tickets #111902

open

DMARC check failing

Added by sbuchovecka almost 2 years ago. Updated almost 2 years ago.

Status:
In Progress
Priority:
Normal
Assignee:
-
Category:
Email
Target version:
-
Start date:
2022-06-01
Due date:
2022-06-06 (about 23 months late)
% Done:

0%

Estimated time:

Description

Hello team,

We got a couple of reports from SUSE users about emails from the openSUSE domain being held by Mimecast. The reason for that is DNS Authentication: DMARC Fail.

Some details below:
[cid:image001.png@01D875A3.95603960]
[cid:image002.png@01D875A3.A0D19B40]
It looks like DMARC policy is actively asking for quarantining the email on the recipient side.

Could you review the configuration on the openSUSE mail setup side? It looks like a similar issue was already reported in (https://sd.suse.com/browse/SD-87808).

Thank you
Simona

--
Simona Fornusek (Buchovecka)
Cybersecurity Design & Engineering


Files

image001.png (38 KB) image001.png sbuchovecka, 2022-06-01 08:42
image002.png (23.2 KB) image002.png sbuchovecka, 2022-06-01 08:42
Actions #1

Updated by pjessen almost 2 years ago

  • Category set to Email
  • Private changed from Yes to No

The DMARC record for opensuse.org is:

v=DMARC1; p=none; pct=100; rua=mailto:admin-auto@opensuse.org!5m; ruf=mailto:admin-auto@opensuse.org!5m

I.e. no policy for all mails.

The SPF record for lists.opensuse.org is:

v=spf1 mx a:proxy-nue1.opensuse.org a:proxy-nue2.opensuse.org ip6:2001:67c:2178:8::/64 ~all

A mail from mailman (lists.opensuse.org) should get an SPF PASS. I don't see how it could get a SOFTFAIL.

Actions #2

Updated by sbuchovecka almost 2 years ago

It is probably the policy of pm.me (as from Header From).

Simona


Actions #3

Updated by pjessen almost 2 years ago

I see the initial mail on the factory list; when received on my own system, it has SPF_PASS (from SpamAssassin). The follow-up at 20:20 also has SPF_PASS. However, when the mail was sent to Gmail recipients, Google also said '250 2.0.0 OK DMARC:Quarantine'.

It is probably the policy of pm.me (as from Header From).

Confirm, "pm.me" has 'v=DMARC1; p=quarantine;' ....

Actions #4

Updated by pjessen almost 2 years ago

  • Due date set to 2022-06-06
  • Status changed from New to In Progress

Mailman does have the option of "DMARC mitigation" which involves munging the From: header, for instance. It may be activated in general or only for domains which have a DMARC policy of reject or quarantine.
In the past 90 days, some 6615 deliveries were quarantined by Google, although only 321 actual mails. Because it is based on the From: header, I can't tell what the actual sending domains were. Remarkably, no one has complained before :-)

I guess it won't hurt to activate DMARC mitigation for e.g. factory.lists and see what happens. I won't do it right now, as I am away for the next few days.
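
To illustrate why the thread sees SPF pass alongside a DMARC quarantine, here is an added example (not code from the ticket or from Mailman) that evaluates DMARC identifier alignment using the two records quoted above. The two-label organizational-domain shortcut, the broken author DKIM signature, and `lists.opensuse.org` as the munged From: domain are assumptions.

```python
# Added example: simplified DMARC evaluation, not a full RFC 7489 implementation.
# Records as quoted in the ticket (pm.me's appears there only up to p=quarantine).
DMARC_RECORDS = {
    "opensuse.org": "v=DMARC1; p=none; pct=100; rua=mailto:admin-auto@opensuse.org!5m; "
                    "ruf=mailto:admin-auto@opensuse.org!5m",
    "pm.me": "v=DMARC1; p=quarantine;",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Assumption: the last two labels stand in for a Public Suffix List lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') compares organizational domains; strict ('s') exact names."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, spf_domain, spf_result, dkim_sigs):
    """Return (dmarc_result, requested_disposition); dkim_sigs is [(d=, verified)]."""
    from_domain = from_domain.lower()
    exact = DMARC_RECORDS.get(from_domain)
    tags = parse_dmarc(exact or DMARC_RECORDS.get(org_domain(from_domain), ""))
    if tags.get("v") != "DMARC1":
        return ("none", "none")  # no policy published for the From: domain
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(ok and aligned(d, from_domain, tags.get("adkim", "r")) for d, ok in dkim_sigs)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # Subdomains inherit sp= from the organizational record when it is set.
    policy = tags.get("p", "none") if exact else tags.get("sp", tags.get("p", "none"))
    return ("fail", policy)

# Constructed cases. The list rewrites the envelope sender, so SPF passes for
# lists.opensuse.org; the author's DKIM signature is assumed broken by list edits.
RELAYED = evaluate("pm.me", "lists.opensuse.org", "pass", [("pm.me", False)])
MUNGED = evaluate("lists.opensuse.org", "lists.opensuse.org", "pass", [("pm.me", False)])

if __name__ == "__main__":
    print("From: pm.me via list        ->", RELAYED)  # ('fail', 'quarantine')
    print("From: munged to list domain ->", MUNGED)   # ('pass', 'none')
```

The SPF pass never helps the relayed message because it authenticates `lists.opensuse.org`, which does not align with the `pm.me` domain in the From: header.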
