Sendmail - Reject or Quarantine incoming messages based on OpenDMARC result

We've got a Linux server which has been running as a mail server (Sendmail) for years.

DNS listings for SPF, DKIM, DMARC and ADSP have been in use for the past 3 months with no issues.

For DKIM we're using OpenDKIM, and two days ago we installed OpenDMARC and are still in the testing phase (we're not sending reports at this time).

BUT

For the life of me I can't figure out what I'm missing.

I'm trying to figure out how to get Sendmail, via OpenDMARC, to follow the established policy of a received email by rejecting or quarantining an email (as specified) if the message alignment fails.
kenfcampAsked:

arnoldCommented:
Unfortunately, you are not providing what you are seeing, your configuration...

https://www.stevejenkins.com/blog/2015/03/installing-opendmarc-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/

What error

DKIM handles outgoing ...
What do you have set up when the message is coming in? Do you have a milter? What is processing the inbound message before it hits the queue for local delivery?
kenfcampAuthor Commented:
Thanks. Google results are full of pages like that one, and none of them are very useful beyond installation.

What error

?? There is no error

OpenDKIM verifies that the DKIM key of the incoming message exists and is valid.
OpenDMARC will then verify SPF and check the DMARC record for the sending domain, as well as its disposition policy for failures.

If SPF and DKIM match, they're aligned; if not, they're not aligned.

From there OpenDMARC (if configured) will send reports to the sending domain as requested by policy.

The DMARC disposition policy tells the receiver exactly what the "actual" domain wants done with any message that fails.
Cisco.com, for example, wants the message rejected (dropped). Others may want the messages quarantined, while most want nothing done (deliver them).

And that's where I'm stuck.

There is absolutely no information on how to set that up.
kenfcampAuthor Commented:
Base operation of it all is fine.

How to get (Reject/Quarantine/Deliver) based on policy results working is the issue.

David FavorLinux/LXD/WordPress/Hosting SavantCommented:
To expand arnold's comment, you seem to be mixing incoming + outgoing DNS records.

For example, your setting up SPF, DKIM, DMARC will have no effect on any received mail.

For received mail, you'll evaluate the SPF, DKIM, DMARC records for the message's envelope sender or From: address, then take action based on the DMARC mode they've set and on whether SPF + DKIM pass or fail.

In other words, you can't affect the sender's policy, you can only act on the policy they've set up, so you'll only see changes for received email when the sender changes their policy.

So... your question requires clarification for best answers.
kenfcampAuthor Commented:
Yes.

OpenDKIM and OpenDMARC are set up as milters to process incoming messages.
kenfcampAuthor Commented:
In other words, you can't affect the sender's policy, you can only act on the policy they've set up, so you'll only see changes for received email when the sender changes their policy.

I'm not trying to affect the sender's policy. I'm trying to figure out how to act on it.

In other words... how do I get Sendmail to delete or quarantine (based on policy) a message that OpenDMARC fails for being unaligned?
arnoldCommented:
OK, which/whose emails should have been quarantined?

Not clear what your expectation is.

As David noted.
When your users send emails out, the emails are tagged DKIM/DMARC and the receiving end would need to enforce your domain's policy when validating the authenticity of the message, if they have it.

Now, if you send an email from an unauthorized source using the email address on the sendmail box, what happens to it?

Adding on to what David said:

DKIM/DMARC is an unofficial agreement between you and the party to whom you send the email, if they have a similar setup, to validate the sender before accepting the message into processing.

You define your domain's policy, i.e. if an email from someuser@mydomain.com does not meet the rules published, reject the message.
The receiving server can be configured as strict, at which point a non-conforming email will be rejected, or it can be configured in an advisory type of mode where it would accept the message but might tag it as possible spam, with other considerations determining for certain...

How did you configure your side? Is it set to strict enforcement?

i.e. if applying the SPF record for mydomain.com, which has v=spf1 MX A -all,
if you see a message from a mydomain sender not originating from the MX or A records, reject it.
...
arnoldCommented:
Please provide the referenced log entries so that I can see what ....
kenfcampAuthor Commented:
Please provide the referenced log entries so that I can see what ....

Actually that might help me clear things up...

Here you go:

job wB7GVfUM004495
reporter sub.MY-domain.com
received 1544200303
ipaddr  xxx.xxx.xx.xxx  <-- NOT MY IP ADDRESS
from MY-domain.com
mfrom MY-domain.com
spf 7
pMY-domain.com  
policy 16 <-- POLICY TO ENFORCE - REJECT
rua mailto:postmaster@MY-domain.com
pct 100  
adkim 114
aspf 114
p 114 
sp 0
align_dkim 5 <-- NOT ALIGNED
align_spf 5  <-- NOT ALIGNED
action 2
The above is from a live test of a spoofed email: DKIM and SPF failed DMARC alignment, and per policy the message (in this case) should be dropped (rejected). But it's not; it's getting delivered.

The only option available (that I've found) through the OpenDMARC configuration file is rejection of ALL failures.
This leads me to believe there's more.

But what?

Documentation for this project is less than stellar.
arnoldCommented:
It seems it responds "action 2". What is your milter's setting when it sees action 2?

Not sure which log entries these are.
kenfcampAuthor Commented:
Not sure which log entries these are.

It's a processing log entry for 1 email by OpenDMARC.

action 2

"action 2" means accept... Everything is accepted that's the point of the question ;)
arnoldCommented:
Check the config under which OpenDMARC assesses what to do.

What does your domain's DMARC-related setting say?

Double check whether it has a fall-through rule.
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
Might be helpful if you provide one of the sender addresses you're having problems with.

Best to start by debugging the sender's DNS setup to have a good starting point.
kenfcampAuthor Commented:
Check the config under which OpenDMARC assesses what to do.

No such luck.

What does your domain's DMARC-related setting say?

Double check whether it has a fall-through rule.

The only option (currently disabled) is:

##  RejectFailures { true | false }
##      default "false"
##  
##  If set, messages will be rejected if they fail the DMARC evaluation, or
##  temp-failed if evaluation could not be completed.  By default, no message
##  will be rejected or temp-failed regardless of the outcome of the DMARC
##  evaluation of the message.  Instead, an Authentication-Results header
##  field will be added.
# 
# RejectFailures false
Based on the information, it appears that "RejectFailures" will reject "all" failures regardless of the sender's disposition setting.
I've been unable to find any information pointing otherwise, which makes it useless.

Everything else is for reports, headers, ignore lists, etc.

I've attached a sample config if you want a peek.

Ken
opendmarc.conf.sample
kenfcampAuthor Commented:
Might be helpful if you provide one of the sender addresses you're having problems with.

It's my DNS, my mail server. There are no problems. Everything works fine except disposition handling (Reject/Quarantine/Pass) based on the sending domain's DMARC record by Sendmail and/or OpenDMARC.

I forged my own email from an external server to test.

Everything worked except handling based on our policy (it got delivered instead of rejected).

DNS and outgoing mail are fine.
kenfcampAuthor Commented:
After finally finding a little information on the process, it appears that setting

RejectFailures false

to

RejectFailures true

might actually answer the question.

The only thing I hate more than poorly documented software, is poorly worded comments regarding functions :\

I'm testing now, but given it's Saturday mail flow is low, so it'll take a while until I get enough traffic to verify variances.

Ken
kenfcampAuthor Commented:
Yea... That was it :\
kenfcampAuthor Commented:
Despite the wording within the config file's comments, un-commenting

RejectFailures

and setting it to true will cause messages to be rejected or quarantined based on the domain's DMARC disposition setting, "IF" present. If the disposition is "None" then the message gets delivered.

This is the functionality which should be expected.
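An added example (not from this thread or the OpenDMARC project) that turns the diagnosis in this thread into a repeatable check: it parses OpenDMARC history records in the key/value format shown earlier and flags messages where the sender's published policy demanded reject or quarantine but the final action was still accept, which is exactly the symptom RejectFailures false produces. The codes policy 16, align_* 5 and action 2 are the thread's own annotations; POLICY_QUARANTINE, ACTION_REJECT and ACTION_QUARANTINE are assumed values for the same OpenDMARC version, and the sample record is constructed.

```python
# Codes the thread annotates (OpenDMARC 1.3.x history file)
POLICY_REJECT = 16      # "policy 16 <-- POLICY TO ENFORCE - REJECT"
ALIGN_FAIL = 5          # "align_dkim 5 <-- NOT ALIGNED"
ACTION_ACCEPT = 2       # "action 2" means accept
# Assumed for the same version; not stated in the thread
POLICY_QUARANTINE = 17
ACTION_REJECT = 0
ACTION_QUARANTINE = 4

def parse_history(text):
    """Split the key/value history file into one dict per message."""
    records = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "job":            # each record starts with its queue id
            records.append({})
        if key and records:
            records[-1][key] = value.strip()
    return records

def enforcement_gap(rec):
    """Return '' if the action honours the sender's policy, else the reason."""
    if any(rec.get(k) != str(ALIGN_FAIL) for k in ("align_dkim", "align_spf")):
        return ""   # not both identifiers marked unaligned: nothing to enforce
    policy = int(rec.get("policy", "0"))
    action = int(rec.get("action", str(ACTION_ACCEPT)))
    if policy == POLICY_REJECT and action != ACTION_REJECT:
        return "p=reject but action=%d; check RejectFailures" % action
    if policy == POLICY_QUARANTINE and action not in (ACTION_REJECT, ACTION_QUARANTINE):
        return "p=quarantine but action=%d; check RejectFailures" % action
    return ""

def audit(text):
    """(job id, reason) for every record whose action ignored the policy."""
    return [(r.get("job", "?"), enforcement_gap(r))
            for r in parse_history(text) if enforcement_gap(r)]

# Constructed sample: the thread's record, trimmed, with placeholder names
SAMPLE = """job wB7GVfUM004495
from example.com
policy 16
align_dkim 5
align_spf 5
action 2
"""

if __name__ == "__main__":
    for job, reason in audit(SAMPLE):
        print(job, reason)
```

Point it at the real history file (the HistoryFile setting in opendmarc.conf) to confirm that, once RejectFailures is true, records with policy 16 or 17 and both alignments failed no longer end in action 2.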
