[opendmarc-users] Fake mail (internal From: ourdomain) passed by opendmarc
Dominic Raferd
dominic at timedicer.co.uk
Wed Mar 15 03:55:42 PDT 2017
I am using opendmarc 1.3.2~Beta1-2, and hoping someone can
explain why in my setup opendmarc is failing to block an email which
is sent from outside and which has an internal 'From' header which
purports to be from one of our domains 'ourdomain1.co.uk'. This domain
is subject to dmarc policy p=reject but the email is passed by our
opendmarc anyway. I have obfuscated our domain and server names below
but otherwise the data is genuine:
Incoming mail headers after processing through our postfix instance
(you can see Authentication-Results added by opendmarc and opendkim
milters and by postfix-policyd-spf-python):
From wwwciroq at host.thenetshop.co.uk Tue Mar 14 22:55:06 2017
Return-Path: <wwwciroq at host.thenetshop.co.uk>
Authentication-Results: ourdomain1.co.uk/E988D3E911; dmarc=none
(p=none dis=none) header.from=localhost
Authentication-Results: ourdomain1.co.uk; dkim=none; dkim-atps=neutral
Authentication-Results: ourdomain1.co.uk; spf=pass (sender SPF
authorized) smtp.helo=ciroqu.com (client-ip=178.63.169.147;
helo=ciroqu.com; envelope-from=wwwciroq at host.thenetshop.co.uk;
receiver=sally at ourdomain2.tld)
Received: from ciroqu.com (147.169.63.178-static.thenetshop.co.uk
[178.63.169.147])
by vps1234567.ourdomain1.co.uk (Postfix) with ESMTPS id E988D3E911
for <sally at ourdomain2.tld>; Tue, 14 Mar 2017 22:55:02 +0100 (CET)
Received: from wwwciroq by host.thenetshop.co.uk with local (Exim 4.88)
(envelope-from <wwwciroq at host.thenetshop.co.uk>)
id 1cnu93-0006fY-0d
for sally at ourdomain2.tld; Tue, 14 Mar 2017 21:38:17 +0000
To: sally at ourdomain2.tld
Subject: =?utf-8?Q?=5biTunes=2dConnect=5dSomeone=20has=20been=20logged=20into=20your=20account=20from=20another=20country?=
X-PHP-Script: meridian.ciroqu.com/mm.php for 197.3.203.251
X-PHP-Originating-Script: 535:mm.php
Date: Tue, 14 Mar 2017 21:38:16 +0000
From: =?utf-8?Q?AppleID?= <root at ourdomain1.co.uk>
Message-ID: <630f3c03dbe36c18c195d61cb58819de at meridian.ciroqu.com>
...
The above email passes spf (correctly, based on envelope sender) and
opendkim (correctly, because there is no dkim key in the email) but
more mysteriously it passes opendmarc - maybe this is related to the
opendmarc message 'header.from=localhost' although the email has *not*
originated from the localhost (but the 'From:' header does pretend to
be from our domain 'ourdomain1.co.uk'). The email is sent on by our
postfix system to gmail which responds thus:
2E0A53ED08: to=<sallymailbox at gmail.com>,
orig_to=<sally at ourdomain2.tld>,
relay=gmail-smtp-in.l.google.com[74.125.195.26]:25, delay=0.5,
delays=0.04/0.12/0.13/0.21, dsn=5.7.1, status=bounced (host
gmail-smtp-in.l.google.com[74.125.195.26] said: 550-5.7.1
Unauthenticated email from ourdomain1.co.uk is not accepted due to
550-5.7.1 domain's DMARC policy. Please contact the administrator of
550-5.7.1 ourdomain1.co.uk domain if this was a legitimate mail.
Please 550-5.7.1 visit 550-5.7.1
https://support.google.com/mail/answer/2451690 to learn about the 550
5.7.1 DMARC initiative. l62si6701928wrc.6 - gsmtp (in reply to end of
DATA command))
So gmail correctly bounces the email because of our p=reject policy.
But why didn't our opendmarc milter bounce it first? Here are our
opendmarc settings:
$ cat /etc/opendmarc.conf
PidFile /var/run/opendmarc/opendmarc.pid
RejectFailures true
Syslog true
UMask 0002
UserID opendmarc:opendmarc
PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
IgnoreAuthenticatedClients true
AuthservID ourdomain1.co.uk
AuthservIDWithJobID yes
TrustedAuthservIDs ourdomain1.co.uk
IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
Socket inet:8893 at localhost
$ cat /etc/postfix/opendmarc-ignorehosts.txt
127.0.0.1
192.168.100.0/23
In my mail log I see an entry from opendmarc thus:
2017-03-14 22:55:05 vps1234567 opendmarc[23616]: E988D3E911: localhost none
My theory at this stage is that because the email purports to be from
root at ourdomain1.co.uk (which is the same domain as the mail server,
though not the same FQDN) opendmarc has considered it to be from
'localhost', it has then looked up 'localhost' (not
'ourdomain1.co.uk') in its database, found no dmarc policy for any
domain called 'localhost' and hence passed the email. Which if true is
bizarre.
Thanks for any input
Dominic
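Added example (not part of the post and not opendmarc's code): a small DMARC alignment check run over the headers quoted above, to show the verdict a DMARC evaluator should reach for this message versus the verdict it reaches if it looks up "localhost" instead of the From: domain. The message headers are reconstructed from the post (the archive's " at " is restored to "@"; the poster's obfuscated domain names are kept), the _dmarc TXT lookup is replaced by an inline table holding only what the post states (ourdomain1.co.uk publishes p=reject), and a two-entry suffix set stands in for the public suffix list named in the config. All of those are assumptions made for the example; it does not claim to know why opendmarc reported header.from=localhost.

```python
"""Added example: DMARC alignment check over the headers quoted in the post.

Not opendmarc's code. DNS is replaced by inline tables so the script runs
offline; the message is reconstructed from the post with '@' restored.
"""
import email
import re
from email import policy

# Constructed from the headers quoted in the post ('@' restored, poster's
# obfuscated domain names kept). The first Authentication-Results line is
# the one opendmarc itself added.
RAW_MESSAGE = """\
Return-Path: <wwwciroq@host.thenetshop.co.uk>
Authentication-Results: ourdomain1.co.uk/E988D3E911; dmarc=none (p=none dis=none) header.from=localhost
Authentication-Results: ourdomain1.co.uk; dkim=none; dkim-atps=neutral
Authentication-Results: ourdomain1.co.uk; spf=pass (sender SPF authorized) smtp.helo=ciroqu.com (client-ip=178.63.169.147; helo=ciroqu.com; envelope-from=wwwciroq@host.thenetshop.co.uk; receiver=sally@ourdomain2.tld)
Received: from ciroqu.com (147.169.63.178-static.thenetshop.co.uk [178.63.169.147]) by vps1234567.ourdomain1.co.uk (Postfix) with ESMTPS id E988D3E911 for <sally@ourdomain2.tld>; Tue, 14 Mar 2017 22:55:02 +0100 (CET)
To: sally@ourdomain2.tld
Subject: =?utf-8?Q?=5biTunes=2dConnect=5dSomeone=20has=20been=20logged=20into=20your=20account?=
From: =?utf-8?Q?AppleID?= <root@ourdomain1.co.uk>
Message-ID: <630f3c03dbe36c18c195d61cb58819de@meridian.ciroqu.com>

(body omitted)
"""

# Stand-in for the _dmarc.<domain> TXT lookup. The post only says the
# domain is under p=reject, so that is all the record carries. 'localhost'
# has no entry, as it has none in real DNS.
DMARC_RECORDS = {"ourdomain1.co.uk": "v=DMARC1; p=reject"}

# Assumed stand-in for the public suffix list the config points at.
PUBLIC_SUFFIXES = {"uk", "co.uk"}


def parse_message(raw=RAW_MESSAGE):
    return email.message_from_string(raw, policy=policy.default)


def organizational_domain(domain):
    """Longest public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def from_domain(msg):
    """RFC5322.From domain: the identifier DMARC is evaluated against."""
    header = msg["From"]
    if header is None or len(header.addresses) != 1:
        return None  # no single From domain, so no DMARC verdict
    return header.addresses[0].domain.lower()


def authentication_results(msg):
    """SPF/DKIM outcomes recorded upstream, with the domain each authenticated."""
    out = {"spf": None, "spf_domain": None, "dkim": None, "dkim_domain": None}
    for value in msg.get_all("Authentication-Results", []):
        text = str(value)
        m = re.search(r"\bspf=(\w+)", text)
        if m:
            out["spf"] = m.group(1)
            d = re.search(r"envelope-from=([^;\s)]+)", text)
            if d:  # SPF authenticates the MAIL FROM domain, not the From: header
                out["spf_domain"] = d.group(1).rsplit("@", 1)[-1].lower()
        m = re.search(r"\bdkim=(\w+)", text)
        if m:
            out["dkim"] = m.group(1)
            d = re.search(r"header\.d=([^;\s)]+)", text)
            if d:
                out["dkim_domain"] = d.group(1).lower()
    return out


def aligned(auth_domain, rfc5322_from, mode="r"):
    """Relaxed alignment compares organizational domains; strict, exact names."""
    if not auth_domain or not rfc5322_from:
        return False
    if mode == "s":
        return auth_domain == rfc5322_from
    return organizational_domain(auth_domain) == organizational_domain(rfc5322_from)


def lookup_policy(domain):
    """Exact domain first, then its organizational domain; None if no record."""
    for candidate in (domain, organizational_domain(domain)):
        record = DMARC_RECORDS.get(candidate)
        if record:
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return candidate, tags
    return None, None


def evaluate_dmarc(msg, policy_domain_override=None):
    """DMARC verdict for msg; the override reproduces a lookup on the wrong name."""
    hdr_from = from_domain(msg)
    auth = authentication_results(msg)
    policy_domain, tags = lookup_policy(policy_domain_override or hdr_from or "")
    aspf = tags.get("aspf", "r") if tags else "r"
    adkim = tags.get("adkim", "r") if tags else "r"
    spf_aligned = auth["spf"] == "pass" and aligned(auth["spf_domain"], hdr_from, aspf)
    dkim_aligned = auth["dkim"] == "pass" and aligned(auth["dkim_domain"], hdr_from, adkim)
    if tags is None:
        result, disposition = "none", "none"  # nothing published for that name
    elif spf_aligned or dkim_aligned:
        result, disposition = "pass", "none"
    else:
        result, disposition = "fail", tags.get("p", "none")
    return {"header_from": hdr_from, "policy_domain": policy_domain, "spf": auth["spf"],
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "result": result, "disposition": disposition}


if __name__ == "__main__":
    message = parse_message()
    print("From: domain    ", evaluate_dmarc(message))
    print("lookup localhost", evaluate_dmarc(message, policy_domain_override="localhost"))
```

Run with python3; the first line shows the verdict for the From: domain (SPF passed for host.thenetshop.co.uk, which is not aligned with ourdomain1.co.uk, no DKIM signature, so dmarc=fail with disposition reject), and the second shows that a lookup for "localhost" finds no record and yields dmarc=none, which is what the opendmarc Authentication-Results line and the "E988D3E911: localhost none" log entry in the post record.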