
align_spf 5  <-- NOT ALIGNED
action 2

The above is from a live test of a spoofed email: DKIM and SPF failed DMARC alignment and per policy the message (in this case) should be dropped (rejected). But it's not; it's getting delivered.

The only option available (that I've found) through the OpenDMARC configuration file is rejection of ALL failures.
This leads me to believe there's more.

But what?

Documentation for this project is less than stellar
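As an added example (not from this thread or the OpenDMARC project), a small Python audit that reads records in the history format quoted above and flags messages where the sender's published policy asked for reject or quarantine but OpenDMARC still logged action 2 (accept). It assumes p/sp are logged as the ASCII code of the tag value, that align_* 5 means "not aligned" (as annotated above), that action codes 0/1/2/3 follow libopendmarc's reject/quarantine/accept/tempfail order, and that a pdomain key carries the policy domain; the sample record is constructed from the one posted.

```python
# Constructed sample, modelled on the record quoted above (poster's
# placeholders kept; key names as OpenDMARC writes them).
SAMPLE_HISTORY = """\
job wB7GVfUM004495
from MY-domain.com
pct 100
adkim 114
aspf 114
p 114
sp 0
align_dkim 5
align_spf 5
action 2
"""

# Assumptions: p/sp hold the ASCII code of the record's tag value ('r'=114
# reject, 'q'=113 quarantine, 'n'=110 none); align_* 5 means "not aligned"
# (as annotated above); action codes follow libopendmarc's DMARC_RESULT_*
# order: 0 reject, 1 quarantine, 2 accept, 3 tempfail.
ALIGN_FAIL = 5
ACTION_NAMES = {0: "reject", 1: "quarantine", 2: "accept", 3: "tempfail"}
POLICY_TO_ACTION = {"r": 0, "q": 1, "n": 2}

def parse_record(text):
    """Turn 'key value' lines into a dict; lines without a value are skipped."""
    rec = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            rec[parts[0]] = parts[1].strip()
    return rec

def expected_action(rec):
    """Action the sender's policy asks for, given the alignment results."""
    if any(int(rec.get(k, ALIGN_FAIL)) != ALIGN_FAIL
           for k in ("align_dkim", "align_spf")):
        return 2  # at least one identifier aligned: DMARC passes
    tag = int(rec.get("p", "110"))
    # sp overrides p for a subdomain From: domain; sp 0 means not published.
    pdom = rec.get("pdomain")
    if pdom and rec.get("from") != pdom and int(rec.get("sp", "0")):
        tag = int(rec["sp"])
    return POLICY_TO_ACTION.get(chr(tag), 2)

def audit(text):
    rec = parse_record(text)
    want, got = expected_action(rec), int(rec.get("action", "2"))
    sampled = int(rec.get("pct", "100")) < 100  # pct<100: sampling may apply
    return {"job": rec.get("job"), "expected": ACTION_NAMES[want],
            "actual": ACTION_NAMES[got], "gap": want != got and not sampled}
```

Run over a real history file by splitting it into per-job records; a "gap" of True on a pct=100 domain is the symptom described in this thread.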
It seems it responds "action 2". What is your milter's setting when it sees action 2?

Not sure which log entries these are.
Not sure which log entries these are.

It's a processing log entry for 1 email by OpenDMARC

action 2

"action 2" means accept... Everything is accepted; that's the point of the question ;)
Check the config under which OpenDMARC assesses what to do.

What does your domain's DMARC-related setting say?

Double check whether it has a fall-through rule.
Might be helpful if you provide one of the sender addresses you're having problems with.

Best to start by debugging the sender's DNS setup to have a good starting point.
Check the config under which OpenDMARC assesses what to do.

No such luck

What does your domain's DMARC-related setting say?

Double check whether it has a fall-through rule.

The only option (currently disabled) is:

##  RejectFailures { true | false }
##      default "false"
##  
##  If set, messages will be rejected if they fail the DMARC evaluation, or
##  temp-failed if evaluation could not be completed.  By default, no message
##  will be rejected or temp-failed regardless of the outcome of the DMARC
##  evaluation of the message.  Instead, an Authentication-Results header
##  field will be added.
# 
# RejectFailures false

Based on the information, it appears that "RejectFailures" will reject "all" failures regardless of the sender's disposition setting.
I've been unable to find any information pointing otherwise, which makes it useless.

Everything else is for reports, headers, ignore lists, etc

I've attached a sample config if you want a peek.

Ken
(attachment: opendmarc.conf.sample)
Might be helpful if you provide one of the sender addresses you're having problems with.

It's my DNS, my mail server. There are no problems; everything works fine except disposition handling (Reject/Quarantine/Pass) based on the sending domain's DMARC record by Sendmail and/or OpenDMARC.

I forged my own email from an external server to test

Everything worked except handling based on our policy (it got delivered instead of rejected)

DNS and outgoing mail is fine
After finally finding a little information on the process, it appears that changing

RejectFailures false

to

RejectFailures true

might actually answer the question.

The only thing I hate more than poorly documented software, is poorly worded comments regarding functions :\

I'm testing now, but given it's Saturday mail flow is low so it'll take a while until I get enough traffic to verify variances

Ken
Yea... That was it :\