Hello r/linux_admin,
first of all: it is. My question may seem kind of stupid, please let me explain.
In the last few months I have successfully deployed my own mail server using debian, postfix, dovecot, dspam, policyd-spf-python, opendkim and opendmarc. I am not yet using it productively, I am merely sending and receiving mail to and from gmail and watching headers and logfiles. I have found some stuff I can't quite get my head around.
Maybe you could take a look and, based on your experience, tell me "if it's working".
This is an (altered) log excerpt from a mail from gmail.
Feb 12 14:14:35 domain postfix/smtpd[2870]: connect from mail-pa0-f53.google.com[209.85.220.53]
Feb 12 14:14:36 domain postfix/smtpd[2870]: NOQUEUE: filter: RCPT from mail-pa0-f53.google.com[209.85.220.53]: <mail-pa0-f53.google.com[209.85.220.53]>: Client host triggers FILTER dspam:unix:/run/dspam/dspam.sock; from=<user@gmail.com> to=<user@domain.de> proto=ESMTP helo=<mail-pa0-f53.google.com>
Feb 12 14:14:37 domain policyd-spf[2891]: None; identity=helo; client-ip=209.85.220.53; helo=mail-pa0-f53.google.com; envelope-from=user@gmail.com; receiver=user@domain.de
Feb 12 14:14:37 domain policyd-spf[2891]: Pass; identity=mailfrom; client-ip=209.85.220.53; helo=mail-pa0-f53.google.com; envelope-from=user@gmail.com; receiver=user@domain.de
Feb 12 14:14:37 domain postfix/smtpd[2870]: 6074DB00B5F: client=mail-pa0-f53.google.com[209.85.220.53]
Feb 12 14:14:37 domain postfix/cleanup[2884]: 6074DB00B5F: message-id=<CAByb-asd+b4i18FshhN3G+q21kDCE7OZ+0BzwALw8TOug@mail.gmail.com>
Feb 12 14:14:37 domain opendkim[2680]: 6074DB00B5F: mail-pa0-f53.google.com [209.85.220.53] not internal
Feb 12 14:14:37 domain opendkim[2680]: 6074DB00B5F: not authenticated
Feb 12 14:14:37 domain opendkim[2680]: 6074DB00B5F: no signing domain match for 'gmail.com'
Feb 12 14:14:37 domain opendkim[2680]: 6074DB00B5F: no signing subdomain match for 'gmail.com'
Feb 12 14:14:38 domain opendkim[2680]: 6074DB00B5F: DKIM verification successful
Feb 12 14:14:38 domain opendkim[2680]: 6074DB00B5F: s=20120113 d=gmail.com SSL
Feb 12 14:14:38 domain opendmarc[2646]: 6074DB00B5F: gmail.com pass
Feb 12 14:14:38 domain postfix/qmgr[2833]: 6074DB00B5F: from=<user@gmail.com>, size=2543, nrcpt=1 (queue active)
Feb 12 14:14:38 domain postfix/smtpd[2870]: disconnect from mail-pa0-f53.google.com[209.85.220.53]
Feb 12 14:14:38 domain postfix/pickup[2832]: 722A5B00B75: uid=103 from=<user@gmail.com>
Feb 12 14:14:38 domain postfix/cleanup[2884]: 722A5B00B75: message-id=<CAByb-asd+b4i18FshhN3G+q21kDCE7OZ+0BzwALw8TOug@mail.gmail.com>
Feb 12 14:14:38 domain opendkim[2680]: 722A5B00B75: no signing domain match for 'gmail.com'
Feb 12 14:14:38 domain opendkim[2680]: 722A5B00B75: no signing subdomain match for 'gmail.com'
Feb 12 14:14:38 domain opendkim[2680]: 722A5B00B75: DKIM verification successful
Feb 12 14:14:38 domain opendkim[2680]: 722A5B00B75: s=20120113 d=gmail.com SSL
Feb 12 14:14:38 domain postfix/pipe[2894]: 6074DB00B5F: to=<user@domain.de>, relay=dspam, delay=1.9, delays=1.6/0.01/0/0.23, dsn=2.0.0, status=sent (delivered via dspam service)
Feb 12 14:14:38 domain postfix/qmgr[2833]: 6074DB00B5F: removed
Feb 12 14:14:38 domain postfix/qmgr[2833]: 722A5B00B75: from=<user@gmail.com>, size=3136, nrcpt=1 (queue active)
Feb 12 14:14:38 domain dovecot: lda(user@domain.de): msgid=<CAByb-asd+b4i18FshhN3G+q21kDCE7OZ+0BzwALw8TOug@mail.gmail.com>: saved mail to INBOX
Feb 12 14:14:38 domain postfix/pipe[2899]: 722A5B00B75: to=<user@domain.de>, relay=dovecot, delay=0.09, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb 12 14:14:38 domain postfix/qmgr[2833]: 722A5B00B75: removed
Here is what I don't understand:
policyd-spf adds 2 lines where the first seems unnecessary. I have it configured like here. The info in both lines is exactly the same, so why not pass on the first line? The check is implemented in smtpd_recipient_restrictions, so why is it passing on "mailfrom" instead of "rcptto"?
no signing domain match for 'gmail.com'? Someone mentions here that this might be because there are two domains in use... google.com and gmail.com. Why is it successful anyway?
opendkim is somehow running twice. I am not quite sure why. The internet says it's because the message is given to another service which then gives it back to postfix and I have to tell postfix to not run milters again on it. Problem is: a) I don't know where b) why is opendmarc not run twice (it is configured as a milter like opendkim)
Here we have a header of a mail from gmail
Return-Path: <user@gmail.com>
Delivered-To: user@domain.de
Received: by domain.de (Postfix, from userid 103)
    id 722A5B00B75; Wed, 12 Feb 2014 14:14:38 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.8.4 domain.de 722A5B00B75
Authentication-Results: mail.domain.de;
    dkim=pass reason="2048-bit key; unprotected key" header.d=gmail.com header.i=@gmail.com header.b=W1DJH0MY;
    dkim-adsp=pass; dkim-atps=neutral
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.220.53; helo=mail-pa0-f53.google.com; envelope-from=user@gmail.com; receiver=user@domain.de
Authentication-Results: mail.domain.de; dmarc=pass header.from=gmail.com
DKIM-Filter: OpenDKIM Filter v2.8.4 domain.de 6074DB00B5F
Received: from mail-pa0-f53.google.com (mail-pa0-f53.google.com [209.85.220.53])
    (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
    (No client certificate requested)
    by domain.de (Postfix) with ESMTPS id 6074DB00B5F
    for <user@domain.de>; Wed, 12 Feb 2014 14:14:36 +0100 (CET)
Received: by mail-pa0-f53.google.com with SMTP id lj1so9133428pab.26
    for <user@domain.de>; Wed, 12 Feb 2014 05:14:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20120113;
    h=mime-version:in-reply-to:references:date:message-id:subject:from:to
     :content-type;
    bh=UCcaaZAmLzXQtDKzoMV4pNOgYcuEIwZmTOVj5EfYQxM=;
    b=W1DJH0MYbQJ1ychOvQBqPFtuNrGEqufoPzwlTiWyR676jG76+VzvlmRTNsFoqsNAej
     uHXFgZXZmp/exYHEaM28SdshrI9j625aKyMPpEIzft75cNdkKTV5K0wgB2deBQQ64s6b
     CdPqpI6eD1ExARi+NZepPe5YEr2NqPU4X7/crxBLxV1tpS+9VNCUwrveaFPlSLZtJkZm
     yxRJ9fvfLLyhYvbYpLVN/KSPUBzzwA9oAOuixLdRxFPJ8fv7Ze8fwJVEcSFXTQlqYszE
     aixYEfZnSUrFytSjxz881ujxULw5nKzCq9AJuh4fJvZWAim0cBmIQR6NbWPQcZzDGQU3
     naig==
MIME-Version: 1.0
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Wed Feb 12 14:14:38 2014
X-DSPAM-Confidence: 0.9899
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 52fb73be28958047950055
On first sight, this looks good. spf/dkim/dmarc = pass. What I don't like is this second OpenDKIM Filter v2.8.4 line :(
Here is the header of a mail from my server to gmail
Delivered-To: user@gmail.com
Received: by 10.70.15.195 with SMTP id z3csp95906pdc;
    Wed, 12 Feb 2014 05:13:55 -0800 (PST)
X-Received: by 10.224.136.67 with SMTP id q3mr39583754qat.32.1392210834781;
    Wed, 12 Feb 2014 05:13:54 -0800 (PST)
Return-Path: <user@domain.de>
Received: from domain.de (mail.domain.de. [my.ni.ce.ip])
    by mx.google.com with ESMTPS id ew5si15156485qab.183.2014.02.12.05.13.52
    for <user@gmail.com>
    (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Wed, 12 Feb 2014 05:13:54 -0800 (PST)
Received-SPF: pass (google.com: domain of user@domain.de designates my.ni.ce.ip as permitted sender) client-ip=my.ni.ce.ip;
Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of user@domain.de designates my.ni.ce.ip as permitted sender) smtp.mail=user@domain.de;
    dkim=pass header.i=@domain.de;
    dmarc=pass (p=NONE dis=NONE) header.from=domain.de
Received: from lx-heise.int.lan (p54821D45.dip0.t-ipconnect.de [84.130.29.69])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
    (No client certificate requested)
    by domain.de (Postfix) with ESMTPSA id 0BB93B00B5F
    for <user@gmail.com>; Wed, 12 Feb 2014 14:13:50 +0100 (CET)
Authentication-Results: mail.domain.de; dmarc=none header.from=domain.de
DKIM-Filter: OpenDKIM Filter v2.8.4 domain.de 0BB93B00B5F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.de; s=dkim;
    t=1392210831; bh=QIbV4Cc9SPJYhStCKqEYkBnrucoH7okk/IaU+x6Kpv0=;
    h=Date:From:To:Subject:From;
    b=mDPe6AoYAAbubkBxawyOsBj9D7Ff++HbiFLY0JgOpWqCnqlUJN673q+TDtxNqjXZb
     Bh0xIn4BDkz22rpGclTdomainhsLB3MjcgqI0oyJAQp2IsyHlLA0nsPU3ycfwldq/AOK
     VmNzCOFNgm8l204kRATGrg6c/euamt9ds94y4nyUTeRy7EcxL3didsc/+4/Tgizp37
     jSK6Zeb/SFKt6dKJ4qnfLpROgwunVEO/w0CK3azZZmEmXcFoADbZw3vxB35/lfmQwz
     PBA/tdrSUgkYSLK9sXbvjFZ3fVgwbl0DAm8LlG/gjKXoQ6JhLhTIgrTzpPTuPsZNaH
     cPatILjk8rJFw==
I think that looks good. As the last header shows 3 passes for spf/dkim/dmarc I think I did these implementations right but I am concerned that my server is not behaving as expected when it is the receiver.
I understand that I might need to provide certain configuration parts but won't at the moment for the readability of this original post. I just hope that some of you ran into the same problems and got it figured out.
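The log excerpt in the post shows one message-id under two Postfix queue IDs. As an added example (not part of the original post), this Python script groups log lines by queue ID and reports, per message-id, which milter daemons logged against each pass; the sample lines are abridged from the excerpt with the message-id shortened, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Abridged from the post's log excerpt; message-id shortened (constructed sample).
SAMPLE_LOG = """\
Feb 12 14:14:37 domain postfix/smtpd[2870]: 6074DB00B5F: client=mail-pa0-f53.google.com[209.85.220.53]
Feb 12 14:14:37 domain postfix/cleanup[2884]: 6074DB00B5F: message-id=<CAByb-asd@mail.gmail.com>
Feb 12 14:14:38 domain opendkim[2680]: 6074DB00B5F: DKIM verification successful
Feb 12 14:14:38 domain opendmarc[2646]: 6074DB00B5F: gmail.com pass
Feb 12 14:14:38 domain postfix/pickup[2832]: 722A5B00B75: uid=103 from=<user@gmail.com>
Feb 12 14:14:38 domain postfix/cleanup[2884]: 722A5B00B75: message-id=<CAByb-asd@mail.gmail.com>
Feb 12 14:14:38 domain opendkim[2680]: 722A5B00B75: DKIM verification successful
Feb 12 14:14:38 domain postfix/pipe[2894]: 6074DB00B5F: to=<user@domain.de>, relay=dspam, status=sent
Feb 12 14:14:38 domain postfix/pipe[2899]: 722A5B00B75: to=<user@domain.de>, relay=dovecot, status=sent
"""

# syslog prefix, daemon[pid], hex queue ID, rest of the message
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<daemon>[\w/.-]+)\[\d+\]:\s+"
                  r"(?P<qid>[0-9A-F]{6,}):\s+(?P<msg>.*)$")

def parse(log):
    """Group log lines by queue ID: entry point, message-id, daemons seen, relay."""
    passes = defaultdict(lambda: {"entry": None, "msgid": None,
                                  "daemons": set(), "relay": None})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # NOQUEUE, policyd-spf and connect/disconnect lines carry no queue ID
        p, daemon, msg = passes[m["qid"]], m["daemon"], m["msg"]
        p["daemons"].add(daemon)
        if daemon in ("postfix/smtpd", "postfix/pickup") and p["entry"] is None:
            p["entry"] = daemon.split("/")[1]
        if msg.startswith("message-id="):
            p["msgid"] = msg[len("message-id="):]
        relay = re.search(r"relay=([^,\s]+)", msg)
        if relay:
            p["relay"] = relay.group(1)
    return dict(passes)

def repeated_filters(passes, filters=("opendkim", "opendmarc")):
    """For message-ids seen under several queue IDs, list the queue IDs each filter logged on."""
    by_msgid = defaultdict(list)
    for qid, p in passes.items():
        if p["msgid"]:
            by_msgid[p["msgid"]].append(qid)
    return {msgid: {f: [q for q in qids if f in passes[q]["daemons"]] for f in filters}
            for msgid, qids in by_msgid.items() if len(qids) > 1}

if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for qid, p in parsed.items():
        print(qid, p["entry"], "->", p["relay"], sorted(p["daemons"]))
    print(repeated_filters(parsed))
```
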