Dovecot + Exim + Sieve -> DMARC policy Error

gilbert

Hello,
I have a problem with sieve vacation.
The out-of-office reply is (often) rejected because it does not comply with DMARC or DKIM rules.
My MX Server has a RedHat 9.6 OS with Exim 4.98.2 (Epel Repos) and Dovecot 2.3.16 (Red Hat Repos).

It seems to be the same problem solved in this post https://forum.directadmin.com/threads/update-to-latest-dovecot-fail-to-start.72919/#post-384496
Unfortunately, it doesn't work the same way.
If I leave
Code:
sieve_vacation_send_from_recipient = no
Sieve tries to send the email with User <>
Code:
<= <> U=vmail P=local S=811 id=dovecot-sieve-1758110008-409730-0@hostname
Here is the complete error in exim.log
Code:
1uyqiu-00000001UQj-FjW7 <= [email protected] U=exim P=spamd S=3679 id=CA+TmJzWPrT1AhMZNfUS3uS03gpiXLMdEN7jzTCA=oaME2HusMQ@mail.gmail.com
1uyqj2-00000001UR3-FZoY <= <> U=vmail P=local S=811 id=dovecot-sieve-1758110008-409730-0@hostname
1uyqiu-00000001UQj-FjW7 => account<[email protected]> R=local T=spam_local
1uyqiu-00000001UQj-FjW7 Completed
1uyqit-00000001UQN-GMCp => account<[email protected]> R=spam_check T=spam_check
1uyqit-00000001UQN-GMCp Completed
1uyqj2-00000001UR3-FZoY H=gmail-smtp-in.l.google.com [2a00:1450:400c:c1d::1a]: SMTP timeout after initial connection: Connection timed out
1uyqj2-00000001UR3-FZoY ** [email protected] R=remote T=remote H=gmail-smtp-in.l.google.com [142.251.168.26] I=[xxx.xxx.xxx.xxx] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes DN="/CN=mx.google.com": SMTP error from remote mail server after pipelined end of data: 550-5.7.26 Unauthenticated email from mailing-test.li is not accepted due to\n550-5.7.26 domain's DMARC policy. Please contact the administrator of\n550-5.7.26 mailing-test.li domain if this was a legitimate mail. To learn about\n550-5.7.26 the DMARC initiative, go to\n550 5.7.26  https://support.google.com/mail/?p=DmarcRejection 5b1f17b1804b1-46137d04086si16968885e9.24 - gsmtp
If, on the other hand, I set
Code:
sieve_vacation_send_from_recipient = yes
the user in the log is [email protected]
Code:
<= account@hostname U=vmail P=local S=856 id=dovecot-sieve-1758104493-152507-0@hostname
Here is the complete error
Code:
1uypHz-00000001TWr-Elxn <= [email protected] H=mail-vk1-f171.google.com [209.85.221.171] I=[xxx.xxx.xxx.xxx]:25 P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no SNI=mx.mailing-test.li S=3213 DKIM=gmail.com id=CA+TmJzUZu2w3s7wSZ6J9ba7ebyQ26ghiN19F=w4DTu3j7A8cjQ@mail.gmail.com
1uypHz-00000001TXC-GdKb <= [email protected] U=exim P=spamd S=3684 id=CA+TmJzUZu2w3s7wSZ6J9ba7ebyQ26ghiN19F=w4DTu3j7A8cjQ@mail.gmail.com
1uypI5-00000001TXV-F2Zk <= account@hostname U=vmail P=local S=856 id=dovecot-sieve-1758104493-152507-0@hostname
1uypHz-00000001TXC-GdKb => account<[email protected]> R=local T=spam_local
1uypHz-00000001TXC-GdKb Completed
1uypHz-00000001TWr-Elxn => account<[email protected]> R=spam_check T=spam_check
1uypHz-00000001TWr-Elxn Completed
1uypI5-00000001TXV-F2Zk ** [email protected] R=remote T=remote H=gmail-smtp-in.l.google.com [142.250.101.27] I=[xxx.xxx.xxx.xxx] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes DN="/CN=mx.google.com": SMTP error from remote mail server after pipelined end of data: 550-5.7.26 Unauthenticated email from domain.com is not accepted due to\n550-5.7.26 domain's DMARC policy. Please contact the administrator of\n550-5.7.26 domain.com domain if this was a legitimate mail. To learn about\n550-5.7.26 the DMARC initiative, go to\n550 5.7.26  https://support.google.com/mail/?p=DmarcRejection 98e67ed59e1d1-32ed9caf4d2si1182734a91.65 - gsmtp
1uypI7-00000001TXb-Fms8 <= <> R=1uypI5-00000001TXV-F2Zk U=exim P=local S=3206
1uypI5-00000001TXV-F2Zk Completed
1uypI7-00000001TXb-Fms8 ** [email protected]: Unrouteable address
1uypI7-00000001TXb-Fms8 Frozen (delivery error message)
Sieve puts the Linux account@hostname as the sender (instead of account@domain), and the email is still rejected by the serious Mail Server.

But my impression is that the exim daemon is working correctly, because emails are being received and sent.
But when sieve tries to send an email (triggered by vacation), it uses the sendmail command incorrectly.
Any ideas?
 
Hello,

What part does the domain mailing-test.li play in this story? I see Gmail rejects an email from the domain, as its DMARC policy is violated.
 
mailing-test.li = domain.com :)

The DMARC policy has been violated because when SMTP opens the connection to the Gmail mail server and performs EHLO, the MAIL FROM: field shows <> or username@hostname (i.e., the Linux user and the server's FQDN).
My impression is that when Sieve runs Exim to send the out-of-office message, it does not pass the mail account correctly (either nothing passes <> or the Linux user passes, depending on the value set for sieve_vacation_send_from_recipient).
I also tried to open the lda debug, but it says it calls sendmail. I cannot find the exact command that is executed.
 
I just tested on my end, and I got:

Code:
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass
 [email protected] header.s=x header.b=B2UgW2vX; spf=pass
 (google.com: domain of [email protected] designates
 2a01:2228:abbbc:3e:: as permitted sender) smtp.helo=server.domain.com;
 dmarc=fail (p=QUARANTINE sp=NONE dis=QUARANTINE) header.from=another-domain.com
Return-Path: <>

An email is sent by the Sieve filter on behalf of my email, but [email protected] is used

- smtp.helo=server.domain.com
- spf=pass
- dmarc=fail
- header.from=another-domain.com
- Return-Path: <>

In my case DMARC fails here too. But both the hostname and the user's domain have correct DKIM, SPF, rDNS, etc.

It probably happens because the Return-Path header domain doesn't match the From domain.

Check it out: https://postmarkapp.com/blog/forwarding-emails-dmarc-failure
 
My server has a public IP that responds to serverx.myserver.com, but the email domain is example.com and the email should be sent from [email protected] or at least from [email protected].
 
It is working fine for me if I update "Reply sender address" to match my hostname, i.e.

Code:
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass
 [email protected] header.s=x header.b=rnixMi2N; spf=pass
 (google.com: domain of [email protected] designates
 2a01:2228:abbbc:3e:: as permitted sender) smtp.helo=server.domain.com;
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=server.domain.com
Return-Path: <>

- spf=pass
- smtp.helo=server.domain.com;
- dmarc=pass
- header.from=server.domain.com
- Return-Path: <>

But of course the reply-to in such an email is set to another address. And it is probably not what you want. But at least it's working.



For DMARC to pass, the following conditions should match:

1. valid DKIM
2. valid SPF
3. domain in FROM matches the hostname from which an email is sent
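
Added example, not part of the thread and not code from Dovecot, Exim or Gmail: a simplified DMARC identifier-alignment check (RFC 7489) run over the two Authentication-Results cases posted above, plus one constructed case where the DKIM signing domain matches the From domain. Assumptions: the DKIM d= domain is taken to be server.domain.com (the thread only shows an obfuscated header.i), local parts are constructed, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
# Added example: simplified DMARC alignment evaluation (RFC 7489).
# Assumption: organizational domain = last two labels (real evaluators use the PSL).

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def spf_identity(mail_from, helo):
    """Domain that SPF authenticates: MAIL FROM, or HELO when the sender is null (<>)."""
    if mail_from in ("", "<>"):
        return helo
    return mail_from.strip("<>").rsplit("@", 1)[-1]

def dmarc_result(header_from, mail_from, helo, spf, dkim,
                 aspf_strict=False, adkim_strict=False):
    """dkim is a list of (d= domain, result) pairs. Returns (verdict, reasons)."""
    from_domain = header_from.rsplit("@", 1)[-1]
    spf_dom = spf_identity(mail_from, helo)
    spf_ok = spf == "pass" and aligned(spf_dom, from_domain, aspf_strict)
    reasons = [f"spf={spf} identity={spf_dom} counts_for_dmarc={spf_ok}"]
    dkim_ok = False
    for d, result in dkim:
        ok = result == "pass" and aligned(d, from_domain, adkim_strict)
        reasons.append(f"dkim={result} d={d} counts_for_dmarc={ok}")
        dkim_ok = dkim_ok or ok
    # DMARC passes when at least one mechanism both passes and aligns with From.
    return ("pass" if spf_ok or dkim_ok else "fail"), reasons

# Constructed cases modelled on the headers in the thread (null Return-Path each time).
CASES = {
    "From in user domain, signed by hostname":
        ("user@another-domain.com", "<>", "server.domain.com", "pass",
         [("server.domain.com", "pass")]),
    "From rewritten to hostname":
        ("user@server.domain.com", "<>", "server.domain.com", "pass",
         [("server.domain.com", "pass")]),
    "From in user domain, signed by user domain (constructed)":
        ("user@another-domain.com", "<>", "server.domain.com", "pass",
         [("another-domain.com", "pass")]),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        verdict, reasons = dmarc_result(*args)
        print(f"{name}: dmarc={verdict}")
        for r in reasons:
            print("   ", r)
```

With a null Return-Path, SPF and DKIM can both report pass for the hostname and DMARC still fails, because neither authenticated domain shares an organizational domain with the From header.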
 