[exim] dmarc_history_file - incomplete data logged for spf a…

Author: Mackenzie via Exim-users
Date:  
To: exim-users
Subject: [exim] dmarc_history_file - incomplete data logged for spf and dkim
Hi there,

Hoping someone can help me get to the bottom of this one. I'm in the process of configuring Exim to process inbound DMARC validation and hope to configure DMARC reporting using the Exim DMARC history file in combination with OpenDmarc.

Exim is validating SPF/DKIM and DMARC as expected in inbound email (well, as far as I can tell), however for some reason our DMARC history file isn't being populated with complete authentication results. Below is an example DMARC history log entry for message 1q6haa-00FZGj-13. As you can see, Exim hasn't populated the SPF and DKIM authentication results:

job 1q6haa-00FZGj-13
reporter test.hostname.com.au
received 1686099833
ipaddr 209.85.210.41
from gmail.com
mfrom gmail.com
spf 0
dkim gmail.com 0
pdomain gmail.com
policy 15
rua mailto:mailauth-reports@google.com
pct 100
adkim 114
aspf 114
p 110
sp 113
align_dkim 4
align_spf 4
action 2

Here is the main.log entry for the delivery 1q6haa-00FZGj-13:

2023-06-07 11:03:52.180 [3710497] SPF validation passed
2023-06-07 11:03:52.522 [3710497] 1q6haa-00FZGj-13 DKIM validation passed
2023-06-07 11:03:52.522 [3710497] 1q6haa-00FZGj-13 DKIM: d=gmail.com s=20221208 c=relaxed/relaxed a=rsa-sha256 b=2048 t=1686099829 x=1688691829 [verification succeeded]
2023-06-07 11:03:53.120 [3710497] 1q6haa-00FZGj-13 H=mail-ot1-f41.google.com [209.85.210.41]:57397 I=[103.209.24.57]:25 Warning: "SpamAssassin as sslreservedsite detected message as NOT spam (-0.2)"
2023-06-07 11:03:53.122 [3710497] 1q6haa-00FZGj-13 DMARC results: spf_domain=gmail.com dmarc_domain=gmail.com spf_align=yes dkim_align=yes enforcement='Accept'
2023-06-07 11:03:53.125 [3710497] 1q6haa-00FZGj-13 H=mail-ot1-f41.google.com [209.85.210.41]:57397 I=[103.209.24.57]:25 Warning: DMARC STATUS: accept gmail.com
2023-06-07 11:03:53.137 [3710497] 1q6haa-00FZGj-13 <= mackenzie@??? H=mail-ot1-f41.google.com [209.85.210.41]:57397 I=[103.209.24.57]:25 P=esmtps L.- X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no SNI=mail.testdomain.com S=4762 M8S=0 DKIM=gmail.com RT=0.193s id=CAD2o6GwSZLrehVOiQDzw7PB9Z1jZsH9RjT=MmYfS31Xj-nmWWg@??? T="test" from <mackenzie@???> for mackenzie@???
2023-06-07 11:03:53.162 [3710506] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1q6haa-00FZGj-13
2023-06-07 11:03:53.342 [3710506] 1q6haa-00FZGj-13 => mackenzie <mackenzie@???> F=<mackenzie@???> P=<mackenzie@???> R=virtual_user T=dovecot_virtual_delivery S=4986 C="250 2.0.0 <mackenzie@???> LJHTEHnXf2QunjgAK/qN0w Saved" QT=0.822s DT=0.083s
2023-06-07 11:03:53.343 [3710506] 1q6haa-00FZGj-13 Completed QT=1.016s

Relevant mail headers:

X-DKIM: DKIM validation passed: (address=mackenzie@??? domain=gmail.com), signature is good
Received-SPF: pass (test.hostname.com.au: domain of gmail.com designates 209.85.210.41 as permitted sender) client-ip=209.85.210.41; envelope-from=mackenzie@???; helo=mail-ot1-f41.google.com;

Authentication-Results: test.hostname.com.au;
        iprev=pass (mail-ot1-f41.google.com) smtp.remote-ip=209.85.210.41;
        spf=pass smtp.mailfrom=gmail.com;
        dkim=pass header.d=gmail.com header.s=20221208 header.a=rsa-sha256;
        dmarc=pass header.from=gmail.com


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20221208; t=1686099829; x=1688691829;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=bSHuoI85Pm9RxcaYBalhLZ/eEUMmxQvUFo5ZMye14lQ=;
        b=Z+XJpdyQKNQeLkIFbFuKVq53sq3X0gzmrukK+LoU1JWuXHiQCcC0Wz3GJJxSo26cBJ
         bB/iQxu4zodOA6zXBacsEucHuYez+gt1aGj9jq9kiwtS9Ny0tTiXqF2zFAubf64gxGDl
         mH4EsIdlRNnY3uR6x/+ct/OywqlpfaCGD06QBnqmmnV1jPlCEnvp7OyL8RIb51pnwbQj
         cUswDRh9lVzps6GgcFItkj3sdInD2T7jp4JOHLREHJQlfeyYt1vZ6yraE3x4cZO/ltOx
         Nhmg0bo6tvBgC7q2TLejud3ZK/1DKAgs0iu2H+xGEsQsdD2MFm3GTqBzt8AH5cmeH5/z
         aD8A==


Received-SPF: pass (test.hostname.com.au: domain of gmail.com designates 209.85.210.41 as permitted sender) client-ip=209.85.210.41; envelope-from=mackenzie@???; helo=mail-ot1-f41.google.com;

Exim version details:

Exim version 4.96 #2 built 22-Nov-2022 14:41:01
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL TLS_resume Content_Scanning DANE DKIM DMARC DNSSEC Event OCSP PIPECONNECT PRDR PROXY Queue_Ramp SOCKS SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 nisplus passwd sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
2023-06-07 10:49:23.444 [3709262] cwd=/etc/mail/spamassassin 2 args: exim -bV
Configuration file is /etc/exim/exim.conf

In exim.conf we have the following relevant configurations (I've listed these in no particular order):

Main options

dmarc_tld_file = /usr/share/publicsuffix/public_suffix_list.dat
dmarc_history_file = /var/spool/exim/opendmarc.dat
dmarc_forensic_sender = noreply-dmarc@???

acl_smtp_data:

  warn
    dmarc_status         = accept : none : off
    !authenticated       = *
    log_message          = DMARC STATUS: $dmarc_status $dmarc_used_domain


  warn
    dmarc_status         = !accept
    !authenticated       = *
    log_message          = DMARC STATUS: '$dmarc_status' for $dmarc_used_domain


  warn
    dmarc_status         = quarantine
    !authenticated       = *
    set acl_m_quarantine = 1


  deny
    dmarc_status         = reject
    !authenticated       = *
    message              = Message from $dmarc_used_domain failed sender's DMARC policy, REJECT


  warn
    add_header           = :at_start:${authresults {$primary_hostname}}


acl_smtp_dkim:

acl_smtp_dkim:
  deny dkim_status = fail
    message = DKIM validation failed: $dkim_verify_status
    log_message = DKIM validation failed: $dkim_verify_status \
                 (address=$sender_address, domain=$dkim_cur_signer), \
                 signature is bad
  defer dkim_status = invalid
    message = DKIM signature invalid: $dkim_verify_status
    log_message = DKIM signature invalid: $dkim_verify_status \
                  (address=$sender_address, domain=$dkim_cur_signer), \
                  invalid signature


  accept
    # Add an X-DKIM header to the message
    add_header = :at_start: X-DKIM: DKIM validation passed: \
                 (address=$sender_address domain=$dkim_cur_signer), \
                 signature is good
    logwrite = DKIM validation passed


acl_smtp_rcpt:

  accept hosts = :
    control = dkim_disable_verify
    control = dmarc_disable_verify
  accept hosts = +relay_from_hosts
    control = submission
    control = dkim_disable_verify
    control = dmarc_disable_verify
  accept authenticated = *
    control = submission
    control = dkim_disable_verify
    control = dmarc_disable_verify


acl_smtp_mail:

    # SPF validation
    deny spf = fail : softfail
            message = SPF validation failed: \
                    $sender_host_address is not allowed to send mail from \
                    ${if def:sender_address_domain \
                        {$sender_address_domain}{$sender_helo_name}}
            log_message =  SPF validation failed\
                    ${if eq{$spf_result}{softfail} { (softfail)}{}}: \
                    $sender_host_address is not allowed to send mail from \
                    ${if def:sender_address_domain \
                        {$sender_address_domain}{$sender_helo_name}}
    deny spf = permerror
            message = SPF validation failed: \
                    syntax error in SPF record(s) for \
                    ${if def:sender_address_domain \
                        {$sender_address_domain}{$sender_helo_name}}
            log_message = SPF validation failed (permerror): \
                    syntax error in SPF record(s) for \
                    ${if def:sender_address_domain \
                        {$sender_address_domain}{$sender_helo_name}}
    defer spf = temperror
            message = temporary error during SPF validation; \
                    please try again later
            log_message = SPF validation failed temporary; deferred


    # Log SPF none/neutral result
    warn spf = none : neutral
            log_message = SPF validation none/neutral


    accept
            # Add an SPF-Received header to the message
            add_header = :at_start: $spf_received
            logwrite = SPF validation passed


From my understanding, Exim's dmarc_history_file provides all data required to generate DMARC reports using OpenDmarc; however, the data logged by Exim in my example is not enough information for DMARC report generation, so I suspect the issue is within my Exim configuration, although I'm at a complete loss as to where this configuration is incomplete or inaccurate. What am I missing here? Please help!

All the best,
Mackenzie
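
An added example, not part of the original post and not code from Exim or OpenDMARC: a decoder for one dmarc_history_file record, run on the record quoted above, showing how its numeric fields map to named results. The code tables are an assumption taken from OpenDMARC's opendmarc-ar.h and dmarc.h; check them against the headers of the version you run. The names decode_record, SAMPLE and the table names are hypothetical.

```python
# Added example: decode one Exim dmarc_history_file record into readable values.
# ASSUMPTION: the code tables mirror OpenDMARC's opendmarc-ar.h and dmarc.h.
ARES = {-1: "undefined", 0: "pass", 2: "softfail", 3: "neutral", 4: "temperror",
        5: "permerror", 6: "none", 7: "fail", 8: "policy"}
POLICY = {14: "absent", 15: "pass", 16: "reject", 17: "quarantine", 18: "none"}
ALIGN = {4: "pass", 5: "fail"}
ACTION = {0: "reject", 1: "discard", 2: "accept", 3: "tempfail", 4: "quarantine"}
TABLES = {"spf": ARES, "policy": POLICY, "align_dkim": ALIGN,
          "align_spf": ALIGN, "action": ACTION}
# adkim/aspf/p/sp hold the ASCII code of the tag value's first letter (114 = 'r').
MODE = {"r": "relaxed", "s": "strict"}
REQ = {"n": "none", "q": "quarantine", "r": "reject"}
LETTERS = {"adkim": MODE, "aspf": MODE, "p": REQ, "sp": REQ}

# The record quoted in the post, one "key value" pair per line.
SAMPLE = "\n".join([
    "job 1q6haa-00FZGj-13", "reporter test.hostname.com.au", "received 1686099833",
    "ipaddr 209.85.210.41", "from gmail.com", "mfrom gmail.com", "spf 0",
    "dkim gmail.com 0", "pdomain gmail.com", "policy 15",
    "rua mailto:mailauth-reports@google.com", "pct 100", "adkim 114", "aspf 114",
    "p 110", "sp 113", "align_dkim 4", "align_spf 4", "action 2",
])

def _decode(table, raw, conv=int):
    """Map a raw field to its name; unknown or malformed values are kept visible."""
    try:
        return table.get(conv(raw), f"unknown({raw})")
    except (ValueError, OverflowError):
        return f"unknown({raw})"

def decode_record(text):
    """Return field -> decoded value; 'dkim' is a list of (domain, result)."""
    out = {"dkim": []}
    for line in text.splitlines():
        key, _, rest = line.strip().partition(" ")
        vals = rest.split()
        if not vals:
            continue
        if key == "dkim":  # "dkim <domain> ... <result>", one line per signature
            out["dkim"].append((vals[0], _decode(ARES, vals[-1])))
        elif key in TABLES:
            out[key] = _decode(TABLES[key], vals[0])
        elif key in LETTERS:
            out[key] = _decode(LETTERS[key], vals[0], lambda s: chr(int(s)))
        else:
            out[key] = rest  # job, reporter, ipaddr, from, rua, pct, ...
    return out

if __name__ == "__main__":
    for field, value in decode_record(SAMPLE).items():
        print(f"{field:11} {value}")
```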
