Zimbra Forums

Zimbra Collaboration & Zimbra Desktop Forums
https://forums.zimbra.org/

[v8.8.11_GA_FOSS] Problem with DMARC_FAIL_REJECT from different mailserver in own DMZ

https://forums.zimbra.org/viewtopic.php?t=65524

Page 1 of 1

[v8.8.11_GA_FOSS] Problem with DMARC_FAIL_REJECT from different mailserver in own DMZ

Posted: Thu Jan 31, 2019 8:47 pm
by zcs8user
Hi to all of you,

recently (2018 december) I set up a new Zimbra mail server on Ubuntu 16.04 x64 as an ESXi guest.
Everything is working fine, except one thing I noticed.

When a second mailserver (ESXi guest, Ubuntu 18.04 x64), completely built on my own (also 2018 december) holding multiple domains with SPF, DKIM and DMARC configured is sending mail to my zimbra server, I always get DMARC_FAIL_REJECT and the mail goes into spam folder.

Both servers are on the same ESXi host in my own DMZ. Both are configured for SPF, DKIM and DMARC.
I have no idea where to start to explore the problem and how to solve it, if there is any chance to.
First I had a look at the mail header of the mail my zimbra server received and tagged as spam.

Here are the headers of the last mail.

Code: Select all

Return-Path: <customer@customerdomain.com>
Received: from myzimbraserver.mydomain.com (LHLO myzimbraserver.mydomain.com) (123.123.123.123) by
 myzimbraserver.mydomain.com with LMTP; Thu, 31 Jan 2019 13:30:47 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by myzimbraserver.mydomain.com (Postfix) with ESMTP id 8C8AD4E2432
	for <myaddress@mydomain.com>; Thu, 31 Jan 2019 13:30:47 +0100 (CET)
X-Spam-Flag: YES
X-Spam-Score: 8.111
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.111 required=4 tests=[ALL_TRUSTED=-1,
	DKIM_SIGNED=0.1, DMARC_FAIL_REJECT=9, HTML_MESSAGE=0.001,
	T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: myzimbraserver.mydomain.com (amavisd-new); dkim=fail (1024-bit key)
	reason="fail (body has been altered)"
	header.d=customerdomain.com
Received: from myzimbraserver.mydomain.com ([127.0.0.1])
	by localhost (myzimbraserver.mydomain.com [127.0.0.1]) (amavisd-new, port 10032)
	with ESMTP id jA1j8LALkavH for <myaddress@mydomain.com>;
	Thu, 31 Jan 2019 13:30:45 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by myzimbraserver.mydomain.com (Postfix) with ESMTP id 2B16C4E2521
	for <myaddress@mydomain.com>; Thu, 31 Jan 2019 13:30:45 +0100 (CET)
X-Virus-Scanned: amavisd-new at mydomain.com
Received: from myzimbraserver.mydomain.com ([127.0.0.1])
	by localhost (myzimbraserver.mydomain.com [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id D2sZ7s0OkAM0 for <myaddress@mydomain.com>;
	Thu, 31 Jan 2019 13:30:44 +0100 (CET)
Received: from mydmzmailserver.example.com (mydmzmailserver.example.com [234.234.234.234])
	by myzimbraserver.mydomain.com (Postfix) with ESMTPS id D8E954E2432
	for <myaddress@mydomain.com>; Thu, 31 Jan 2019 13:30:44 +0100 (CET)
Received: from [172.16.191.101] (unknown [193.124.78.213])
	by mydmzmailserver.example.com (Postfix) with ESMTPSA id 4E79DA009A
	for <myaddress@mydomain.com>; Thu, 31 Jan 2019 13:30:42 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=customerdomain.com; s=2018120901; t=1548937842;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=tie8EqLUo34K3JQ2nNi3LSIoHzS8XXj9gmhotTB7j+A=;
	b=fNSjIH5FX00i+eF1AWIP3NIldw8SPdB0InWniglMpYKguAWJHEBA5V0SrQslttSdZ9VJHq
	5cZjJ3Yl0Dggxi6qV1V9XL/qZoHxH4z2UYn9+FUr1907uI4hqu26NtBvdu9lORpUfIf/1L
	gDVSbuceIxMwOmuyVEfWojVUFYlF77o=
Subject: ***SPAM***Re: MYSUBJECT
To: "My Name" <myaddress@mydomain.com>
References: <1848167268.153.1548089646185.JavaMail.zimbra@mydomain.com>
 <f6d80334-c320-55a6-b947-94cbc77e8a53@customerdomain.com>
 <140732545.233.1548108981148.JavaMail.zimbra@mydomain.com>
 <ac7a383d-caf5-745d-8d4f-689f22f30c26@customerdomain.com>
 <692566585.351.1548162073813.JavaMail.zimbra@mydomain.com>
 <bb30d0b5-ee2c-1c4d-2c95-3b662475887d@customerdomain.com>
 <230009407.564.1548877935412.JavaMail.zimbra@mydomain.com>
From: "Name" <customer@customerdomain.com>
Message-ID: <2d6c6e41-538f-f8e0-e25e-f460f6be5487@customerdomain.com>
Disposition-Notification-To: "Name" <customer@customerdomain.com>
Date: Thu, 31 Jan 2019 13:30:40 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <230009407.564.1548877935412.JavaMail.zimbra@mydomain.com>
Content-Type: multipart/alternative;
 boundary="------------308496321BC6FE8A7C24B94A"

This is a multi-part message in MIME format.
--------------308496321BC6FE8A7C24B94A
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

--------------308496321BC6FE8A7C24B94A--

Really hoping we can do something about it. ;)

Michael

Re: [v8.8.11_GA_FOSS] Problem with DMARC_FAIL_REJECT from different mailserver in own DMZ

Posted: Fri Feb 01, 2019 8:40 am
by DualBoot
Hello,

seems to be the DKIM :
dkim=fail (1024-bit key)

Regards,

Re: [v8.8.11_GA_FOSS] Problem with DMARC_FAIL_REJECT from different mailserver in own DMZ

Posted: Tue Feb 12, 2019 1:38 pm
by zcs8user
Hi,

thank you for answering.
I am afraid I don't get the point. What do you mean?

Michael

Re: [v8.8.11_GA_FOSS] Problem with DMARC_FAIL_REJECT from different mailserver in own DMZ

Posted: Wed Feb 13, 2019 7:22 pm
by luca_2186
in the header of your email i read

Code: Select all

Authentication-Results: myzimbraserver.mydomain.com (amavisd-new); dkim=fail (1024-bit key)
   reason="fail (body has been altered)"
This mean that the content of the email has been altered after the dkim signing

The headers of the mail that are signed are reported in the header itself in the dkim signature h value:

Code: Select all

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
   d=customerdomain.com; s=2018120901; t=1548937842;
   h=from:from:sender:reply-to:subject:subject:date:date:
    message-id:message-id:to:to:cc:mime-version:mime-version:
    content-type:content-type:content-transfer-encoding:
    in-reply-to:in-reply-to:references:references;
This not necessarily means that the hader has been altered, it may also be cause by a wrong configuration of open dkim (for example when there are some OversignHeaders that are not present in SignHeaders) but I don't know what is your case

Re: [v8.8.11_GA_FOSS] Problem with DMARC_FAIL_REJECT from different mailserver in own DMZ

Posted: Fri Feb 15, 2019 8:39 am
by zcs8user
Hello,
luca_2186 wrote:This not necessarily means that the hader has been altered, it may also be cause by a wrong configuration of open dkim (for example when there are some OversignHeaders that are not present in SignHeaders) but I don't know what is your case
a little bit of research later I found out that it could be my sending Ubuntu 18.04 mail server.
DKIM_FAIL_REJECT does not occur if a mail originated from a users mail address on my Ubuntu 18.04 mail server.
It occurs when I reply to that mail with Zimbra Ubuntu 16.04 and then, on the next reply from the users address on Ubu 18.04 server something weird is happening with character translation.

Code: Select all

Content-Type: multipart/alternative;
 boundary="------------907A441A827236CB1EEF6B43"

This is a multi-part message in MIME format.
--------------907A441A827236CB1EEF6B43
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

[...]
w=C3=BC
[...]
Could it be that the sending Ubu 18.04 can do that? Is it allowed to alter the mails body and change encodings?
Above example shows the german Umlaut "ΓΌ" has been changed.

I hope somebody has an idea on what could be going on here.
Any hints are appreciated.

Michael

Re: [v8.8.11_GA_FOSS] Problem with DMARC_FAIL_REJECT from different mailserver in own DMZ

Posted: Fri Feb 15, 2019 10:07 am
by luca_2186
The string C3=BC is the correct quted-printable encoding for the umlaut.
I see thet the final reply is from the server mydmzmailserver.example.com to the server myzimbraserver.mydomain.com so the problem should be on mydmzmailserver.example.com
Since a reply to a messagge should be the same thing of writing a new email I think you should have a dkim fail also when you write new email.
Can you check this and post here the headers of the mail using the same sender and recipient anddress of the original test?

Re: [v8.8.11_GA_FOSS] Problem with DMARC_FAIL_REJECT from different mailserver in own DMZ

Posted: Fri Feb 15, 2019 11:23 am
by luca_2186
You should also remove all OversignHeaders from opendkim configurarion and than make som test.
For example I see that you have signed the header reply-to but this header is not present in the email. Since reply-to is present only one time in the dkim h tag I suspect (but I'm not sure) that it is present only in OversignHeaders and not in SignHeaders and this is a problem.
For more info about opendkim configuration: http://opendkim.org/opendkim.conf.5.html
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited