[GH-ISSUE #45] SPF, DKIM, Postscreen report RfC #35

Closed
opened 2026-05-05 15:00:55 -06:00 by gitea-mirror · 2 comments

Originally created by @r-sherwood on GitHub (Feb 23, 2017).
Original GitHub issue: https://github.com/darold/sendmailanalyzer/issues/45

To keep track of incoming/outgoing signed/validated/failed SPF and DKIM records, it would be nice to have that feature in an upcoming sendmail report.
A postscreen option would be nice too.

i.e.
SPF + DKIM in:

Feb 14 09:38:17 mail amavis[25650]: (25650-04) Passed CLEAN {RelayedInbound}, [40.100.x.x]:33160 [40.100.x.x] <xyz.abc@domain.com> -> <info@mydomain.com>, Queue-ID: DFA8A20EA, Message-ID: <VI1PR0302xxxxxxxxxAA3447319ACAF580@domain.com>, mail_id: vxMxxxxxkbRF, Hits: -3.298, size: 16059, queued_as: BE1xxxx89F, dkim_sd=selector1-domain.com, 1837 ms, Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,RCVD_IN_DNSWL_NONE=-0.0001,RCVD_IN_MSPIKE_H2=-3.296,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001]

SPF in:
Feb 15 14:26:45 mail amavis[25709]: (25709-15) Passed CLEAN {RelayedInbound}, [212.0.x.x]:63329 [192.168.0.1] <info@domain.com> -> <info@mydomain.com>, Queue-ID: 40Dxxx8A1, Message-ID: <462E4E98-2B0B-xxxx-xxxx-58F678236C6D@gmx.net>, mail_id: brShxxxxx3y1, Hits: -0.201, size: 2002, queued_as: 2FCxxxx9D5, 1815 ms, Tests: [FREEMAIL_FROM=0.001,RCVD_IN_DNSWL_LOW=-0.7,RCVD_IN_SORBS_SPAM=0.5,RP_MATCHES_RCVD=-0.001,SPF_PASS=-0.001]

Postscreen:
Feb 20 19:56:34 v19368 postfix/postscreen[20462]: CONNECT from [216.x.x.x]:53699 to [31.x.x.x]:25

I've been using a policy daemon for postgreying called iredapd (https://bitbucket.org/zhb/iredapd) from the iRedMail project. Would be nice to add this daemon as well to the sendmailreport.

The logs look like this:
Feb 20 19:12:58 mail postfix/postscreen[11395]: PASS NEW [216.x.x.x]:51520
...
Feb 20 19:22:29 mail postfix/postscreen[14248]: PASS OLD [216.x.x.x]:51992
Feb 20 19:22:29 mail postfix/smtpd[14249]: NOQUEUE: reject: RCPT from www4.checktls.com[216.x.x.x]: 451 4.7.1 <info@mydomain.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<test@assuretls.checktls.com> to=<info@mydomain.com> proto=ESMTP helo=<checktls.com>
...
Feb 20 19:56:34 mail postfix/postscreen[20462]: CONNECT from [216.68.85.112]:53699 to [31.172.95.219]:25
Feb 20 19:56:34 mail postfix/postscreen[20462]: PASS OLD [216.x.x.x]:53699
Feb 20 19:56:34 mail postfix/smtpd[20463]: connect from www4.checktls.com[216.x.x.x]
Feb 20 19:56:34 mail postfix/smtpd[20463]: Anonymous TLS connection established from www4.checktls.com[216.x.x.x]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)


@enekux commented on GitHub (Jun 19, 2018):

+1

But I think the proper lines to check in the logs would be:

  • SPF (postfix-policyd-spf-python):
    Jun 19 14:33:21 mx1 policyd-spf[32051]: None; ....
    Jun 19 14:32:53 mx1 policyd-spf[24854]: Pass; ....
    Jun 19 14:17:20 mx1 policyd-spf[20871]: Fail; ....
    Jun 19 14:35:59 mx1 policyd-spf[2315]: Softfail; ....

  • DKIM (opendkim): here I don't know if we can identify clearly enough different results, I see this type:
    Jun 19 14:37:39 mx1 opendkim[17499]: 17D581E2A0: bad signature data
    Jun 19 14:40:58 mx1 opendkim[17499]: D0B3F1E29A: message has signatures from kuponlandia.in, amazonses.com
    Jun 19 14:40:58 mx1 opendkim[17499]: D0B3F1E29A: s=mdpolsbwcxpptb7otdn73qg2km75bkhd d=kuponlandia.in SSL
    Jun 19 14:40:58 mx1 opendkim[17499]: 48E861E2A0: s=k1 d=oeaw.ac.at SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature

  • DMARC (opendmarc):
    Jun 19 14:38:21 mx1 opendmarc[1409]: F14AB1DDD0: domain.com none
    Jun 19 14:38:21 mx1 opendmarc[1409]: F14AB1DDD0: domain.com pass
    Jun 19 14:38:21 mx1 opendmarc[1409]: F14AB1DDD0: domain.com fail


@enekux commented on GitHub (Jul 2, 2018):

Hi,
I noticed that the latest commit "709a398" adds support for "Add parsing of SPF/DKIM log entries".
I have tried it but I don't see any "spf_dkim.dat" file being generated in the data directory...

Also I wonder if this commit is also adding support for SPF (postfix-policyd-spf-python)...

Thanks,

Reference: github-starred/sendmailanalyzer#35