From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by finch.gentoo.org (Postfix) with ESMTPS id 6F4A4138350
    for ; Tue, 7 Apr 2020 18:35:33 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
    by pigeon.gentoo.org (Postfix) with SMTP id 82C2AE09D9;
    Tue, 7 Apr 2020 18:35:21 +0000 (UTC)
Received: from s1.swsch.de (s1.swsch.de [IPv6:2a01:4f8:a0:8074::2])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by pigeon.gentoo.org (Postfix) with ESMTPS id 2357CE095A
    for ; Tue, 7 Apr 2020 18:35:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xss.de; s=s1;
    h=Content-Transfer-Encoding:Content-Type:MIME-Version:References:
    In-Reply-To:Subject:To:Message-ID:From:Date:Sender:Reply-To:Cc:Content-ID:
    Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
    :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
    List-Post:List-Owner:List-Archive;
    bh=/7rEezJ54u8wTESVlV5GrGJIN8r38rPkH3zcNgRtazs=;
    b=AuLpKqmaLeUcezX4M9lZe4rQC9
    dxNNPMY4fP6k4PgnzcKUE5C/sRcSRUgwqGDOTMxn46qx+swXQ7ZYObKWEEiU/xdMUc3uCVJE0HBiT
    bbiFXOEw2ygLBQ02Kcucpdu37uivJbqbDOuKfQgbimlhCsr7B7YwNz9vsntwoisto1E0=;
Received: from [2003:d4:4710:af00:5c12:ad9:2c4c:628b] (helo=PC-DEV.fritz.box)
    by s1.swsch.de with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93.0.4) (envelope-from ) id 1jLt49-0006PI-T2;
    Tue, 07 Apr 2020 20:35:17 +0200
Date: Tue, 7 Apr 2020 20:35:17 +0200
From: Stefan Schmiedl
Organization: EDV-Beratung Schmiedl
Message-ID: <1006982307.20200407203517@xss.de>
To: Michael , gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Alternate Incoming Mail Server
In-Reply-To: <2361732.4XsnlVU6TS@lenovo.localdomain>
References: <20200406153445.yzeewcorrb7vjtni@ad-gentoo-main>
    <3d992689-1f33-f2b1-d94a-87ddeaa41230@gentoo.org>
    <1262066889.20200406201306@xss.de>
    <2361732.4XsnlVU6TS@lenovo.localdomain>
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Scan-Signature: 5e327afec4aa7aba8545b0390c7a5594
X-Archives-Salt: 8fb55b43-4456-462d-ae4e-4fb3ea91943f
X-Archives-Hash: e00d15dd2f7d03e9f9b72c12bc4d6946

"Michael" , 07.04.2020, 19:10:

> This thread has been covered in depth for a while now, but I noticed something
> noteworthy.

> On Monday, 6 April 2020 19:13:06 BST Stefan Schmiedl wrote:
>>
>> And here's an example for J. Roeleveld's observed missed original
>> messages:
>>
>> A few days ago I sent a message to this list. As usual, I received
>> a bunch of DMARC reports from mailservers rejecting the messages.
>>
>> > From: "Seznam.cz"
>> > This is a spf/dkim authentication-failure report for an email message
>> > received from IP 208.92.234.80 on Sun, 05 Apr 2020 22:14:23 +0200.
>> >
>> > The message below did not meet the sending domain's dmarc policy.

> The reason your message was *rejected*, rather than failed to be delivered/
> gone missing, was because there is a DKIM failure in its headers.  This is not
> the non-delivery failure Joost was talking about when an MX server has gone
> offline.

As I understood it, were I somebody@seznam.cz, I would not have received
the original message but only the replies to it, hence observing the same
strange behaviour of "missed original message but received replies" due
to issues completely out of somebody's control.

>> The headers of that rejected message start with
>>
>> > Received: from lists.gentoo.org (unknown [208.92.234.80])
>> >         by email-smtpd3.ng.seznam.cz (Seznam SMTPD 1.3.108) with ESMTP;
>> >         Sun, 05 Apr 2020 22:14:22 +0200 (CEST)
>>
>> This means that folks @seznam.cz (among others) will not get to see
>> this message unless somebody replies to it from a domain that uses
>> a less restrictive combination of SPF, DKIM and DMARC rules.

> I would think the @seznam.cz recipient server obliges by following the DMARC
> policy published, but ... the tag "p=none" in _dmarc.xss.de TXT means it
> should neither reject, nor quarantine the message.  :-/

It's been a while since I set this up, but according to RFC 7489,
section 6.7 "policies of "p=none" SHOULD NOT modify existing mail
disposition processing", which I understood as "the receiver can do
what it wants, but I get notified about DMARC related problems".

I'll update the record to quarantine and see what breaks.

> In other messages the 'bh=' hash is before the 'h=' string.  The sequence of
> tags is:

> bh=.....;
> h=......;
> b=.......

> In Stefan's message the sequence is different:

> h=......;
> bh=.....;
> b=.......

> Perhaps the order in which recipients servers parse the headers cause the DKIM
> check to fail?

I really hope that is not the case as the sequence is whatever exim
uses as default sequence.

Outgoing mail uses this transport:

remote_smtp:
  driver = smtp
  dkim_domain = ${lc:${domain:$h_from:}}
  dkim_selector = s1
  dkim_private_key = CONFDIR/dkim/dkim.private.key
  dkim_canon = relaxed

> This is what I see here in the headers delivered by Stephan via the gentoo-
> user M/L:

> Authentication-Results: ;
>         dkim=fail header.d=xss.de;      <== DKIM checks failed ==
>         spf=pass (sender IP is 208.92.234.80)
> [snip ...]

The problem could be that the header list includes things like

  h=...:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

which are not in my original message but are added by the mailing list
software. So if you received one of my DKIM signed messages directly,
the signature would work, but if you received it after it passed through
a mailing list, your DKIM check would fail because it would include
List-Id in the test and the test would fail.

Michael, you should receive two copies of this message, one via list
one directly. Could you do me the favour and let me know (offline) what
the Authentication-Results for both messages look like?

Thanks,
s.
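
Added example, not part of the original message and not Exim's or any verifier's code: a simplified model of the header part of a DKIM check, showing that listing List-* names in h= while they are absent makes the signed-header digest change once a list manager adds them. The sample headers, addresses and function names are constructed for illustration; the DKIM-Signature header itself and the RSA step are left out.

```python
import hashlib
import re

def relaxed_header(name, value):
    """'relaxed' header canonicalization (RFC 6376, section 3.4.2)."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse runs of whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def signed_header_digest(headers, h_tag):
    """SHA-256 over the headers named in h=, taken in h= order.

    headers: (name, value) pairs in message order, topmost first.
    A name in h= with no matching header adds nothing to the hash input,
    so a header of that name added later changes the digest.
    Simplification: the DKIM-Signature header itself and the RSA step are omitted.
    """
    pool = list(headers)
    data = b""
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(pool) - 1, -1, -1):      # instances are used bottom-up
            if pool[i][0].lower() == wanted:
                name, value = pool.pop(i)
                data += relaxed_header(name, value).encode()
                break
    return hashlib.sha256(data).hexdigest()

# Constructed sample headers (not taken from the thread).
ORIGINAL = [
    ("From", "Sender <sender@example.org>"),
    ("To", "list@lists.example.net"),
    ("Subject", "Re:  test   message"),
    ("Date", "Tue, 7 Apr 2020 20:35:17 +0200"),
]
# The same message after a list manager prepended its own headers.
VIA_LIST = [
    ("List-Id", "Example list <list.lists.example.net>"),
    ("List-Post", "<mailto:list@lists.example.net>"),
] + ORIGINAL

H_WITH_LIST = "From:To:Subject:Date:List-Id:List-Post"  # signs headers not yet present
H_WITHOUT_LIST = "From:To:Subject:Date"

def survives_list(h_tag):
    """True if the signed-header digest is the same before and after the list hop."""
    return signed_header_digest(ORIGINAL, h_tag) == signed_header_digest(VIA_LIST, h_tag)

if __name__ == "__main__":
    for h in (H_WITH_LIST, H_WITHOUT_LIST):
        print(h, "->", "unchanged" if survives_list(h) else "digest changed by list headers")
```

In Exim the set of signed header names is controlled by the smtp transport option dkim_sign_headers.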