DMARC email reports from Gmail are rejected (return to the sender)

Peculiar

I have set up dmarc on the server. I am receiving daily reports from Yahoo and Hotmail with no problem. But email reports from Gmail from address: [email protected] are frozen and rejected by the server.

Here's the email report from mail queue:
1ZFKFK-0006ej-N9-H
mail 8 12
<>
1436957342 0
-ident mail
-received_protocol local
-body_linecount 68
-max_received_linelength 96
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1436957346
-localerror
XX
1
[email protected]

164P Received: from mail by server.mydomain.com with local (Exim 4.76)
id 1ZFKFK-0006ej-N9
for [email protected]; Wed, 15 Jul 2015 15:19:02 +0430
046 X-Failed-Recipients: [email protected]
029 Auto-Submitted: auto-replied
069F From: Mail Delivery System <[email protected]>
037T To: [email protected]
059 Subject: Mail delivery failed: returning message to sender
058I Message-Id: <[email protected]>
038 Date: Wed, 15 Jul 2015 15:19:02 +0430

With the following message to the sender:
1ZFKFK-0006ej-N9-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
This message has been rejected because it has
potentially executable content
"google.com
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.

What should I do to stop this? I have yet to receive a report in my dmarc mailbox.
 
sorry extra info about the google attachment

Please put both reactions together ;)
Content-Type: application/zip;
name="google.com!thedomain.com!1440115200!1440201599.zip"
Content-Disposition: attachment;
filename="google.com!thedomain.com!1440115200!1440201599.zip"
Content-Transfer-Encoding: base64
SPFCheck: Server passes SPF test, -30 Spam score
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on theipnr, -10 Spam score
X-DKIM: signer='google.com' status='pass' reason=''
DKIMCheck: Server passes DKIM test, -20 Spam score
SpamTally: Final spam score: -60
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

thedomain = of course the mail domain here

theipnr that ipnr

problem should be therefore to have settings to allow serverwide this kind of attachments coming from the google guys
[email protected]

ensure your anti-spam filters and mail server accept large attachments of type ZIP. .....
https://dmarc.org/wiki/FAQ

Also for this
If I implement DMARC, will I get a special icon next to my message in the recipient’s inbox?

The DMARC standard does not specify any visual indicators that would be displayed to the end user. However the group has identified recommendations around email client features like these as an area for future work. Some individual receivers already show visual indicators for messages under different circumstances. For example, Google’s GMail service offers a setting that will cause a gold key to be displayed next to authenticated messages from certain senders. Features like this may become more widespread as more senders and receivers put email authentication into practice. You can find out more about the GMail “gold key” feature here:
Announcement in official GMail blog
Q&A at About.com
 
Reply in DMARC discussion list about this

Note that the failure reports contain even more information that will trigger the filters, therefore both addresses (rua and ruf) should be set up to allow such reports to come in. Fix your filters would be my answer.

So also the exim filters have to be changed according to this reply, hmm.
Then all defaults (filters exim directadmin) don't comply with the DMARC reports, or am I wrong?
Manual please.

Another reply out of that discussion.
At the same time, I'd expect someone at the postmaster level to be able to configure exceptions so that they can receive abuse reports at appropriate abuse@ and postmaster@ addresses which may include "bad" content of a variety of types, and similarly, I'd expect DMARC addresses to be treated similarly, so even if globally changing the filenames were possible, I wouldn't actually recommend doing it

Quick dirty fix in /etc/system_filter.exim make copy before and delete the .|com s there

An overall script setting / filter to achieve above in a much simpler way in help is I think better.
 
An example report XML could be, if not OK. (I was sending from a third-party mail server, therefore no DKIM.)

The attachment is a zip file that should be handled automatically, in compliance with the DMARC settings of your configuration.

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>linkedin.com</org_name>
<email>[email protected]</email>
<extra_contact_info>http://help.linkedin.com</extra_contact_info>
<report_id>linkedin.com!yours.com!11755934ia</report_id>
<date_range>
<begin>1440460800</begin>
<end>1440547200</end>
</date_range>
</report_metadata>
<policy_published>
<domain>yours.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>themailserversip</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>yours.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>yours.com</domain>
<result>pass</result>
</spf>
<dkim>
<domain></domain>
<result>none</result>
</dkim>
</auth_results>
</record>
</feedback>
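
An added example, not part of the post above: one way to unpack such a report attachment defensively and list the rows that failed DKIM or SPF. The size cap, function names and sample addresses are assumptions; the element names follow the report shown above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 5 * 1024 * 1024  # assumed cap on the unpacked report

def read_report_xml(zip_bytes):
    """Return the XML from a report zip, refusing anything unexpected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        if len(members) != 1 or not members[0].filename.lower().endswith(".xml"):
            raise ValueError("expected exactly one .xml member")
        if members[0].file_size > MAX_XML_BYTES:
            raise ValueError("report larger than the configured cap")
        data = zf.read(members[0])
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("a report carries no DTD or entity declarations")
    return data

def failing_rows(xml_bytes):
    """List (source_ip, count, dkim, spf) for rows where a check failed."""
    rows = []
    for rec in ET.fromstring(xml_bytes).iter("record"):
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        if "fail" in (dkim, spf):
            rows.append((rec.findtext("row/source_ip"),
                         int(rec.findtext("row/count")), dkim, spf))
    return rows

# Constructed sample: first record shaped like the report above, second passing.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>1</count>
<policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>192.0.2.20</source_ip><count>4</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def make_sample_zip(name="linkedin.com!yours.com!1440460800!1440547200.xml"):
    """Pack SAMPLE_XML as a one-member zip (constructed member name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, SAMPLE_XML)
    return buf.getvalue()

if __name__ == "__main__":
    print(failing_rows(read_report_xml(make_sample_zip())))
```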
 
Fix

For anyone else wondering how to fix this issue, here's my solution.

I removed the "com" file extension from the system_filter.exim lines of rejected files (there are two lines). I am receiving the reports from Google now.

Weird thing is that the attachment is in zip format, not com! The zip contains XML. This should be Exim's fault for some reason.
 
Found this older topic because I am facing the same issues;
DMARC emails from Google become stuck/frozen in the mail queue.

Anyone else having this?
 
I don't think I'm the only one having these issues therefore I expect there would be a better way to deal with this by now, instead of everyone having to manually edit their Exim-conf.
 
Hello,

There is a possible solution. Let's say you have [email protected] to which you want to receive reports, so you need to add

Code:
if "$h_to:, $h_cc:" contains [email protected]
then
    headers add "X-System-Filter: yeh"
    finish
endif

into /etc/system_filter.exim after lines:

Code:
## The install notes are not a replacement for the exim documentation
## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

before

Code:
## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the

Be careful if you use your personal email address here as no filtering of attachments will be done to delivery emails into it after you modify /etc/system_filter.exim.
 
Based on the idea and code from Alex, I added this code in my /etc/system_filter.exim:

Code:
if $header_from: contains "[email protected]"
then
  finish
endif

Incoming DMARC reports from Google will now pass the filter and will be normally delivered.
Thanx to all you guys pointing me in the right direction.
 
A long time ago in a dmarc group / test forum.

They fall over me pointing this out.

They told me yes but a .com scanning and blocking is a very old way and so more blabla for security and antivirus you have much better ways.
I think that time some guys from Google or DMARC were not amused I asked them to change the .zip (.com name in it) and so.
I made it the easy way: removed the .com part out of the blocking.

(Yep, sending .com virus is old, and so most (I hope all) of the email client antivirus and/or browsers have warnings / removing them if a real one comes through the other security measures.)
 
I have the same problem and will add the code that is posted by Alex/rob.

I was also searching and found this.

https://forums.cpanel.net/threads/exim-blocking-dmarc-reports-from-gmail.550741/

It's the same thing, but not sure if it also applies to DirectAdmin/Exim.

Also, as it reads there, one can receive the reports from Hotmail but not Google because Google adds the "" (if I understand correctly).

The Exim system filter for malicious file types could falsely flag unquoted names that contained a Windows extension somewhere in them. For example, "google.com.zip" would be flagged because it matched the pattern for ".com" (a DOS executable type). If the text is not in quotation marks, anchor it on whitespace, a semicolon, or a line break.

Can't that be fixed instead of this workaround? Then it should be fixed for everyone?
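
The false positive described in the quoted changelog entry, reproduced as an added example (not code from this thread, Exim, DirectAdmin or cPanel). The patterns are simplified stand-ins for the filter's rules with a shortened extension list, both assumptions; the first sample header uses the attachment name posted earlier in the thread.

```python
import re

# Shortened extension list (assumption); a real filter lists many more.
EXT = r"(?:bat|cmd|com|exe|pif|scr|vbs)"

# Loose rule for unquoted names: any run of non-space characters that
# reaches a blocked extension, with nothing required after it.
LOOSE = re.compile(r'(?:file)?name=(\S+\.' + EXT + r')', re.I)

# Anchored rules: a quoted name must end with the extension before the quote,
QUOTED = re.compile(r'(?:file)?name=("[^"]+\.' + EXT + r'")', re.I)
# an unquoted one must be followed by whitespace, a semicolon or the end.
UNQUOTED = re.compile(r'(?:file)?name=([^"\s;]+\.' + EXT + r')(?=[\s;]|$)', re.I)

def loose_match(content_type):
    """Return the text the loose rule flags, or None."""
    m = LOOSE.search(content_type)
    return m.group(1) if m else None

def anchored_match(content_type):
    """Return the text the anchored rules flag, or None."""
    m = QUOTED.search(content_type) or UNQUOTED.search(content_type)
    return m.group(1) if m else None

# Constructed Content-Type values for illustration.
SAMPLES = {
    "gmail_report": 'application/zip;\n name="google.com!thedomain.com!1440115200!1440201599.zip"',
    "quoted_exe": 'application/octet-stream; name="invoice.pdf.exe"',
    "unquoted_com": "application/octet-stream; name=setup.com; charset=x",
    "unquoted_zip": "application/zip; name=example.com!report.zip",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:13} loose={loose_match(header)!r} anchored={anchored_match(header)!r}")
```

The loose rule treats the opening quote as part of an unquoted name and stops at the first blocked extension it can reach, which is why the bounce earlier in the thread names `"google.com` rather than the full file name.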
 
I don't know which workaround you're talking about, but I used this one in /etc/exim.easy_spamfighter

Then edit exim_check_attachment.sh
change:
Code:
egrep -i '[.](bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|zip)$' | \
to
Code:
egrep -i '[.](bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url)$' | \
and restart exim.

If you chattr the file, it won't be overwritten by updates.

For the moment I don't know a better solution, but hopefully there will be.
 
well i did this.

Based on the idea and code from Alex, I added this code in my /etc/system_filter.exim:

Code:
if $header_from: contains "[email protected]"
then
  finish
endif

Incoming DMARC reports from Google will now pass the filter and will be normally delivered.
Thanx to all you guys pointing me in the right direction.

Not sure yet if it works; I will get the mail again tomorrow.

But removing the zip extension from the list is a kind of workaround for me.

But I do hope there will be a real fix for this.
 
But removing the zip extension from the list is a kind of workaround for me.
The solution you choose is great if you want to keep scanning inside archives.
But .rar scanning is not done, so scanning inside zip has only half the effect (or less).
In my case it had more reasons, not only for Google, but also to have my customers send files which might be false alerts packed with zip. Also .exe files being installation files or self-extractable archives got refused. That's why I chose to disable scanning from within archives. Fixed 2 things with the same edit.
So it all depends a little on what one wants to achieve.
 
I would also do it that way, I guess, if I had that problem.

With adding the email to /etc/system_filter.exim I got the email from Google in my spam box.
50 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
-7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list

so that is all good now :)
 