# Kerio Connect DSN breaks DMARC


© May 2019 Anthony Lawrence

2015/01/19

In Help protect your mail domain with DMARC I explained how to implement DMARC with Kerio Connect. I had set up my server that way and was monitoring the results, hoping that I could change the DMARC policy from "quarantine" to "reject".

However, I noticed that something was slipping through without SPF or DKIM. The mail was coming from my IP address, but it was saying it came from "mail.aplawrence.com", which is incorrect. My first thought was that I had some old cron job or script misconfigured, but it wasn't that.

Hunting more deeply, I found that the problem was DSNs (Delivery Status Notifications). If someone sends email to a non-existent address at aplawrence.com, a DSN is generated, but it comes from "[email protected]". Kerio builds that address from the Internet Hostname, and there is no other place to override it. As "mail.aplawrence.com" doesn't exist as a mail domain (it's my MX host, but my mail domain is "aplawrence.com"), SPF fails and no DKIM signature is added, so the DSN fails DMARC under the aplawrence.com policy.

I'd call that improper behavior. RFC 1894 (since obsoleted by RFC 3464, which keeps this wording) seems to address this:


> The From field of the message header of the DSN SHOULD contain the address of a human who is responsible for maintaining the mail system at the Reporting MTA site (e.g. Postmaster), so that a reply to the DSN will reach that person. Exception: if a DSN is translated from a foreign delivery report, and the gateway performing the translation cannot determine the appropriate address, the From field of the DSN MAY be the address of a human who is responsible for maintaining the gateway.
>
> The envelope sender address of the DSN SHOULD be chosen to ensure that no delivery status reports will be issued in response to the DSN itself, and MUST be chosen so that DSNs will not generate mail loops. Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a NULL return address, i.e. "MAIL FROM:<>".

I would think that the DSN should be from the postmaster at the domain that the incorrect mail was sent to. The Internet Hostname is not a domain; it's a host and shouldn't be used as a mail domain.
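To make the failure mode concrete, here is an added example (my own code, not Kerio's and not from the original post) that models how a DMARC verifier judges the two kinds of message described above: ordinary mail from the server and the DSN with its null envelope sender. It applies the rules the article runs into: under RFC 7208 a null MAIL FROM is checked as postmaster at the HELO name, so the HELO name becomes the SPF identity DMARC tries to align, and the DMARC policy is looked up at the From: domain and then at the organisational domain. Everything it consults is constructed: the DNS answers are an inline table, 203.0.113.10 is documentation address space standing in for the server IP, the mailbox names and the postmaster local part are assumptions, and it assumes Kerio uses its Internet Hostname as the HELO name.

```python
import re

# Constructed DNS TXT answers (no network access). Assumptions following the
# article: only the organisational domain aplawrence.com has SPF and DMARC
# records; the MX host name mail.aplawrence.com has neither.
DNS_TXT = {
    "aplawrence.com": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.aplawrence.com": ["v=DMARC1; p=quarantine; aspf=r; adkim=r"],
}

def txt(name, dns):
    return dns.get(name.lower().rstrip("."), [])

def org_domain(domain):
    # Simplified organisational domain: the last two labels. RFC 7489 uses
    # the Public Suffix List, which gives the same answer for a .com name.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_check(client_ip, helo, mail_from, dns):
    """Return (result, identity). RFC 7208 section 2.4: a null reverse-path
    (MAIL FROM:<>) is checked as postmaster@<HELO name>, so for a DSN the
    HELO name is the SPF identity that DMARC later tries to align."""
    identity = helo if mail_from in ("", "<>") else mail_from.rsplit("@", 1)[1]
    records = [r for r in txt(identity, dns) if r.split()[0] == "v=spf1"]
    if not records:
        return "none", identity
    # Minimal evaluator: ip4:<address> mechanisms, anything else falls to "all".
    for term in records[0].split()[1:]:
        if term.startswith("ip4:") and term[4:] == client_ip:
            return "pass", identity
    return "fail", identity

def dmarc_policy(from_domain, dns):
    """RFC 7489 section 6.6.3: query _dmarc.<From domain>, then fall back to
    _dmarc.<organisational domain>. Returns (domain found, tag dict) or None."""
    for name in dict.fromkeys((from_domain, org_domain(from_domain))):
        recs = [r for r in txt("_dmarc." + name, dns) if r.startswith("v=DMARC1")]
        if recs:
            tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
            return name, tags
    return None

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment (RFC 7489 section 3.1): strict ("s") needs an
    exact match, relaxed ("r") only the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(client_ip, helo, mail_from, from_header, dkim_domains, dns=DNS_TXT):
    """Dispose of one message the way a DMARC verifier would. dkim_domains
    holds the d= values of signatures that have already verified."""
    from_domain = re.search(r"@([\w.-]+)", from_header).group(1)
    found = dmarc_policy(from_domain, dns)
    if found is None:
        return {"dmarc": "none", "disposition": "none", "policy_domain": None}
    policy_domain, tags = found
    spf_result, spf_identity = spf_check(client_ip, helo, mail_from, dns)
    spf_ok = spf_result == "pass" and aligned(spf_identity, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r")) for d in dkim_domains)
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail", "spf": spf_result,
            "spf_identity": spf_identity, "policy_domain": policy_domain,
            "disposition": "none" if passed else tags.get("p", "none")}

# Constructed messages; all come from the same server IP and HELO name
# (assumption: Kerio uses its Internet Hostname as the HELO name).
SERVER_IP, HELO = "203.0.113.10", "mail.aplawrence.com"

def ordinary_mail():
    # A normal message: envelope sender and From: in aplawrence.com, DKIM-signed.
    return evaluate(SERVER_IP, HELO, "tony@aplawrence.com",
                    "Tony <tony@aplawrence.com>", ["aplawrence.com"])

def kerio_dsn():
    # The bounce Kerio generates: null MAIL FROM per RFC 1894, From: built from
    # the Internet Hostname (postmaster local part assumed), no DKIM signature.
    return evaluate(SERVER_IP, HELO, "<>",
                    "Mail Delivery System <postmaster@mail.aplawrence.com>", [])

def kerio_dsn_with_host_spf():
    # Only what the rules predict if the MX host name had an SPF record of its
    # own: the HELO identity would pass and equal the From: domain. This is an
    # illustration of the alignment rules, not a fix the article tested.
    dns = dict(DNS_TXT, **{HELO: ["v=spf1 ip4:203.0.113.10 -all"]})
    return evaluate(SERVER_IP, HELO, "<>",
                    "Mail Delivery System <postmaster@mail.aplawrence.com>", [], dns)

if __name__ == "__main__":
    for label, fn in (("ordinary mail", ordinary_mail), ("Kerio DSN", kerio_dsn),
                      ("DSN if MX host had SPF", kerio_dsn_with_host_spf)):
        print(f"{label}: {fn()}")
```

Running it shows the ordinary message passing and the DSN failing with "quarantine", the policy inherited from _dmarc.aplawrence.com because nothing is published at _dmarc.mail.aplawrence.com. That fallback is the practical caveat: a From: domain that is merely the MX host name does not escape the organisational domain's DMARC policy, it just loses any chance of aligning. A quick check of the premise on a real server is `dig TXT mail.aplawrence.com` and `dig TXT _dmarc.mail.aplawrence.com`; empty answers mean the DSN can only be judged, and failed, under the parent domain's record.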

I raised a ticket with Kerio. Their suggestion was to set the Internet Hostname and MX to "aplawrence.com", but that would break my web site as that sits at a different IP. I could use another domain entirely, but that is annoying and wasteful.

For the moment, I have to leave my DMARC policy set to "quarantine".


2 comments



Tue Jan 20 16:50:55 2015: 12601   905c)



Well, legacy stuff again.
DSN is supposed to come from the server administrator. What address should be there if an email was intended for two users in two different domains? That's why a generic server name is used as the sending domain. Emails should be delivered there (if any, because DSNs have an empty sender in SMTP to avoid loops) using legacy email delivery via the A record (link).
It is not perfect but it works.



Tue Jan 20 16:57:35 2015: 12602   TonyLawrence



Thanks for that link. It doesn't work for DMARC!

But - now that I know these are just DSN's, I'm going to switch back to reject. A few bad typists may not know they mistyped if they don't get the reply. Minor risk.
