Received spam spoofed from the domain is signed by opendkim, spf=pass by opendmarc

Tags: email, opendkim, postfix, spam

I've configured postfix with opendkim and opendmarc. Outgoing mail is signed correctly, and incoming mail appears to be validated (dkim, spf, dmarc) with one notable exception – anyone can connect to postfix on 25, send mail from fake@mydomain.com to me@mydomain.com, and it's delivered without question.

Logs from an example message:

postfix/smtpd[10275]: 934533DA0157: client=60-241-c-d.tpgi.com.au[60.241.c.d]
postfix/cleanup[14306]: 934533DA0157: message-id=<05846311.653A4BF8@mydomain.com>
opendkim[16729]: 934533DA0157: 60-241-c-d.tpgi.com.au [60.241.c.d] not internal
opendkim[16729]: 934533DA0157: not authenticated
opendkim[16729]: 934533DA0157: external host 60-241-c-d.tpgi.com.au attempted to send as mydomain.com
opendkim[16729]: 934533DA0157: no signature data
opendmarc[32220]: implicit authentication service: host.mydomain.com
opendmarc[32220]: 934533DA0157: mydomain.com fail
postfix/qmgr[22948]: 934533DA0157: from=<accounting@mydomain.com>, size=287090, nrcpt=2 (queue active)
postfix/smtpd[10275]: disconnect from 60-241-c-d.tpgi.com.au[60.241.c.d]
postfix/pipe[14316]: 934533DA0157: to=<techsupport@mydomain.com>, relay=spamassassin, delay=7.6, delays=4.3/0.01/0/3.2, dsn=2.0.0, status=sent (delivered via spamassassin service)

Abridged delivered headers:

Return-Path: <accounting@mydomain.com>
Delivered-To: techsupport@mydomain.com
Received: by host.mydomain.com (Postfix, from userid 987)
    id D89DD3DA023E; Thu,  8 Sep 2016 14:58:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com;
    s=host; [...]
Received: from mydomain.com (60-241-c-d.tpgi.com.au [60.241.c.d])
    by host.mydomain.com (Postfix) with SMTP id 934533DA0157
    for <techsupport@mydomain.com>; Thu,  8 Sep 2016 14:58:48 +0000 (UTC)
Authentication-Results: host.mydomain.com; dmarc=fail header.from=mydomain.com
Authentication-Results: host.mydomain.com; spf=pass smtp.mailfrom=accounting@mydomain.com
Message-ID: <05846311.653A4BF8@mydomain.com>
Date: Fri, 09 Sep 2016 00:54:26 +1000
From: "accounting@mydomain.com" <accounting@mydomain.com>
To: <techsupport@mydomain.com>

SPF record – A and MX contain only IPs I control. Redundancy deliberate.

mydomain.com. 600 IN TXT "v=spf1 +a +mx +ip4:myrelay1 +ip4:myrelay2 -all"

opendkim.conf

Mode    sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
Socket  local:/var/run/opendkim/opendkim.sock
SendReports     yes
ReportAddress   "Xyz Postmaster" <postmaster@mydomain.com>
SoftwareHeader  no
Canonicalization        relaxed/relaxed
Domain  mydomain.com
Selector        host
MinimumKeyBits  1024
KeyFile /etc/opendkim/keys/host.private
InternalHosts   refile:/etc/opendkim/TrustedHosts # contains 127.0.0.1 and ::1
OversignHeaders From
QueryCache      yes

opendmarc.conf

FailureReports true
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts # contains 127.0.0.1 and ::1
Socket local:/var/run/opendmarc/opendmarc.sock
SoftwareHeader false
SPFIgnoreResults true
SPFSelfValidate true
Syslog true

postfix main.cf

mynetworks_style = host
myorigin = $mydomain
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock, unix:/var/run/opendmarc/opendmarc.sock
smtp_header_checks = regexp:/etc/postfix/submission_header_checks
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 TLSv1 TLSv1.1 TLSv1.2
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_milters = unix:/var/run/opendkim/opendkim.sock, unix:/var/run/opendmarc/opendmarc.sock
# rbl_override_whitelist OKs 127.0.0.1 and ::1
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unknown_sender_domain reject_unauth_pipelining check_client_access hash:/etc/postfix/rbl_override_whitelist
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot

Despite the "external host attempted to send as mydomain.com" log entry, opendkim signed the message, then opendmarc decided spf passed.

After a day of reading the opendkim and opendmarc documentation and source I'm nearly convinced these are bugs in opendkim and opendmarc, but am holding out hope it's user error.

What do I need to do to prevent opendkim from signing incoming mail marked as from mydomain.com? And to troubleshoot or fix opendmarc deciding spf=pass?

Best Answer

Despite the fact the mail was from an external source, the accepted return path is internal. It also appears the external host used your domain in its HELO command.

Return-Path: <accounting@mydomain.com>
Received: from mydomain.com (60-241-c-d.tpgi.com.au [60.241.c.d])
    by host.mydomain.com (Postfix) with SMTP id 934533DA0157
    for <techsupport@mydomain.com>; Thu,  8 Sep 2016 14:58:48 +0000 (UTC)

The message should have been rejected based on the domain in the return path and/or the domain in the HELO command. Try to configure your server to reject mail based on these factors. I would consider accepting the message to be a configuration issue for the mail server.

I believe OpenDKIM behaved correctly signing a message from a local address despite the external IP address. This would be the behavior if you had authenticated from the internet before sending.
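A worked Postfix configuration for the rejection the answer recommends, added here by the editor; it is not configuration from the question or the answer. Two facts from the posted material drive it. First, the Return-Path is `accounting@mydomain.com` and the Received line shows the client greeted with `HELO mydomain.com`, so both the sender domain and the HELO name are local names presented by an unauthenticated outside host. Second, in the delivered headers the DKIM-Signature sits above `Received: by host.mydomain.com (Postfix, from userid 987) id D89DD3DA023E`, a second queue ID that follows the `relay=spamassassin` pipe delivery in the log; headers are prepended, so the signature was added when the filtered message was re-submitted locally through `non_smtpd_milters`, not on the port-25 connection where opendkim logged "not internal" and "no signature data". The example therefore rejects forged sender/HELO at SMTP time and, as a separate measure, moves content-filter re-injection onto a listener with milters disabled. `mydomain.com`, `host.mydomain.com`, `mail.mydomain.com`, the map paths and port 10025 are placeholders; the re-injection listener assumes the spamassassin wrapper can be pointed at it over SMTP (FILTER_README style) instead of re-submitting via sendmail(1).

```conf
# Example added by the editor; not configuration from the question or the answer.
# Placeholders: mydomain.com, host.mydomain.com, mail.mydomain.com, the access map
# paths and the re-injection port 10025. Adjust to the real deployment.

# ---- /etc/postfix/main.cf ---------------------------------------------------
# Require a HELO/EHLO and reject clients that greet with one of our own names
# unless they are local or SASL-authenticated.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access hash:/etc/postfix/helo_access
    permit

# Reject MAIL FROM in our domain from anyone who is neither local nor authenticated.
# check_sender_access is queried with the full address first, then the domain
# (and parent domains per parent_domain_matches_subdomains), so a single domain
# key covers every mailbox in it.
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/sender_access
    reject_unknown_sender_domain
    permit

# smtpd_recipient_restrictions from the question is left unchanged. With the default
# smtpd_delay_reject = yes all lists are evaluated at RCPT TO, in the order
# client, helo, sender, recipient, so a forged HELO or MAIL FROM is refused before
# the message is accepted and before any milter sees it.

# ---- /etc/postfix/helo_access  (then run: postmap /etc/postfix/helo_access) ---
# Only our own hosts legitimately identify as these names.
mydomain.com        REJECT Forged HELO: you are not mydomain.com
host.mydomain.com   REJECT Forged HELO: you are not host.mydomain.com
mail.mydomain.com   REJECT Forged HELO: you are not mail.mydomain.com

# ---- /etc/postfix/sender_access  (then run: postmap /etc/postfix/sender_access)
# Any outside relay that legitimately sends with this envelope domain must be
# permitted earlier (permit_mynetworks or a check_client_access OK entry); the
# SPF record in the question lists only relays the poster controls, so none here.
mydomain.com        REJECT Unauthenticated senders may not use mydomain.com

# ---- /etc/postfix/master.cf -------------------------------------------------
# Re-injection listener for the content filter (the FILTER_README pattern).
# Mail coming back from spamassassin enters here instead of via sendmail(1)/pickup,
# so neither opendkim nor opendmarc runs a second time on already-received mail
# and incoming messages cannot pick up a d=mydomain.com signature on the way out.
# Assumption: the spamassassin wrapper is changed to re-submit via SMTP to this port.
127.0.0.1:10025 inet n  -  n  -  -  smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_milters=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

After `postmap` on both maps and `postfix reload`, verify from an outside host: an unauthenticated session on port 25 that sends `HELO mydomain.com` or `MAIL FROM:<anything@mydomain.com>` should be refused at RCPT TO with a 554 (the default `access_map_reject_code`) and the reject reason should appear in the smtpd log; a STARTTLS plus SASL session from a real user is unaffected because `permit_sasl_authenticated` precedes both checks. Note that the HELO check catches only clients that greet with your names; the sender check is the one that closes the spoof in the question, and the re-injection listener is what stops a message that does get accepted from being signed as if it had originated locally.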