Sendmail - Reject or Quarantine incoming messages based on OpenDMARC result

kenfcamp
kenfcamp used Ask the Experts™
on
We've got a Linux server which has been running as a mail server (Sendmail) for years

DNS listings for SPF, DKIM, DMARC and ADSP has been in use for the past 3 months with no issues.

For DKIM we're using OpenDKIM and two days ago we've installed OpenDMARC and are still in the testing phase (We're not sending reports at this time)

BUT

For the life of me I can't figure out what I'm missing

I'm trying to figure out how to get Sendmail via OpenDMARC to follow an established policy of a received email by Rejecting or quarantining a email (as specified) if the message alignment fails .
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2017

Commented:
Unfortunately, you are not providing what you are seeing, your configuration...

https://www.stevejenkins.com/blog/2015/03/installing-opendmarc-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/

What error

DKIM handles outgoing ...
What do you have setup when the message is coming in, do you have milter ? what is processing the inbound message before it hits the queue for local delivery?
Thanks, google results are full of pages like that one, and none of them are very useful beyond installation

What error

?? There is no error

OpenDKIM verifies the the DKIM key of the incoming message are existent valid
OpenDMARC will then verify SPF and check the dmarc record for the sending domain as well as it's disposition policy for failures.

if SPF and DKIM match, they're aligned if not they're not aligned.

From there OpenDMARC (if configured) will send reports to the sending domain as requested by policy

The DMARC disposition policy tells the receiver exactly what the "actual" domain wants done with any message that fails
Cisco.com for example what the message rejected (dropped). Others may want the messages quarantined while most want nothing done (deliver them)

And that's where I'm stuck

There is absolutely no information on how to set that up..
Base operation of it all is fine

How to get (Reject/Quarantine/Deliver) based on policy results working is the issue
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

David FavorFractional CTO
Distinguished Expert 2018

Commented:
To expand arnold's comment, you seem to be mixing incoming + outgoing DNS records.

For example, you setting up SPF, DKIM, DMARC will have no effect on any received mail.

For received mail, you'll evaluate the SPF, SKIM, DMARC records for the message's envelop sender or From: address + then take action based on the DMARC mode they've set + if score of SPF + DKIM passing or failing.

In other words, you can't effect sender's policy, you can only act on the policy they've setup, so you'll only see changes for received email when the sender changes their policy.

So... your question requires clarification for best answers.
Yes

OpenDKIM and OpenDMARC are setup as milters to process incoming messages
In other words, you can't effect sender's policy, you can only act on the policy they've setup, so you'll only see changes for received email when the sender changes their policy.

I'm not trying to effect the senders policy? I'm trying to figure out how to act on it

In other words... How do I get Sendmail to Delete or Quarantine (based on policy) a message that OpenDMARC fails for being un-aligned
Distinguished Expert 2017

Commented:
ok which whose emails should they have quaranteened?

Not clear what your expectation is.

As David noted.
When your users send emails out, the emails are tagged DKIm?DMARC and the receiving end would need to enforce your domain's policy when validating the authentiticity of the message if they have it.

now if you send an email from an unauthorized source using the email address on the sendmail box, what happens to it?

adding on to what David.

DKIm/DMARC is an unofficial agreement between you and the part to whom you send the email if they have a similar setup, to validate the sender before accepting the message into processing.

You define your domain's policy i.e. if an email from someuser@mydomain.com does not meet the rules published reject the message.
The receiving server can be configured as strickt at which point a non-conforming email will be rejected, or it can be configured in a advisory type of mode where it would accept the message, but might tag it as a possible spam with other consideration determine for certain...

How did you configure your side, is it set to strickt enforcement.

i.e. if applying SPF record for mydomain.com which has v=spf1 MX A -all
if you see a message from a mydomain sender not originating from the MX or A recorsd, to reject it.
...
Distinguished Expert 2017

Commented:
please provide the referenced log entries so that I can see what ....
please provide the referenced log entries so that I can see wha

Actually that might help me clear things up...

Here you go

job wB7GVfUM004495
reporter sub.MY-domain.com
received 1544200303
ipaddr  xxx.xxx.xx.xxx  <-- NOT MY IP ADDRESS
from MY-domain.com
mfrom MY-domain.com
spf 7
pMY-domain.com  
policy 16 <-- POLICY TO ENFORCE - REJECT
rua mailto:postmaster@MY-domain.com
pct 100  
adkim 114
aspf 114
p 114 
sp 0
align_dkim 5 <-- NOT ALIGNED
align_spf 5  <-- NOT ALIGNED
action 2

Open in new window


The above is from a live test of a spoofed email dkim and spf failed DMARC Alignment and per policy the message (in this case) should be dropped (Rejected) .. But it's not It's getting delivered

The only option available (that I've found) trough the OpenDMARC configuration file is rejection of ALL failures
This leads me to believe there's more

But What

Documentation for this project is less than stellar
Distinguished Expert 2017

Commented:
It seems it responds, "action 2" what is your milter's setting when it sees action 2?

Not sure which log entries these are.
Not sure which log entries these are.

It's a processing log entry for 1 email by OpenDMARC

action 2

"action 2" means accept... Everything is accepted that's the point of the question ;)
Distinguished Expert 2017

Commented:
Check the config under which open dmarc assesses on what to do.

What is your domain's dmarc related setting says.

Double check whether it has a fall through rule,
David FavorFractional CTO
Distinguished Expert 2018

Commented:
Might be helpful if you provide one of the sender addresses you're having problems with.

Best to start by debugging the sender's DNS setup to have a good starting point.
Check the config under which open dmarc assesses on what to do.

No such luck

What is your domain's dmarc related setting says.

Double check whether it has a fall through rule,

The only option (currently disabled) is :

##  RejectFailures { true | false }
##      default "false"
##  
##  If set, messages will be rejected if they fail the DMARC evaluation, or
##  temp-failed if evaluation could not be completed.  By default, no message
##  will be rejected or temp-failed regardless of the outcome of the DMARC
##  evaluation of the message.  Instead, an Authentication-Results header
##  field will be added.
# 
# RejectFailures false

Open in new window


Based on the information it appears that "RejectFailures" will reject "all" failures regardless of the senders disposition setting.
I've been unable to find any information pointing otherwise which makes it useless

Everything else is for reports, headers, ignore lists, etc

I've attached a sample config if you want a peak

Ken
opendmarc.conf.sample
Might be helpful if you provide one of the sender addresses you're having problems with.

It's my DNS my Mail Server There are no problems Every thing works fine except Disposition handling (Reject/Quarantine/Pass) based on sending Domains DMARC record by Sendmail and/or OpenDMARC

I forged my own email from an external server to test

Everything worked except handling based on our policy (it got delivered instead of rejected)

DNS and outgoing mail is fine
After finally finding a little information on the process, it appears that setting
RejectFailures false

Open in new window

to
RejectFailures true

Open in new window

might actually answer the question

The only thing I hate more than poorly documented software, is poorly worded comments regarding functions :\

I'm testing now, but given it's Saturday mail flow is low so it'll take a while until I get enough traffic to verify variances

Ken
Yea... That was it :\
Despite the wording within the config files comments, un-commenting
RejectFailures

Open in new window

and setting it to true will cause messages to be Rejected or Quarantined based on the Domains DMARC disposition setting "IF" present. If the Disposition is "None" then the message gets delivered

This is the functionality which should be expected

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial