Re: [exim] Help sought with fairly complex DKIM set up and F…

Author: Todd Lyons
Date:  
To: Michael J. Tubby B.Sc. MBCS G8TIC
CC: Exim User List
Subject: Re: [exim] Help sought with fairly complex DKIM set up and Facebook
On Thu, Feb 27, 2014 at 11:34 PM, Michael J. Tubby B.Sc. MBCS G8TIC
<mike.tubby@???> wrote:
> Todd,
>
> That's interesting, but my users are complaining that they get no
> facebook notifications and facebook keeps telling my that my own email
> address is invalid:
>
>     http://www.tubby.org/facebook/broken_email.png
>
> presumably because I am rejecting them, i.e. rejecting real facebook
> email rather than bogus ones... this would suggest that facebook is broken?


Considering so many mail servers send you mail that does verify, and
Facebook's mail does not verify, it does seem the problem lies at
interoperability between FB and you. I will point out though, that I
run the same version you do and I properly verify >99% of the email
sent out by FB. Are you behind any kind of filtering firewall or
proxy?

>>> And the killer one... Facebook... they are in my "known signers" but
>>> appear to be broken:
>>>
>>> 2014-02-27 10:30:16 MAIL: SPF Result=pass (facebookmail.com /
>>> outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
>>> 2014-02-27 10:30:16 MAIL: Accept from:
>>> notification+kjdmd_m7uvpd@??? host:
>>> outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150]
>>> 2014-02-27 10:30:16 RCPT: SPF Result2=pass (facebookmail.com /
>>> outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
>>> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM: d=facebookmail.com
>>> s=s1024-2013-q3 c=relaxed/simple a=rsa-sha256 t=1393497014 [verification
>>> failed - signature did not verify (headers probably modified in transit)]
>>> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM START: domain=facebookmail.com
>>> possible_signer=facebookmail.com status=fail (reason=signature_incorrect)
>>> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM DENY: Rejected
>>> facebookmail.com is known signer (in database) but has invalid/missing
>>> signature
>>> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw H=outmail016.ash2.facebook.com
>>> (mx-out.facebook.com) [66.220.155.150] rejected DKIM : Message from
>>> facebookmail.com (known signer) with invalid or missing signature


I realized I didn't address your specific questions with my post yesterday.

>>> * is there anything wrong with my design or implementation?


No, it looks sound to me.

>>> * are there any suggestions for improvements?


You may want to consider implementing DANE, which combines SPF and
DKIM, passing if either SPF or DKIM passes. Your logging clearly indicates
that the SPF is passing, so those emails would be accepted based on
DANE instead of rejected based on DKIM.

>>> * specifically in the case of facebookmail.com do I have something broken
>>> or is it them?


I don't think it's you, but need to know if the connection is direct
or if it's getting relayed/proxied/filtered in some way before it hits
your server.

I don't think it's related, but do you use openssl or gnutls?

>>> * do I really need to whitelist facebook as a broken DKIM sender to get
>>> their mail in?


I think DANE could be the ultimate solution to your problem.

But having said that, it would be best to figure out WHY a specific
sender is failing. Temporarily change the deny to a warn and save a
few of those messages. If you could send one or more of those
messages (full, raw, unedited message is required) so we can run it
through the code in debug mode and see what's failing, that would be
great. Feel free to send the complete message to me offlist, and I
will dig through it.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
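The "change the deny to a warn" step above, written out as an Exim configuration fragment. This is an added example, not configuration from the thread or from the Exim project; it assumes facebookmail.com is the only known signer being debugged and that the ACL is named acl_check_dkim (both are placeholders to adapt).

```exim
# Main configuration section.
# Check every domain that signed the message, and always also evaluate the
# known signer, so that a message with NO signature from it still reaches
# the ACL with dkim_status = none instead of being silently skipped.
dkim_verify_signers = $dkim_signers : facebookmail.com

# Run acl_check_dkim once per entry in dkim_verify_signers.
acl_smtp_dkim = acl_check_dkim

begin acl

acl_check_dkim:
  # Known signers whose mail must carry a valid signature.
  # While the failure is being diagnosed this is "warn": the message is
  # logged and tagged but still delivered, so raw copies can be collected
  # from user mailboxes for offline analysis.  Change "warn" back to "deny"
  # once the cause is understood.
  warn
    dkim_signers = facebookmail.com
    dkim_status  = none : invalid : fail
    # Tag the message so the failing copies are easy to find and export.
    add_header   = X-DKIM-Debug: d=$dkim_cur_signer \
                   status=$dkim_verify_status reason=$dkim_verify_reason
    # Mirror the old reject message in the main log (same fields as before).
    log_message  = DKIM $dkim_verify_status for known signer \
                   $dkim_cur_signer ($dkim_verify_reason) - accepted for analysis

  # Everything else (passes, and unknown signers) continues as before.
  accept
```

The main-log line and the X-DKIM-Debug header carry the same status and reason values as the original rejection log, so the saved messages can be matched against the log entries when sending them off for a debug run.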