tickets #111902

DMARC check failing

Added by sbuchovecka 8 months ago. Updated 8 months ago.

Status: In Progress
Priority: Normal
Assignee: -
Category: Email
Target version: -
Start date: 2022-06-01
Due date: 2022-06-06
% Done: 0%
Estimated time:
Description

Hello team,

We got a couple of reports from SUSE users on emails from openSUSE domain being held by Mimecast. The reason for that is DNS Authentication: DMARC Fail.

Some details below:
[image001.png]
[image002.png]
It looks like DMARC policy is actively asking for quarantining the email on the recipient side.

Could you review the configuration on the openSUSE mail setup side? Looks like a similar issue was already reported in (https://sd.suse.com/browse/SD-87808)

Thank you
Simona

--
Simona Fornusek (Buchovecka)
Cybersecurity Design & Engineering

image001.png (38 KB) sbuchovecka, 2022-06-01 08:42
image002.png (23.2 KB) sbuchovecka, 2022-06-01 08:42

History

#1 Updated by pjessen 8 months ago

  • Category set to Email
  • Private changed from Yes to No

The DMARC record for opensuse.org is:

v=DMARC1; p=none; pct=100; rua=mailto:admin-auto@opensuse.org!5m; ruf=mailto:admin-auto@opensuse.org!5m

I.e. no policy for all mails.

The SPF record for lists.opensuse.org is:

v=spf1 mx a:proxy-nue1.opensuse.org a:proxy-nue2.opensuse.org ip6:2001:67c:2178:8::/64 ~all

A mail from mailman (lists.opensuse.org) should get an SPF PASS. I don't see how it could get a SOFTFAIL.

#2 Updated by sbuchovecka 8 months ago

It is probably the policy of pm.me (as from Header From).

Simona


#3 Updated by pjessen 8 months ago

I see the initial mail on the factory list; when received on my own system, it has SPF_PASS (from SpamAssassin). The follow-up at 20:20 also has SPF_PASS. However, when the mail was sent to gmail recipients, Google also said '250 2.0.0 OK DMARC:Quarantine'.

It is probably the policy of pm.me (as from Header From).

Confirm, "pm.me" has 'v=DMARC1; p=quarantine;' ....

#4 Updated by pjessen 8 months ago

  • Due date set to 2022-06-06
  • Status changed from New to In Progress

Mailman does have the option of "DMARC mitigation" which involves munging the From: header, for instance. It may be activated in general or only for domains which have a DMARC policy of reject or quarantine.
In the past 90 days, some 6615 deliveries were quarantined by Google, although only 321 actual mails. Because it is based on the From: header, I can't tell what the actual sending domains were. Remarkably, no one has complained before :-)

I guess it won't hurt to activate DMARC mitigation for e.g. factory.lists and see what happens. I won't do it right now, as I am away for the next few days.
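
Added example (not part of the ticket and not Mailman's code): a simplified DMARC evaluation showing how a list delivery with an SPF pass for lists.opensuse.org is judged against the From: header domain's policy, and which From: domains the conditional mitigation mentioned in #4 would select. The two-label organizational-domain shortcut and the assumption that the author's DKIM signature does not survive the list are simplifications.

```python
# Added example: simplified DMARC evaluation for mailing-list deliveries.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: last two labels; a real check uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """'s' = exact match; 'r' (the default) = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, record, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (dmarc_result, requested_disposition) for one delivery."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(
        dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")

def needs_mitigation(record):
    """Select only From: domains whose policy is reject or quarantine."""
    return parse_dmarc(record).get("p", "none") in ("reject", "quarantine")

# Records as quoted in the ticket.
OPENSUSE = ("v=DMARC1; p=none; pct=100; rua=mailto:admin-auto@opensuse.org!5m; "
            "ruf=mailto:admin-auto@opensuse.org!5m")
PM_ME = "v=DMARC1; p=quarantine;"

if __name__ == "__main__":
    # Constructed deliveries: SPF passes for the list host, no aligned DKIM.
    print(evaluate("pm.me", PM_ME, spf_pass_domain="lists.opensuse.org"))
    print(evaluate("opensuse.org", OPENSUSE, spf_pass_domain="lists.opensuse.org"))
    print(needs_mitigation(PM_ME), needs_mitigation(OPENSUSE))
```

An SPF pass only counts toward DMARC when the domain that passed aligns with the From: header domain, which is why the result differs between the two constructed deliveries.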
