I'm having a number of issues with Postfix and mail sent being rejected or put in the spam/junk folder.
I am trying to send emails on behalf of a number of my customers. I've got a Postfix server set up and running, DKIM configured (OpenDKIM) and seemingly working properly (for the most part at least; verified with the port25 verifier, sent several test emails to test accounts and checked the authentication headers), SPF and rDNS are set up properly, and so on. Who this server sends on behalf of can change frequently, so I've got bash scripts that generate, verify, and configure DKIM for a new domain with OpenDKIM dynamically. This seems to work very well. I am also modifying the Return-Path and Sender addresses to be a VERP address that goes to a mailbox I've set up for bounce, complaint, and reject processing. This works smoothly as well.
DKIM passes on the port25 verifier, the elandsys verifier, Gmail, and several others. But it fails with AOL. I keep getting a body hash failure, but everywhere else says the body hash passes. I set up a new AOL account to double check and now I'm getting a "521 5.2.1 : AOL will not accept delivery of this message" reject from AOL.
Emails to Outlook/MSN/Hotmail accounts go to the junk folder.
I would also like to sign outgoing emails from domains that don't have DKIM verified with my mail domain's DKIM. I've seen this done by providers such as Mandrill (please see below). After configuring this in Postfix, the result was not positive. The deliverability of the emails actually dropped drastically.
Delivered-To: replaced@replaced.com
Received: by 10.55.161.141 with SMTP id k135csp1830148qke;
Tue, 26 Apr 2016 20:47:00 -0700 (PDT)
X-Received: by 10.37.106.85 with SMTP id f82mr3485368ybc.108.1461728820068;
Tue, 26 Apr 2016 20:47:00 -0700 (PDT)
Return-Path: <bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com>
Received: from mail132-12.atl131.mandrillapp.com (mail132-12.atl131.mandrillapp.com. [198.2.132.12])
by mx.google.com with ESMTPS id w16si600671ybg.207.2016.04.26.20.46.59
for <replaced@replaced.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Tue, 26 Apr 2016 20:47:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com designates 198.2.132.12 as permitted sender) client-ip=198.2.132.12;
Authentication-Results: mx.google.com;
dkim=pass header.i=@mail132-12.atl131.mandrillapp.com;
dkim=pass header.i=@mandrillapp.com;
spf=pass (google.com: domain of bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com designates 198.2.132.12 as permitted sender) smtp.mailfrom=bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=mail132-12.atl131.mandrillapp.com;
h=From:Sender:Subject:Reply-To:To:Message-Id:Date:MIME-Version:Content-Type; i=brandon.pugh@mail132-12.atl131.mandrillapp.com;
bh=8PvyG5n9j+Ss5LkEFRDfDyq0HKE=;
b=R0+W6T3QnIZ6BiLyJ7dkxJAKeX3lPwuIb5J+t+HXfUgyuIZGXVDpcaPUxUsnZr7Vj8W/hen2AxXT
Ul9Fyr7kT1BJFebk+Q/lZKQOoD+TRjx6acbqxZtih581bpQUXlLfGvsu6IBAu87T6Bo2TYKimeu6
ZVwDkQneY8kcB5/40HY=
Received: from pmta02.mandrill.prod.atl01.rsglab.com (127.0.0.1) by mail132-12.atl131.mandrillapp.com id h40r381sar81 for <jacob.ralph@diamondprofilellc.com>; Wed, 27 Apr 2016 03:46:59 +0000 (envelope-from <bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1461728819; h=From :
Sender : Subject : Reply-To : To : Message-Id : Date : MIME-Version :
Content-Type : From : Subject : Date : X-Mandrill-User :
List-Unsubscribe; bh=ZrtQq9DGePbIoMTLPLNJf1+1+NGpBrWl294/n54mrko=;
b=mKtUK27sdir1yIoMUKzddEFOZN6CD6CSpl3V42N+n4st78OHYeaE1BDraVhuIvctg5r6uk
5dh6vcGh40AcvyZKSkWBecqESP0kKQKKhbR7Oidlef9dP7PYZ11CLQ1DxbsAUP0IOUtUu7dW
SrGTmkbnIAv+9hPgB/JdUgHt+SISk=
From: Replaced Sender <sender_replaced@replaced.com>
Sender: Replaced Sender <replaced.sender@mail132-12.atl131.mandrillapp.com>
Subject: test 3
Return-Path: <bounce-md_30132259.57203633.v1-c38c577effa341359e850867904fed55@mandrillapp.com>
Received: from [52.2.104.2] by mandrillapp.com id c38c577effa341359e850867904fed55; Wed, 27 Apr 2016 03:46:59 +0000
Reply-To: <sender_replaced@replaced.com>
To: "replaced@replaced.com" <replaced@replaced.com>
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=30132259.c38c577effa341359e850867904fed55
X-Mandrill-User: md_30132259
Message-Id: <30132259.20160427034659.572036335eb949.06765010@mail132-12.atl131.mandrillapp.com>
Date: Wed, 27 Apr 2016 03:46:59 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_av-P_hw6r65tO2JheT0wzzGaA"
Keep in mind that I changed the sender and receiver addresses for obvious privacy reasons. Notice how the email has two DKIM signatures, one for the mail server and one for mandrillapp.com. Is this what I need? Also, the "From" and "Reply-To" addresses are not the same as the "Sender" and "Return-Path" headers. Do I need to sign my emails with my mail server's DKIM as well, because my Sender and Return-Path headers are an address at my mail server?
Postfix Config:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = ipv4
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
smtpd_tls_cert_file=/etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file=/etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
myhostname = mail.mailserver.com
mydomain = mailserver.com
myorigin = mailserver.com
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf, regexp:/etc/postfix/regexp-alias.cf
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 20
smtpd_hard_error_limit = 40
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
smtp_destination_concurrency_limit = 2
delay_warning_time = 0h
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
notify_classes = bounce, 2bounce, delay, policy, protocol, resource, software
bounce_notice_recipient = fbl@mailserver.com
2bounce_notice_recipient = fbl@mailserver.com
error_notice_recipient = fbl@mailserver.com
delay_notice_recipient = fbl@mailserver.com
verp_delimiter_filter = +=
smtp_tls_security_level = may
smtp_tls_CAfile=/etc/postfix/ssl/cacert.pem
default_verp_delimiters = +=
Again, keep in mind that the mail server domain has been replaced with "replaced".
Example of DKIM and SPF passing:
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
==========================================================
Details:
==========================================================
HELO hostname: mail.mailserver.com
Source IP: MAIL-SERVER-IP
mail-from: fbl-verb@mailserver.com
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mailfrom=fbl-verp@mailserver.com
DNS record(s):
mailserver.com. SPF (no records)
mailserver.com. 300 IN TXT "v=spf1 mx ptr a:mail.mailserver.com a:smtp.mailserver.com ?all"
mailserver.com. 159 IN MX 0 mail.mailserver.com.
mailserver.com. 159 IN MX 10 smtp.mailserver.com.
mail.cbcrmes.com. 165 IN A MAIL-SERVER-IP
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=sender_replaced@replaced.com
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: pass (matches From: sender_replaced@replaced.com)
ID(s) verified: header.d=replaced.com
Canonicalized Headers:
date:Wed,'20'27'20'Apr'20'2016'20'12:41:21'20'+0000'0D''0A'
from:"sender_replaced"'20'<sender_replaced@replaced.com>'0D''0A'
reply-to:"sender_replaced"'20'<sender_replaced@replaced.com>'0D''0A'
to:check-auth@verifier.port25.com.'0D''0A'
list-unsubscribe::'20'<mailto:fbl-verp@mailserver.com?subject=unsubscribe>,'20'<unsublink.com>'0D''0A'
subject:=?utf-8?Q?test?='0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=replaced.com;'20's=mail;'20't=1461760882;'20'bh=JA4czgWk/3S9Et+7C2mkMVF38CnW0WyK2YaWom9s0J8=;'20'h=Date:From:Reply-To:To:List-Unsubscribe:Subject:From;'20'b=
Canonicalized Body:
CONTENT REPLACED
DNS record(s):
mail._domainkey.replaced.com. 300 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHQ+O0Lu2IOTQvFfguL0U5rMJo1RsVy3ZEP5Dkup/meMRfDYbnaUQL7pIRvBZo7WczgtcYVHI7A0rqwGJXZ8dyo5CC5A+2Kg6WtOTkmMwTPaRtASIX+qsJXe6ZksiOrfllFHbs+zOA1uT6m42VH+5cw4l9MzL75WAeUEy+cElx3QIDAQAB"
Public key used for verification: mail._domainkey.replaced.com (1024 bits)
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result: pass
ID(s) verified: header.Sender=fbl-verp@mailserver.com
DNS record(s):
mailserver.com. SPF (no records)
mailserver.com. 300 IN TXT "v=spf1 mx ptr a:mail.mailserver.com a:smtp.mailserver.com ?all"
mailserver.com. 159 IN MX 0 mail.mailserver.com.
mailserver.com. 159 IN MX 10 smtp.mailserver.com.
mail.mailserver.com. 165 IN A MAIL-SERVER-IP
----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.4.0 (2014-02-07)
Result: ham (0.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
domains are different
-0.0 SPF_PASS SPF: sender matches SPF record
-1.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
1.7 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
2.0 LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short
message
Example of failed DKIM at AOL.com:
Return-Path: <fbl-verp@mailserver.com>
Received: from mail.mailserver.com (mail.mailserver.com [MAIL-SERVER-IP])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mtaig-aaj03.mx.aol.com (Internet Inbound) with ESMTPS id 8994670000095
for <receiver@aol.com>; Wed, 27 Apr 2016 10:40:37 -0400 (EDT)
Received: from anothersubdomain.mailer.com (unknown [ANOTHER-IP])
by mail.mailserver.com (Postfix) with ESMTPA id E209040DC5
for <receiver@aol.com>; Wed, 27 Apr 2016 14:40:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=replaced.com; s=mail; t=1461768035;
bh=xeyQpzG8DUkOjVoBaQKDREDNNMY65POvqFqSduSIYlk=;
h=Date:From:Reply-To:To:List-Unsubscribe:Subject:From;
b=LlYKos9npzLMlbflARsTIe8ryzAU9cMdaseHMAWJQgXgzLg9TT1VB5P5HC7+VBjqt
dgcEoJ3f48XQU11FXjYGt3DG2Z4n7htbJoz113JTOLIynAHEnvT5N3Zk8IaJQhOA17
/EXrYL3X4zBMiE/1xbSmSA/OlgcFBHEavvRnBJ6w=
User-Agent: AGENT-REPLACED
Date: Wed, 27 Apr 2016 14:40:35 +0000
From: "Replaced" <replaced@replaced.com>
Sender: <fbl-verp@mailserver.com>
Reply-To: "Replaced" <replaced@replaced.com>
To: receiver@aol.com
X-FBL: client-5595338668
X-Data: client-5595338668
X-Report-Abuse: Please report abuse here: abuse@mailserver.com
List-Unsubscribe:: <mailto:fbl-verp@mailserver.com?subject=unsubscribe>, <UNSUB-LINK>
Subject: =?utf-8?Q?test?=
X-Sender: replaced@replaced.com
X-Mailer: MAILER-REPLACED
X-Priority: 3 (Normal)
Message-ID: <5720cf63d98bb@mailserver.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="B_ALT_5720cf63d996e"
x-aol-global-disposition: S
X-AOL-SCOLL-AUTHENTICATION: mtaig-aaj03.mx.aol.com ; domain : replaced.com DKIM : fail
Authentication-Results: mx.aol.com;
spf=pass (aol.com: the domain mailserver.com reports MAIL-SERVER-IP as a permitted sender.) smtp.mailfrom=mailserver.com;
dkim=fail (aol.com: Message body hash computation failed verification.) header.d=replaced.com;
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1b03c35720cf6433ad
X-AOL-IP: 52.87.69.25
X-AOL-SPF: domain : mailserver.com SPF : pass
Once again, keep in mind that identifying information has been changed.
I also sent an email to test@allaboutspam.com to get an additional report from another party. All tests passed (rDNS, DKIM, SPF, blacklist checks, greeting check, SpamAssassin check, and greylist check) except for the Bounce Address Tag Validation check, which shouldn't be causing my email to get rejected or bulked.
I've been searching all over for solutions to these problems. None have worked so far. Any suggestions?
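The AOL result above is a body-hash (bh=) mismatch on a signature tagged c=relaxed/simple, where the body part is "simple". The following added example (not from the post, and not OpenDKIM code) implements both RFC 6376 body canonicalizations over constructed sample bodies and shows that whitespace changes in transit break bh= under simple but survive under relaxed.

```python
import base64
import hashlib
import re

# Constructed sample bodies (CRLF line endings, as on the wire); not from the post.
# SIGNED_BODY is what the signer hashed; RECEIVED_BODY is the same text after an
# intermediary trimmed a trailing blank line and touched inline/trailing whitespace.
SIGNED_BODY = b"Hello,\r\n\r\nThis is a test.\r\n\r\n\r\n"
RECEIVED_BODY = b"Hello,  \r\n\r\nThis is a  test. \r\n"


def body_canon_from_c_tag(c_tag: str) -> str:
    """c= is header/body; a bare algorithm or missing body part means body=simple (RFC 6376 3.5)."""
    parts = c_tag.strip().split("/")
    return parts[1] if len(parts) == 2 and parts[1] else "simple"


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop empty lines at the end, then end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP on each line, collapse WSP runs to one SP,
    drop empty lines at the end; a non-empty body ends with CRLF, an empty one stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, body_canon: str = "simple", algo: str = "sha256") -> str:
    """Compute the bh= tag value: base64 of the hash over the canonicalized body."""
    canon = canon_relaxed if body_canon == "relaxed" else canon_simple
    return base64.b64encode(hashlib.new(algo, canon(body)).digest()).decode("ascii")


def bh_still_verifies(signed_body: bytes, received_body: bytes, c_tag: str) -> bool:
    """Would the verifier's recomputed bh= match the value the signer placed in the signature?"""
    body_canon = body_canon_from_c_tag(c_tag)
    return body_hash(signed_body, body_canon) == body_hash(received_body, body_canon)


if __name__ == "__main__":
    for c_tag in ("relaxed/simple", "relaxed/relaxed"):
        print(f"c={c_tag}: bh= still verifies after whitespace changes ->",
              bh_still_verifies(SIGNED_BODY, RECEIVED_BODY, c_tag))
```

Comparing the canonicalized bytes of a message as sent against a copy retrieved from the receiving mailbox is the quickest way to see which transformation a given receiver applied before hashing.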