Bug 11655

Summary: outgoing mails are missing DKIM signatures
Product: Infrastructure
Reporter: Peter Müller <peter.mueller>
Component: Mail & Mailing Lists
Assignee: Peter Müller <peter.mueller>
Status: CLOSED FIXED
QA Contact: Michael Tremer <michael.tremer>
Severity: Major Usability    
Priority: - Unknown -    
Version: unspecified   
Hardware: unspecified   
OS: Unspecified   
Bug Depends on: 12150    
Bug Blocks: 11634    
Attachments: attachment-4160-0.html

Description Peter Müller 2018-03-01 20:05:43 UTC
Some outgoing mails (especially coming from the web server) are missing DKIM signatures and won't authenticate against it. The IgnoreHosts directive of OpenDKIM needs to be adjusted here.

@Michael: Is there a network range for servers only? Or do we need to sign all mails coming from RFC1918 addresses?
Comment 1 Peter Müller 2018-03-01 20:25:40 UTC
Added 172.28.1.0/24 to the InternalNetworks, so mails coming from these IPs should be signed now. We need to test if mails delivered via submission port are still, too, but I think so. :-)
Comment 2 Peter Müller 2018-03-01 21:01:18 UTC
Tested, this is fixed now.
Comment 3 Michael Tremer 2018-03-01 21:37:36 UTC
172.28.1.0/24, 192.168.9.0/24 is what we use internally mainly

Since relay.i.ipfire.org is only pointing to IPv4 only, we don't use IPv6 at the
moment but that is only disabled since we migrated to the new machine
Comment 4 Peter Müller 2018-03-11 21:41:25 UTC
For the records: 192.168.9.0/24 was missing, added now.

Had much too little coffee today...
Comment 5 Peter Müller 2018-03-11 21:48:14 UTC
Some outgoing mails are still missing DKIM signatures. This might be fixed by adding the internal network (see last comment), but we keep this open until the DMARC reports prove that.
Comment 6 Peter Müller 2018-04-20 18:31:05 UTC
I do not see any major amount of unsigned mails looking at the DMARC reports.

Can we consider this as being closed?
Comment 7 Michael Tremer 2018-04-20 21:00:39 UTC
If the reports are all green, yes.

What can we do about the remaining yellow ones?
Comment 8 Peter Müller 2018-04-20 21:04:34 UTC
(In reply to Michael Tremer from comment #7)
> If the reports are all green, yes.
> 
> What can we do about the remaining yellow ones?
In case of the Gmail report from yesterday (https://dmarc-reports.ipfire.org/dmarc-reports/?report=645&hostlookup=1&sortorder=1&p=2018-04#rpt645), not very much I'm afraid. They are all DKIM signed.
Comment 9 Michael Tremer 2018-04-20 21:08:02 UTC
I looked yesterday or two days ago and there is still a lot of yellow
in there. Amazon for example. Or is that a fraud?
Comment 10 Peter Müller 2018-04-20 21:20:35 UTC
Hard to tell... There is some traffic to Amazon, but mostly aggregated DMARC reports. Could you send me those so I can check whether they are DKIM signed?
Comment 11 Michael Tremer 2018-04-20 22:19:32 UTC
I don't have them. I removed the CC to postmaster@ipfire.org so I do
not get a sh*t ton of emails in my inbox that I cannot do anything
about.
Comment 12 Peter Müller 2018-04-20 22:24:22 UTC
Well, in that case I suppose there is no information left.

Are you fine with re-enabling the CC and move the reports to a separate folder in your IMAP account?
Comment 13 Michael Tremer 2018-04-20 22:36:39 UTC
Created attachment 575
attachment-4160-0.html

Yes that would be fine. Or ideally having them put in an own Git repo with my archive script?! For how long and for what purpose do you want to keep them?
Comment 14 Peter Müller 2018-04-21 08:30:22 UTC
I use to keep them 14 days, mainly for debugging and troubleshooting.
Comment 15 Peter Müller 2018-04-29 12:34:51 UTC
Some mails to Amazon SES are missing DKIM signatures:
- https://dmarc-reports.ipfire.org/dmarc-reports/?report=722&hostlookup=1&sortorder=1&p=2018-04#rpt722
- https://dmarc-reports.ipfire.org/dmarc-reports/?report=723&hostlookup=1&sortorder=1&p=2018-04#rpt723

These seem to be DMARC reports. @Michael: Could you send them to me so I can have a look at them?

Apart from that, everything else is green now.
Comment 16 Michael Tremer 2018-04-30 12:46:51 UTC
I am not storing them. I just pipe them into the script which puts them into
this database that you are having a look at.
Comment 17 Peter Müller 2018-04-30 19:19:41 UTC
(In reply to Michael Tremer from comment #16)
> I am not storing them. I just pipe them into the script which puts them into
> this database that you are having a look at.
I meant the DMARC report we sent to Amazon SES since I suspect it being missing a DKIM signature for whatever reason.
Comment 18 Michael Tremer 2018-04-30 20:22:26 UTC
Yes same, I do not store them. I will set something up that they are stored in a
separate inbox and then we should have one in a few days if that is soon enough.
Comment 19 Peter Müller 2019-01-22 20:41:29 UTC
Since the last DMARC reports indicate DKIM success with a few exceptions (looks like mail redirections at GMail), I think we can close this issue.

@Michael: Can we? :-)
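
Added example, not part of the original thread and not the project's own tooling: comments 5 and 19 both rely on DMARC aggregate reports to tell whether mail is still leaving unsigned, and this sketch separates "no signature seen" from "signature present but failed" per source IP. The report below is constructed, uses documentation addresses and example.org, and assumes the RFC 7489 XML layout without a namespace.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (no XML namespace);
# the addresses and example.org are documentation values, not taken from the bug.
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results>
   <dkim><domain>example.org</domain><result>pass</result></dkim>
  </auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>3</count>
   <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results>
   <spf><domain>example.org</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>2</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results>
   <dkim><domain>example.org</domain><result>fail</result></dkim>
  </auth_results>
 </record>
</feedback>"""

def classify(record):
    """Return 'signed', 'unsigned' or 'broken' for one <record> element."""
    if record.findtext("row/policy_evaluated/dkim") == "pass":
        return "signed"
    results = [d.findtext("result") for d in record.findall("auth_results/dkim")]
    # No <dkim> entry (or only 'none') means the receiver saw no signature at all.
    if not results or all(r == "none" for r in results):
        return "unsigned"
    # A signature was present but did not verify or align, e.g. altered in transit.
    return "broken"

def dkim_failures(xml_text):
    """Sum message counts per (source_ip, class), leaving out signed mail."""
    totals = Counter()
    for record in ET.fromstring(xml_text).iter("record"):
        key = (record.findtext("row/source_ip"), classify(record))
        totals[key] += int(record.findtext("row/count", "0"))
    return {k: n for k, n in totals.items() if k[1] != "signed"}

if __name__ == "__main__":
    for (ip, kind), n in sorted(dkim_failures(SAMPLE_REPORT).items()):
        print(f"{ip}\t{kind}\t{n}")
```

"unsigned" rows from one's own relay address point at a signing gap on the sending side, while "broken" rows from foreign addresses are more typical of forwarding.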
Comment 20 Michael Tremer 2019-01-28 11:48:48 UTC
I didn't check the reports, but I trust you when you say this is okay...
Comment 21 Michael Tremer 2019-01-28 11:50:11 UTC
What is with all the stuff that is coming from web06? That's the wiki and forum.
Comment 22 Michael Tremer 2019-01-28 15:30:22 UTC
Re-opened because we need to get rid of "web06.i.ipfire.org" in the headers...
Comment 23 Peter Müller 2019-04-06 07:36:32 UTC
(In reply to Michael Tremer from comment #22)
> Re-opened because we need to get rid of "web06.i.ipfire.org" in the
> headers...
I filed this separately under #12042.

Closing this.
Comment 24 Peter Müller 2019-09-01 07:55:14 UTC
We currently send messages without DKIM signatures, as DKIM keys are missing.
Comment 25 Peter Müller 2019-09-05 17:28:54 UTC
This is fixed for ipfire.org and lightningwirelabs.com by now.

Some other personal domains of Michael may be missing, but they are not that critical here...