[opendmarc-users] Fake mail (internal From: ourdomain) passed by opendmarc

Dominic Raferd dominic at timedicer.co.uk
Wed Mar 15 05:31:33 PDT 2017


On 15 March 2017 at 11:06, Gary McLean <gary.mclean at instinet.co.uk> wrote:
>> On 15 Mar 2017, at 11:02, Dominic Raferd <dominic at timedicer.co.uk> wrote:
>>
>> I am using opendmarc 1.3.2~Beta1-2, and hoping someone can
>> explain why in my setup opendmarc is failing to block an email which
>> is sent from outside and which has an internal 'From' header which
>> purports to be from one of our domains 'ourdomain1.co.uk'. This domain
>> is subject to dmarc policy p=reject but the email is passed by our
>> opendmarc anyway. I have obfuscated our domain and server names below
>> but otherwise the data is genuine:
>>
>> Incoming mail headers after processing through our postfix instance
>> (you can see Authentication-Results added by opendmarc and opendkim
>> milters and by postfix-policyd-spf-python):
>>
>> From wwwciroq at host.thenetshop.co.uk  Tue Mar 14 22:55:06 2017
>> Return-Path: <wwwciroq at host.thenetshop.co.uk>
>> Authentication-Results: ourdomain1.co.uk/E988D3E911; dmarc=none
>> (p=none dis=none) header.from=localhost
>> Authentication-Results: ourdomain1.co.uk; dkim=none; dkim-atps=neutral
>> Authentication-Results: ourdomain1.co.uk; spf=pass (sender SPF
>> authorized) smtp.helo=ciroqu.com (client-ip=178.63.169.147;
>> helo=ciroqu.com; envelope-from=wwwciroq at host.thenetshop.co.uk;
>> receiver=sally at ourdomain2.tld)
>> Received: from ciroqu.com (147.169.63.178-static.thenetshop.co.uk
>> [178.63.169.147])
>> by vps1234567.ourdomain1.co.uk (Postfix) with ESMTPS id E988D3E911
>> for <sally at ourdomain2.tld>; Tue, 14 Mar 2017 22:55:02 +0100 (CET)
>> Received: from wwwciroq by host.thenetshop.co.uk with local (Exim 4.88)
>> (envelope-from <wwwciroq at host.thenetshop.co.uk>)
>> id 1cnu93-0006fY-0d
>> for sally at ourdomain2.tld; Tue, 14 Mar 2017 21:38:17 +0000
>> To: sally at ourdomain2.tld
>> Subject:
>> =?utf-8?Q?=5biTunes=2dConnect=5dSomeone=20has=20been=20logged=20into=20your=20account=20from=20another=20country?=
>> X-PHP-Script: meridian.ciroqu.com/mm.php for 197.3.203.251
>> X-PHP-Originating-Script: 535:mm.php
>> Date: Tue, 14 Mar 2017 21:38:16 +0000
>> From: =?utf-8?Q?AppleID?= <root at ourdomain1.co.uk>
>> Message-ID: <630f3c03dbe36c18c195d61cb58819de at meridian.ciroqu.com>
>> ...
>>
>> The above email passes spf (correctly, based on envelope sender) and
>> opendkim (correctly, because there is no dkim key in the email) but
>> more mysteriously it passes opendmarc - maybe this is related to the
>> opendmarc message 'header.from=localhost' although the email has *not*
>> originated from the localhost (but the 'From:' header does pretend to
>> be from our domain 'ourdomain1.co.uk'). The email is sent on by our
>> postfix system to gmail which responds thus:
>>
>> 2E0A53ED08: to=<sallymailbox at gmail.com>,
>> orig_to=<sally at ourdomain2.tld>,
>> relay=gmail-smtp-in.l.google.com[74.125.195.26]:25, delay=0.5,
>> delays=0.04/0.12/0.13/0.21, dsn=5.7.1, status=bounced (host
>> gmail-smtp-in.l.google.com[74.125.195.26] said: 550-5.7.1
>> Unauthenticated email from ourdomain1.co.uk is not accepted due to
>> 550-5.7.1 domain's DMARC policy. Please contact the administrator of
>> 550-5.7.1 ourdomain1.co.uk domain if this was a legitimate mail.
>> Please 550-5.7.1 visit 550-5.7.1
>> https://support.google.com/mail/answer/2451690 to learn about the 550
>> 5.7.1 DMARC initiative. l62si6701928wrc.6 - gsmtp (in reply to end of
>> DATA command))
>>
>> So gmail correctly bounces the email because of our p=reject policy.
>> But why didn't our opendmarc milter bounce it first? Here are our
>> opendmarc settings:
>>
>> $ cat /etc/opendmarc.conf
>> PidFile /var/run/opendmarc/opendmarc.pid
>> RejectFailures true
>> Syslog true
>> UMask 0002
>> UserID opendmarc:opendmarc
>> PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
>> IgnoreAuthenticatedClients true
>> AuthservID  ourdomain1.co.uk
>> AuthservIDWithJobID yes
>> TrustedAuthservIDs ourdomain1.co.uk
>> IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
>> Socket inet:8893 at localhost
>>
>> $ cat /etc/postfix/opendmarc-ignorehosts.txt
>> 127.0.0.1
>> 192.168.100.0/23
>>
>> In my mail log I see an entry from opendmarc thus:
>> 2017-03-14 22:55:05 vps1234567 opendmarc[23616]: E988D3E911: localhost
>> none
>>
>> My theory at this stage is that because the email purports to be from
>> root at ourdomain1.co.uk (which is the same domain as the mail server,
>> though not the same FQDN) opendmarc has considered it to be from
>> 'localhost', it has then looked up 'localhost' (not
>> 'ourdomain1.co.uk') in its database, found no dmarc policy for any
>> domain called 'localhost' and hence passed the email. Which if true is
>> bizarre.
>>
>> Thanks for any input
>>
>> Dominic
>
> Carry out a dig txt on your domain from your postfix server and see what
> results you get back for your policy. You may be running a split dns
>
> You need to dig your policy from dns

Thanks, but I had never intended to run a split dns policy and can see
no signs of one. Why has opendmarc run a test based on
'header.from=localhost' instead of 'header.from=ourdomain1.co.uk'? It
was 'ourdomain1.co.uk' that appeared in the From: header. BTW
opendmarc is working fine on this server for other domains AFAIK.
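To make concrete what the milter should have computed for the message quoted above, here is an added example (not opendmarc's code and not from this thread): it extracts the RFC5322.From domain from the quoted From: header, checks relaxed identifier alignment against the SPF and DKIM results the other milters reported, and applies the published policy. The policy table and the tiny organizational-domain helper are stand-ins for the DNS _dmarc lookup and the public suffix list; the addresses are the thread's with the archive's "at" obfuscation undone.

```python
import email.utils

# Constructed sample: the headers quoted in the thread, with "@" restored.
HEADERS = {
    "From": "=?utf-8?Q?AppleID?= <root@ourdomain1.co.uk>",
    "Return-Path": "<wwwciroq@host.thenetshop.co.uk>",
}
# Results the other milters reported: SPF pass for the envelope-from domain,
# and no DKIM signatures at all (dkim=none).
SPF = ("pass", "host.thenetshop.co.uk")
DKIM = []
# Assumed stand-in for the _dmarc TXT record lookup (not a real DNS query).
DMARC_POLICIES = {"ourdomain1.co.uk": "p=reject; adkim=r; aspf=r"}

def org_domain(domain):
    """Toy organizational-domain helper: knows only the co.uk public suffix.
    opendmarc derives this from public_suffix_list.dat instead."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if labels[-2:] == ["co", "uk"] else 2
    return ".".join(labels[-n:])

def from_domain(from_header):
    """RFC5322.From domain: the part after '@' in the addr-spec, ignoring the
    (possibly RFC 2047 encoded) display name that the spoofer controls."""
    _name, addr = email.utils.parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def dmarc_evaluate(headers, spf, dkim, policies):
    """Return (dmarc_result, action) using relaxed alignment: the SPF or DKIM
    domain must share its organizational domain with the From: domain."""
    fd = from_domain(headers["From"])
    if fd is None:
        return "none", "accept"            # no usable From domain to look up
    policy = policies.get(fd) or policies.get(org_domain(fd))
    if policy is None:
        return "none", "accept"            # what a lookup of 'localhost' yields
    spf_aligned = spf[0] == "pass" and org_domain(spf[1]) == org_domain(fd)
    dkim_aligned = any(r == "pass" and org_domain(d) == org_domain(fd)
                       for r, d in dkim)
    if spf_aligned or dkim_aligned:
        return "pass", "accept"
    tags = dict(kv.strip().split("=", 1) for kv in policy.split(";") if "=" in kv)
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(tags["p"], "accept")

if __name__ == "__main__":
    print(dmarc_evaluate(HEADERS, SPF, DKIM, DMARC_POLICIES))   # ('fail', 'reject')
```

Feeding the same SPF/DKIM results with a From: domain of `localhost` returns `('none', 'accept')`, which is the outcome the log line and the dmarc=none Authentication-Results header describe; the difference between the two runs is entirely in which domain gets looked up.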