Problem with system messages on 1 server to Google (quarantine)

Richard G

Verified User
Joined: Jul 6, 2008
Messages: 14,906
Location: Maastricht
Okay, I'm fed up now. System messages from one server do not give any issues in the Google reports: disposition "none" and the rest passes.

On the other server, they go into quarantine every time, which is odd because I set up the servers the same way, but I can't find the issue or I'm looking past it.

Result from server 1, which is working as desired:
Code:
<feedback>
  <policy_published>
    <domain>mydomain.nl</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>reject</sp>
    <pct>100</pct>
    <np>reject</np>
  </policy_published>
  <record>
    <row>
      <source_ip>2a01:xxx:xxx:xxx::2</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mycompany.nl</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mycompany.nl</domain>
        <result>pass</result>
        <selector>x</selector>
      </dkim>
      <spf>
        <domain>mycompany.nl</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2a01:xxx:xxx:xxx::2</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mycompany.nl</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>server1.firstserver.nl</domain>
        <result>pass</result>
        <selector>x</selector>
      </dkim>
      <spf>
        <domain>server1.firstserver.nl</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

So a disposition of "none" and mail gets through.

However, on server 2 this is not happening and I can't figure out why; I even changed the creator of my domain from the other admin to admin, no change.

So this is happening on server 2 and it's also a lot shorter than on server 1:
Code:
<feedback>
  <policy_published>
    <domain>my-company.nl</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>reject</sp>
    <pct>100</pct>
    <np>reject</np>
  </policy_published>
  <record>
    <row>
      <source_ip>2a01:xxxx:xxx:xxx:xxx:2</source_ip>
      <count>3</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>my-company.nl</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>server2.seconddomain.nl</domain>
        <result>pass</result>
        <selector>x</selector>
      </dkim>
      <spf>
        <domain>server2.seconddomain.nl</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

As you can see, the disposition is quarantine.

The difference I can see is the "domain". On server 1, mydomain.nl is correctly used. On server 2, the hostname is used as the domain.
I don't remember if I made an adjustment somewhere to make this happen; otherwise I don't know where to look anymore.

NB: This is a reseller domain on both servers. I do have admin access, so I can change whatever I want and wherever I want. But as far as I know I have set up things the same way. The names mycompany.nl and my-company.nl are masked but correct; there is a dash in the name on the second server.

Both hostnames and domains from hostnames do not have any DMARC records. Tried removing those which were present, but did not make a difference.

Does anybody have a clue why on server 2 the hostname is used as the domain instead of my company domain? I did not make any custom Exim changes for this as far as I remember.
 
The report says that the mail states it's from [email protected] and it's sent from server2.seconddomain.nl. This actually only proves that:

- server2.seconddomain.nl is authorized to send mail due to SPF.
- server2.seconddomain.nl has signed the message.

Both are true and pass.

But server2.seconddomain.nl is not my-company.nl, so DMARC's alignment fails and it gets quarantined (p=quar....).

A shitty, temporary solution to prevent quarantine is to set p=none in the DMARC record.

But you literally have two domains and IIRC you can't get DMARC to pass that.

mailheader from: my-company.nl
dkim: server2.seconddomain.nl
spf: server2.seconddomain.nl

Just rename server2.seconddomain.nl to server2.my-company.nl
and use a DMARC record like: _dmarc.my-company.nl. ... p=quarantine; adkim=s; aspf=s
If you just want to get the mail out of quarantine, set p=none.

No real happy joy joy solution, I guess :/
 
But server2.seconddomain.nl is not my-company.nl, so DMARC's alignment fails and it gets quarantined (p=quar....).
Yes, so why does that not happen on server 1 then? Because there it's exactly the same.

I'm wondering about these lines because these are causing the issue:
Server 1:
<dkim>
<domain>mycompany.nl</domain>

Server 2:
<dkim>
<domain>server2.seconddomain.nl</domain>

So why is server 2 using the hostname here and not the my-company.nl domain name?

Just rename server2.seconddomain.nl to server2.my-company.nl.
Not an option, as my accounts are reseller accounts, seconddomain.nl and primarydomain.nl are both admin domains, and the hostnames are separate DNS entries.

I have it the same on both servers but do not understand why on server 2 my domain (or probably any customer's domain) is not used, while this does work correctly on server 1.
 
I'm kinda too tipsy for this now, but...

The difference is that server 1 is not doing the same thing for the messages.
On server 1 you have at least one message where header_from / dkim / spf = mycompany.nl, so DMARC is happy.
There is a second record where from = mycompany.nl but dkim / spf = server1.firstserver.nl.
That one gets quarantine too, same as server 2.

I kinda think it has something to do with 'primary_hostname' somewhere in the Exim config. Use a DA ticket? :)
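The two replies above boil down to one rule: Google does not grade a record on the raw DKIM/SPF result in auth_results, but on whether the passing domain is aligned with the header From domain. The script below is an added example (not code from this thread or from DirectAdmin) that reads a DMARC aggregate report and reproduces that verdict per record, using a constructed sample modelled on the server 1 report: one record signed for mycompany.nl and one signed for the hostname server1.firstserver.nl. The organizational-domain lookup is a simplification (last two labels rather than the Public Suffix List), which is an assumption of this example and is fine for plain .nl domains.

```python
"""Added example (not part of this thread): read a DMARC aggregate report and
work out, per record, why the reporter set the disposition it did.

Alignment follows RFC 7489: in relaxed mode (adkim=r / aspf=r) the DKIM d= or
SPF domain only has to share the organizational domain with the header From
domain; in strict mode (adkim=s / aspf=s) it must match exactly.
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the server 1 report in the thread. The
# source IP is a documentation address, not a real server.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>mycompany.nl</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2001:db8::2</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>mycompany.nl</header_from></identifiers>
    <auth_results>
      <dkim><domain>mycompany.nl</domain><result>pass</result><selector>x</selector></dkim>
      <spf><domain>mycompany.nl</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2001:db8::2</source_ip><count>2</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>mycompany.nl</header_from></identifiers>
    <auth_results>
      <dkim><domain>server1.firstserver.nl</domain><result>pass</result><selector>x</selector></dkim>
      <spf><domain>server1.firstserver.nl</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(name: str) -> str:
    """Simplified organizational domain: the last two labels (assumption;
    a real implementation consults the Public Suffix List)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment; mode is 'r' (relaxed) or 's' (strict)."""
    hf, ad = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return org_domain(hf) == org_domain(ad)


def evaluate(report_xml: str) -> list:
    """Return one dict per <record> with the aligned DKIM/SPF verdicts, the
    overall DMARC result and the disposition the published policy implies."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")
    aspf = pol.findtext("aspf", "r")
    policy = pol.findtext("p", "none")
    results = []
    for rec in root.findall("record"):
        hf = rec.findtext("identifiers/header_from")
        # A raw "pass" only counts when the passing domain is aligned with
        # the header From domain; that is the check the thread is missing.
        dkim_ok = any(d.findtext("result") == "pass"
                      and aligned(hf, d.findtext("domain"), adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass"
                     and aligned(hf, s.findtext("domain"), aspf)
                     for s in rec.findall("auth_results/spf"))
        dmarc_pass = dkim_ok or spf_ok
        results.append({
            "header_from": hf,
            "count": int(rec.findtext("row/count")),
            "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok,
            "dmarc": "pass" if dmarc_pass else "fail",
            "expected_disposition": "none" if dmarc_pass else policy,
            "reported_disposition": rec.findtext("row/policy_evaluated/disposition"),
        })
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_REPORT):
        print(r)
```

Run against a real report, any record where expected_disposition differs from reported_disposition points at something this simplified model does not cover (pct sampling, a Public Suffix List quirk, local policy overrides); where they agree, the dkim_aligned/spf_aligned fields tell you which identifier needs to carry the From domain. The aligned() helper also shows the difference between the two modes: a hostname under the From domain such as server2.my-company.nl aligns with my-company.nl in relaxed mode but not in strict mode, while server2.seconddomain.nl aligns in neither.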
 
There is a second record where from = mycompany.nl but dkim / spf = server1.firstserver.nl.
Hold on, the second one is my-company.nl with a dash in between (so a hyphen in the name); these are different domain names.

When looking at the reports, both servers use the correct header-from, so that is correct.
But it fails after that, where server 1 is using "domain mycompany.nl" and server 2 is using "domain server2.seconddomain.nl", so the hostname instead of the domain name.

And I can't find where that is coming from. Maybe @mxroute has an idea how this is possible?

I know in the old days on forums you could use the -f parameter in scripts so they would use the domain name rather than the hostname.
But this is not a script, it's DA's backup function, just system messages.
 