Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DMARC settings seemingly not working as described in documentation #783

Closed
laerm opened this issue Nov 6, 2019 · 10 comments · Fixed by #805
Closed

DMARC settings seemingly not working as described in documentation #783

laerm opened this issue Nov 6, 2019 · 10 comments · Fixed by #805
Labels
bug ready A PR is waiting to be merged. Close to be solved
Milestone
6.2.50

Comments

@laerm
Copy link

laerm commented Nov 6, 2019
edited
Loading

Version

6.2.48 on RHEL 7.6

Installation method

Via http://Sympa-JA.org/ repo

Expected behavior

According to the documentation here: https://sympa-community.github.io/manual/customize/dmarc-protection.html, setting dmarc_protection_mode dmarc_reject should:

  1. their DKIM and DomainKey signatures will be removed

  2. the From: field will be changed to a value you will set in the dmarc_protection_other_email parameter. You can define a value for this email or leave it blank. If so, the list email address will be set instead of the original sender address.

  3. previous value of the From: header field is saved in an X-Original-From: header field for later inspection

  4. previous value of the DKIM signature is saved in X-Original-DKIM-Signature: field for later inspection.

For emails from domains whose policy is to reject any mail not respecting its DMARC policy.

My sympa.conf configuration contains the following lines:
dmarc_protection_mode dmarc_reject
dmarc_protection_phrase name_via_list

Actual behavior

From: header no longer modified to be mailing list email, like point 2 above specifies (I've tested with a yahoo.com email for example), no X-Original-From: or X-Original-DKIM-Signature headers added. Emails sent from domains whose policy is to reject any mail not respecting its DMARC policy are being rejected.

Additional information

This seems to be a recent change, since 6.2.44 to 6.2.48 possibly.

Thanks for looking into it!
@ikedas
Copy link
Member

ikedas commented Nov 9, 2019

Hi @laerm,

Could you please show us the setting related to DKIM/DMARC/ARC of the list you checked?

@ikedas ikedas added the question label Nov 9, 2019
@laerm
Copy link
Author

laerm commented Nov 9, 2019

Hi @ikedas

The settings of both lists I tested are identical. No DKIM setting, No ARC setting, and for DMARC they are set to dmarc_reject and name_via_list.

@laerm
Copy link
Author

laerm commented Nov 13, 2019

I've tried changing the DMARC setting to dmarc_signature, or dmarc_any and same thing, the from is not rewritten.

@pkissman
Copy link

Hi @ikedas and @laerm ,

I updated from 6.2.44 via 6.2.46 to 6.2.48 a couple of weeks ago and now am seeing similar behavior. Emails originating from yahoo or aol are being bounced for gmail, comcast, verizon, recipients. I have made no changes to my config files or my lists.

It appears that the from address is not being rewritten at all, just the sender address.
I install from source on Debian squeeze.

@Philippe34
Copy link

Hi,

My sympa version : 6.2.44
I had configured sympa with DKIM and arc, but not the dmarc protection.
In this configuration, a Yahoo subscriber who was sending an email did not receive his posted message. The other subscribers, yes.

Now, as suggested by laerm, I added in sympa.conf : dmarc_protection_mode dmarc_reject
I did not know before dmarc protection.
Now for me, it works very well with yahoo subscriber. He can receive the message he sent to the list !

I can see the added headers :
X-Original-DMARC-Record: domain=yahoo.com; _dmarc.yahoo.com. 1800 IN TXT "v=DMARC1; p=reject; pct=100; r....
X-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1573749286; b...
X-Original-From: PX PX pX.pX@yahoo.com

If it helps ...

@pkissman
Copy link

@ikedas and @laerm ,

I eventually changed my dmarc protection "mode" selection from "dmarc_reject" to "all" And that seems to have solved my immediate problem with mail being rejected from major providers such as gmail, comcast and yahoo.

However, I want to reiterate that there definitely has been a change in behavior between 6.2.44 and 6.2.48 if dmarc configuration settings have not been touched.

6.2.44 was fine for me with a mode of dmarc_reject and 6.2.48 was not.

@ikedas ikedas mentioned this issue Nov 21, 2019
Merged
@ikedas ikedas added bug ready A PR is waiting to be merged. Close to be solved and removed question labels Nov 21, 2019
@ikedas
Copy link
Member

ikedas commented Nov 21, 2019

Hi @pkissman, could you please apply this patch and check if the problem with "dmarc_reject" mode will be solved?

@ikedas ikedas added this to the 6.2.50 milestone Nov 21, 2019
@laerm
Copy link
Author

laerm commented Nov 21, 2019

Hello @ikedas ,

The patch has fixed the issue for me. I'll let @pkissman confirm! Thank you again for your work!

@pkissman
Copy link

Hi @ikedas and @laerm ,

Yes! The patch worked for me as well. Thanks for sorting this out.

@ikedas
Copy link
Member

ikedas commented Nov 22, 2019

Thanks @laerm and @pkissman for confirming fixes! I'll merge it with additional changes.

Thanks again for improving Sympa!

ikedas added a commit that referenced this issue Nov 22, 2019
@ikedas
Merge pull request #805 from ikedas/issue-783 by ikedas
7567766 
Fixing #783
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug ready A PR is waiting to be merged. Close to be solved
Projects
None yet
Milestone
6.2.50
Development

Successfully merging a pull request may close this issue.

Fixing #783 ikedas/sympa
4 participants
@laerm @ikedas @Philippe34 @pkissman