Skip to content

fix: order of DKIM/DMARC milters matters#3082

Merged
georglauterbach merged 2 commits intodocker-mailserver:masterfrom
casperklein:fix-3078
Feb 12, 2023
Merged

fix: order of DKIM/DMARC milters matters#3082
georglauterbach merged 2 commits intodocker-mailserver:masterfrom
casperklein:fix-3078

Conversation

@casperklein
Copy link
Copy Markdown
Member

@casperklein casperklein commented Feb 10, 2023
edited
Loading

Description

This PR fixes a regression introduced with #3016, where the postfix setting smtpd_milters changed the order of the values
from smtpd_milters = $dkim_milter $dmarc_milter
to smtpd_milters = $dmarc_milter $dkim_milter.

The changed order led to this kind of DMARC failures:

Details 
Jan 31 21:00:05 mail postfix/postscreen[22649]: CONNECT from [209.85.128.51]:53204 to [172.19.0.2]:25
Jan 31 21:00:11 mail postfix/postscreen[22649]: PASS NEW [209.85.128.51]:53204
Jan 31 21:00:11 mail postfix/smtpd[22650]: connect from mail-wm1-f51.google.com[209.85.128.51]
Jan 31 21:00:11 mail postfix/smtpd[22650]: Anonymous TLS connection established from mail-wm1-f51.google.com[209.85.128.51]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 31 21:00:11 mail postfix/smtpd[22650]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
Jan 31 21:00:11 mail policyd-spf[22655]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.128.51; helo=mail-wm1-f51.google.com; [email protected]; receiver=<UNKNOWN>
Jan 31 21:00:11 mail postfix/smtpd[22650]: A9F9335803BE: client=mail-wm1-f51.google.com[209.85.128.51]
Jan 31 21:00:11 mail postfix/cleanup[22656]: A9F9335803BE: message-id=<[email protected]>
Jan 31 21:00:11 mail opendmarc[2523]: A9F9335803BE ignoring Authentication-Results at 15 from mx.google.com
Jan 31 21:00:11 mail opendmarc[2523]: A9F9335803BE: google.com fail
Jan 31 21:00:11 mail postfix/cleanup[22656]: A9F9335803BE: milter-reject: END-OF-MESSAGE from mail-wm1-f51.google.com[209.85.128.51]: 5.7.1 rejected by DMARC policy for google.com; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-wm1-f51.google.com>
Jan 31 21:00:44 mail postfix/smtpd[22650]: disconnect from mail-wm1-f51.google.com[209.85.128.51] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=0/1 rset=1 quit=1 commands=7/8

I switched back the order of the two conditions:

  1. [[ ${ENABLE_OPENDMARC} -eq 1 ]]
  2. [[ ${ENABLE_OPENDKIM} -eq 1 ]]

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (non-breaking change that does improve existing functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (README.md or the documentation under docs/)
  • If necessary I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@casperklein casperklein self-assigned this Feb 10, 2023
@casperklein casperklein added this to the v12.0.0 milestone Feb 10, 2023
@ap-wtioit ap-wtioit mentioned this pull request Feb 10, 2023
Closed
10 tasks
@ap-wtioit
Copy link
Copy Markdown
Contributor

ap-wtioit commented Feb 10, 2023

As mentioned in #3078 this fix looks good to me (and necessary), but it doesn't fix #3078.

It should fix the issue that opendmarc doesn't take into account the DKIM signatures into the DMARC check. (Which is an issue that also happens on our servers)

ap-wtioit
ap-wtioit reviewed Feb 10, 2023
View reviewed changes
Comment thread target/scripts/startup/setup-stack.sh
function _setup_dkim_dmarc
{
if [[ ${ENABLE_OPENDMARC} -eq 1 ]]
if [[ ${ENABLE_OPENDKIM} -eq 1 ]]
Copy link
Copy Markdown
Contributor

@ap-wtioit ap-wtioit Feb 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it works for our servers (opendkim + opendmarc enabled) but the return 0 is lost here.

which syntactically was useless just preventing an error in the current state of the code (after lot's of refactoring) but made me think why it was there in the first place.

should opendmarc be enabled without opendkim (and policyd-spf) or should there be at least a warning that all mails for domains with DMARC enable are incorrectly rejected if you run opendmarc without policyd-spf or without opendkim?

for a RFC 7489 compliant mail receiver setup if opendmarc is enabled (ENABLE_OPENDMARC), policyd-spf (always enabled) and opendkim (ENABLE_OPENDKIM) must be enabled.

Copy link
Copy Markdown
Member Author

@casperklein casperklein Feb 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should opendmarc be enabled without opendkim (and policyd-spf) or should there be at least a warning that all mails for domains with DMARC enable are incorrectly rejected if you run opendmarc without policyd-spf or without opendkim?

There is definitely room for improvements. This PR only aims to fix the current regression. At the moment, I don't have much spare time. So looking into it, will take same weeks.

@casperklein casperklein marked this pull request as ready for review February 10, 2023 17:47
@casperklein casperklein requested a review from a team February 10, 2023 17:47
@casperklein casperklein marked this pull request as draft February 10, 2023 17:52
@casperklein casperklein marked this pull request as ready for review February 10, 2023 19:00
polarathene
polarathene approved these changes Feb 11, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@polarathene polarathene left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this will conflict with a related PR by @georglauterbach

One could also probably just append both milter values to an array and afterwards instead of similar logic for both, just have one edit after both dkim + dmarc options are handled to add enabled milters. That way the existing dmarc first would still keep dmarc first in the array, then dkim (probably worth noting order is important with a comment though).

@georglauterbach
Copy link
Copy Markdown
Member

georglauterbach commented Feb 11, 2023
edited
Loading

Yeah, I had actually hoped to get my PR merged before, but I'm lacking the reviews 😅

I can take care of the merge conflicts, but I'd really love to merge my PRs then :)

I can also add a comment about the order.

@georglauterbach georglauterbach changed the title Fix dkim/dmarc order fix: dkim/dmarc order Feb 11, 2023
@georglauterbach georglauterbach changed the title fix: dkim/dmarc order fix: order of DKIM/DMARC milters matter Feb 11, 2023
@georglauterbach georglauterbach changed the title fix: order of DKIM/DMARC milters matter fix: order of DKIM/DMARC milters matters Feb 11, 2023
@georglauterbach georglauterbach mentioned this pull request Feb 11, 2023
Merged
7 tasks
@polarathene
Copy link
Copy Markdown
Member

polarathene commented Feb 12, 2023

I can take care of the merge conflicts

You could probably just squeeze in the fix in that PR technically and we could close this one.

No need to swap the order like this PR is doing with moving conditional blocks. Just append to an array and after the two update the config like I said? (although I recall you changing opendkim conditional into an early return guard instead, which I wasn't a fan of to skip some indentation since it wasn't consistent with the related dmarc conditional 😅 )

@georglauterbach
Copy link
Copy Markdown
Member

georglauterbach commented Feb 12, 2023

I can take care of the merge conflicts

You could probably just squeeze in the fix in that PR technically and we could close this one.

I will just go ahead and merge this one so it's out on master.

No need to swap the order like this PR is doing with moving conditional blocks. Just append to an array and after the two update the config like I said? (although I recall you changing opendkim conditional into an early return guard instead, which I wasn't a fan of to skip some indentation since it wasn't consistent with the related dmarc conditional 😅 )

I will resolve the conflicts and adapt your strategy :) This way the work @casperklein has put into the PR is not wasted IMO :)

@georglauterbach georglauterbach merged commit 26861dd into docker-mailserver:master Feb 12, 2023
georglauterbach added a commit that referenced this pull request Feb 13, 2023
@georglauterbach
Merge remote-tracking branch 'origin/master' into rspamd/5
06f5ae6 
I resolved the conflicts and after looking at the code, I decided
against the proposed solution of using an array/string that is appended
to Postfix's milters at the end due to unnecessarry complexity it would
add IMO. The current solution is absolutely fine when proper comments
are in place (which I also added).

Moreover, I added a warning to the log that enabling OpenDMARC but
disabling OpenDKIM is not compliant with RFC 7489 (see
#3082 (comment)).
@casperklein casperklein deleted the fix-3078 branch March 13, 2023 22:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@polarathene polarathene polarathene approved these changes

@georglauterbach georglauterbach georglauterbach approved these changes

+1 more reviewer

@ap-wtioit ap-wtioit ap-wtioit approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@casperklein casperklein

Labels

area/scripts

Projects

None yet

Milestone

v12.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@casperklein @ap-wtioit @georglauterbach @polarathene