Hi therem
Hoping someone can help me get to the bottom of this one. I'm in the process of configuring Exim to process inbound DMARC validation and hope to configure DMARC reporting using the Exim DMARC history file in combination with OpenDmarc.
Exim is validating SPF/DKIM and DMARC as expected in inbound email (well as far as I can tell), however for some reason our DMARC history file isn't being populated with complete authentication results. Below is a example DMARC history log entry for message 1q6haa-00FZGj-13, as you can see Exim hasn't populated the SPF and DKIM authentication results:
job 1q6haa-00FZGj-13
reporter test.hostname.com.au
received 1686099833
ipaddr 209.85.210.41
from gmail.com
mfrom gmail.com
spf 0
dkim gmail.com 0
pdomain gmail.com
policy 15
rua
mailto:mailauth-reports@google.com
pct 100
adkim 114
aspf 114
p 110
sp 113
align_dkim 4
align_spf 4
action 2
Here is the main.log entry for the delivery 1q6haa-00FZGj-13:
2023-06-07 11:03:52.180 [3710497] SPF validation passed
2023-06-07 11:03:52.522 [3710497] 1q6haa-00FZGj-13 DKIM validation passed
2023-06-07 11:03:52.522 [3710497] 1q6haa-00FZGj-13 DKIM: d=gmail.com s=20221208 c=relaxed/relaxed a=rsa-sha256 b=2048 t=1686099829 x=1688691829 [verification succeeded]
2023-06-07 11:03:53.120 [3710497] 1q6haa-00FZGj-13 H=mail-ot1-f41.google.com [209.85.210.41]:57397 I=[103.209.24.57]:25 Warning: "SpamAssassin as sslreservedsite detected message as NOT spam (-0.2)"
2023-06-07 11:03:53.122 [3710497] 1q6haa-00FZGj-13 DMARC results: spf_domain=gmail.com dmarc_domain=gmail.com spf_align=yes dkim_align=yes enforcement='Accept'
2023-06-07 11:03:53.125 [3710497] 1q6haa-00FZGj-13 H=mail-ot1-f41.google.com [209.85.210.41]:57397 I=[103.209.24.57]:25 Warning: DMARC STATUS: accept gmail.com
2023-06-07 11:03:53.137 [3710497] 1q6haa-00FZGj-13 <= mackenzie@??? H=mail-ot1-f41.google.com [209.85.210.41]:57397 I=[103.209.24.57]:25 P=esmtps L.- X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no SNI=mail.testdomain.com S=4762 M8S=0 DKIM=gmail.com RT=0.193s id=CAD2o6GwSZLrehVOiQDzw7PB9Z1jZsH9RjT=MmYfS31Xj-nmWWg@??? T="test" from <mackenzie@???> for mackenzie@???
2023-06-07 11:03:53.162 [3710506] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1q6haa-00FZGj-13
2023-06-07 11:03:53.342 [3710506] 1q6haa-00FZGj-13 => mackenzie <mackenzie@???> F=<mackenzie@???> P=<mackenzie@???> R=virtual_user T=dovecot_virtual_delivery S=4986 C="250 2.0.0 <mackenzie@???> LJHTEHnXf2QunjgAK/qN0w Saved" QT=0.822s DT=0.083s
2023-06-07 11:03:53.343 [3710506] 1q6haa-00FZGj-13 Completed QT=1.016s
Relevant mail headers:
X-DKIM: DKIM validation passed: (address=mackenzie@??? domain=gmail.com), signature is good
Received-SPF: pass (test.hostname.com.au: domain of gmail.com designates 209.85.210.41 as permitted sender) client-ip=209.85.210.41; envelope-from=mackenzie@???; helo=mail-ot1-f41.google.com;
Authentication-Results: test.hostname.com.au;
iprev=pass (mail-ot1-f41.google.com) smtp.remote-ip=209.85.210.41;
spf=pass smtp.mailfrom=gmail.com;
dkim=pass header.d=gmail.com header.s=20221208 header.a=rsa-sha256;
dmarc=pass header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20221208; t=1686099829; x=1688691829;
h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
:date:message-id:reply-to;
bh=bSHuoI85Pm9RxcaYBalhLZ/eEUMmxQvUFo5ZMye14lQ=;
b=Z+XJpdyQKNQeLkIFbFuKVq53sq3X0gzmrukK+LoU1JWuXHiQCcC0Wz3GJJxSo26cBJ
bB/iQxu4zodOA6zXBacsEucHuYez+gt1aGj9jq9kiwtS9Ny0tTiXqF2zFAubf64gxGDl
mH4EsIdlRNnY3uR6x/+ct/OywqlpfaCGD06QBnqmmnV1jPlCEnvp7OyL8RIb51pnwbQj
cUswDRh9lVzps6GgcFItkj3sdInD2T7jp4JOHLREHJQlfeyYt1vZ6yraE3x4cZO/ltOx
Nhmg0bo6tvBgC7q2TLejud3ZK/1DKAgs0iu2H+xGEsQsdD2MFm3GTqBzt8AH5cmeH5/z
aD8A==
Received-SPF: pass (test.hostname.com.au: domain of gmail.com designates 209.85.210.41 as permitted sender) client-ip=209.85.210.41; envelope-from=mackenzie@???; helo=mail-ot1-f41.google.com;
Exim version details:
Exim version 4.96 #2 built 22-Nov-2022 14:41:01
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL TLS_resume Content_Scanning DANE DKIM DMARC DNSSEC Event OCSP PIPECONNECT PRDR PROXY Queue_Ramp SOCKS SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 nisplus passwd sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
2023-06-07 10:49:23.444 [3709262] cwd=/etc/mail/spamassassin 2 args: exim -bV
Configuration file is /etc/exim/exim.conf
In exim.conf we have the following relevant configurations (I've listed these in no particular order):
Main options
dmarc_tld_file = /usr/share/publicsuffix/public_suffix_list.dat
dmarc_history_file = /var/spool/exim/opendmarc.dat
dmarc_forensic_sender = noreply-dmarc@???
acl_smtp_data:
warn
dmarc_status = accept : none : off
!authenticated = *
log_message = DMARC STATUS: $dmarc_status $dmarc_used_domain
warn
dmarc_status = !accept
!authenticated = *
log_message = DMARC STATUS: '$dmarc_status' for $dmarc_used_domain
warn
dmarc_status = quarantine
!authenticated = *
set acl_m_quarantine = 1
deny
dmarc_status = reject
!authenticated = *
message = Message from $dmarc_used_domain failed sender's DMARC policy, REJECT
warn
add_header = :at_start:${authresults {$primary_hostname}}
acl_smtp_dkim:
acl_smtp_dkim:
deny dkim_status = fail
message = DKIM validation failed: $dkim_verify_status
log_message = DKIM validation failed: $dkim_verify_status \
(address=$sender_address, domain=$dkim_cur_signer), \
signature is bad
defer dkim_status = invalid
message = DKIM signature invalid: $dkim_verify_status
log_message = DKIM signature invalid: $dkim_verify_status \
(address=$sender_address, domain=$dkim_cur_signer), \
invalid signature
accept
# Add an X-DKIM header to the message
add_header = :at_start: X-DKIM: DKIM validation passed: \
(address=$sender_address domain=$dkim_cur_signer), \
signature is good
logwrite = DKIM validation passed
acl_smtp_rcpt:
accept hosts = :
control = dkim_disable_verify
control = dmarc_disable_verify
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
control = dmarc_disable_verify
accept authenticated = *
control = submission
control = dkim_disable_verify
control = dmarc_disable_verify
acl_smtp_mail:
# SPF validation
deny spf = fail : softfail
message = SPF validation failed: \
$sender_host_address is not allowed to send mail from \
${if def:sender_address_domain \
{$sender_address_domain}{$sender_helo_name}}
log_message = SPF validation failed\
${if eq{$spf_result}{softfail} { (softfail)}{}}: \
$sender_host_address is not allowed to send mail from \
${if def:sender_address_domain \
{$sender_address_domain}{$sender_helo_name}}
deny spf = permerror
message = SPF validation failed: \
syntax error in SPF record(s) for \
${if def:sender_address_domain \
{$sender_address_domain}{$sender_helo_name}}
log_message = SPF validation failed (permerror): \
syntax error in SPF record(s) for \
${if def:sender_address_domain \
{$sender_address_domain}{$sender_helo_name}}
defer spf = temperror
message = temporary error during SPF validation; \
please try again later
log_message = SPF validation failed temporary; deferred
# Log SPF none/neutral result
warn spf = none : neutral
log_message = SPF validation none/neutral
accept
# Add an SPF-Received header to the message
add_header = :at_start: $spf_received
logwrite = SPF validation passed
From my understanding Exim's dmarc_history_file provides all data required to generate DMARC reports using OpenDmarc however the data logged by Exim in my example is not enough information for DMARC report generation, so I suspect the issue is within my Exim configuration although I'm at a complete loss to where this configuration is incomplete or inaccurate. What am I missing here? Please help!
All the best,
Mackenzie
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
