Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Usermin's spf and dkim flagging of emails could be enhanced #95

Open
Stephano2000 opened this issue Apr 2, 2023 · 15 comments
Open

Usermin's spf and dkim flagging of emails could be enhanced #95

Stephano2000 opened this issue Apr 2, 2023 · 15 comments

Comments

@Stephano2000
Copy link

Usermin's flagging of emails with respect to spf and dkim (the popup when one clicks on the inverted arrow next to the sender name in the spam folder) could be enhanced:

dkim-signature is currently not visible when an invalid dkim signature is present. It is better if it is always displayed, and indicates whether a dkim signature is found or not, and in case it is there, whether it is valid or invalid.

Similarly for spf: spf record found or not, and matches or not

@jcameron
Copy link
Collaborator

jcameron commented Apr 3, 2023

Can you attach a screenshot of the popup you're seeing currently?

@Stephano2000
Copy link
Author

Stephano2000 commented Apr 3, 2023

Here are 3 different popups. There is no dkim status in the last two.

Screenshot from 2023-04-03 09-56-02
Screenshot from 2023-04-03 09-56-45
Screenshot from 2023-04-03 09-57-11

@iliajie
Copy link
Collaborator

iliajie commented Apr 3, 2023

There is no dkim status in the last two.

If you compare those two emails by viewing as a raw message, do you see DKIM signature in the two last message from the screenshot above? Is there a DKIM signature in the first one? Can we have a look at the headers of those 3 mentioned emails?

@Stephano2000
Copy link
Author

Screenshot from 2023-04-03 21-07-37

Content analysis details:   (7.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.5 URIBL_DBL_MALWARE      Contains a malware URL listed in the Spamhaus
                            DBL blocklist
                            [URIs: marrugo.com]
 3.6 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                            [88.209.253.213 listed in zen.spamhaus.org]
 0.1 URIBL_CSS_A            Contains URL's A record listed in the Spamhaus CSS
                            blocklist
                            [URIs: marrugo.com]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                            blocked.  See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: marrugo.com]
 0.0 RCVD_IN_DNSWL_BLOCKED  RBL: ADMINISTRATOR NOTICE: The query to
                            DNSWL was blocked.  See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [88.209.253.213 listed in list.dnswl.org]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.3 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
 0.7 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                            envelope-from domain
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.0 DC_PNG_UNO_LARGO       Message contains a single large png image

@iliajie
Copy link
Collaborator

iliajie commented Apr 3, 2023

I don't understand what you're trying to say. Sorry. I need to see the complete headers (in raw) of the email in question.

@Stephano2000
Copy link
Author

I have listed spam assassin's results, which shows that the SPF passed, and DKIM is present and valid.
I was about to post similar info for the 2 other cases.

As for the headers, which ones do you need? Those on the spam page, or the original mail page?
In any case, some of the headers info must be redacted before posting, and hence you will not be able to verify DKIM validity.

@iliajie
Copy link
Collaborator

iliajie commented Apr 3, 2023

and hence you will not be able to verify DKIM validity.

I don't need to do it. The email should already include all information needed to make this check.

which shows that the SPF passed, and DKIM is present and valid.

Which is fine, right? It depends on the email message headers.

I still don't understand the problem we're solving here. If Usermin displays DKIM status incorrectly then it's a bug. But to know that, I need to see the screenshot of a popup and all actual email headers in raw.

@Stephano2000
Copy link
Author

Screenshot from 2023-04-03 21-07-37

Email (redacted) headers:

Return-Path: 	<rose@marrugo.com>
X-Original-To: 	robert@example.com
Delivered-To: 	"robert@example.com"@mars.example.com
Authentication-Results: 	mars.example.com;dkim=pass (2048-bit key; unprotected) header.d=marrugo.com header.i=rose@marrugo.com header.a=rsa-sha1 header.s=dkim header.b=0QVsE0iP;dkim-atps=neutral
Received: 	from ernestine2265.marrugo.com (ernestine2265.marrugo.com [88.209.253.213])by mars.example.com (Postfix) with ESMTPS id 58A1040B19for <robert@example.com>; Mon, 3 Apr 2023 03:38:15 +0000 (UTC)
DKIM-Signature: 	v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=marrugo.com;h=Content-Type:MIME-Version:Subject:To:From:Date:Message-ID; i=rose@marrugo.com;bh=DskVhnS4zuPeVJ1JTfIWTmrdKyA=;b=0QVsE0iP/D8O6EEZHQazVd4RylVd33gt69/b5xMB17TKQ/xmZG6q4Cp4w2zXdpOprcQCzEN3KpjFp8PxepNnWodSkdm681df1cqe9lR7OvemeOyZ2p2SkzRySFUoybjHsE8kKN0ah2WXo6RapBOuSoHeexCKUdta9rb4MH2nglJHuZ96qJxpdRP0bwENu5woJJLZQ0CILd3tZiIh9kR9GefT/PYunTRYr8KfySGGe5AIq/w2sFbeaS0/kEHPlp7KKtOAEv2nD5bO00s0JDnHu1+MEa2m91dtRi9qxbYLKGAAjCED3BcJrpMjz4x3YsWFRiL3tAi3JDxn++fq/dHQ8w==
DomainKey-Signature: 	a=rsa-sha1; c=nofws; q=dns; s=dkim; d=marrugo.com;b=Xm0ml7Tz0bPQgAaLYHpc8aTDJG8/ssfDk4dEXaSpMqLb0VF1vBRnRU1KMwTgIvV6YHiQgNwasEvdUIRAFFw8LpyA2xCdyog0M0L5XUkvtY0J4upOmQXhYRlWS6YqUFt7U23pUwvh/OzniysvSYuCe+emWbYgOBI4ROtnSyOQZ1Jf1SeMtmWefdd+f83v/5+e+e3iA04wnCOzaBppiCUiSjSc9fMTT62zL3Jx2nWKvi4Xjl3WjKwz/3m3vf+4ni3DNE2mNZx6PYXuhqaogYblcKMT7ajGfkEbqnkBqxF4SSiPKbx37QzeA4++ipiUAz/O8bbX4KL1MANxOe8ZfIbwRw==;
Content-Type: 	multipart/mixed; boundary="===============1548607889=="
MIME-Version: 	1.0
Subject: 	DHL Express - Shipment Notification
To: 	rose@marrugo.com
From: 	"DHL Express" <rose@marrugo.com>
Date: 	Mon, 03 Apr 2023 05:38:13 +0200
Message-ID: 	<0.0.4.62D.1D965DDB879A3D4.0@ernestine2265.marrugo.com>

iliajie added a commit to webmin/authentic-theme that referenced this issue Apr 3, 2023
@iliajie
Copy link
Collaborator

iliajie commented Apr 3, 2023

I think it's rather a feature than a bug. Google Mail does the same. It doesn't say anything about the signature if it's not present. However, I think that you're right, it's better to always show signed-by field.

Check this patch, does it solve your problem?

@Stephano2000
Copy link
Author

Just to understand, what does a green check mark or a red X supposed to mean for spf and dkim? present/notpresent, or valid/invalid? Then i will be able to re-evaluate the other emails.

In the case of this email (#95 (comment)), it was the other way round as the mail has a dkim signature, but Usermin didn't show the dkim status.

However i won't be able to check the patch as this email is on a production machine. I will see if i can setup a test server and attract spam in order to test the patch :)

@iliajie
Copy link
Collaborator

iliajie commented Apr 4, 2023

Alright, please give it a try on a test server and let me know what you find out.

@Stephano2000
Copy link
Author

Alright, please give it a try on a test server and let me know what you find out.

I will. However i need to know the expected behavior to be able to spot drifts: What does a green check mark or a red X supposed to mean for spf and dkim? present/notpresent, or valid/invalid, or some combination?

What's the recommended way to install Virtualmin from github master?

@iliajie
Copy link
Collaborator

iliajie commented Apr 5, 2023

What does a green check mark or a red X supposed to mean for spf and dkim?

Currently, green means passed and red can mean failed/missing.

What's the recommended way to install Virtualmin from github master?

Never do that. Always use automated installer - https://www.virtualmin.com/download/.

@Stephano2000
Copy link
Author

What does a green check mark or a red X supposed to mean for spf and dkim?

Currently, green means passed and red can mean failed/missing.

Great!

What's the recommended way to install Virtualmin from github master?

Never do that. Always use automated installer - https://www.virtualmin.com/download/.

Let me rephrase my question:
How can i make a fresh install using the automated installer, but benefiting from all the patches that haven't been released in the stable package?
Would this do it:

# wget -O virtualmin-install.sh https://raw.githubusercontent.com/virtualmin/virtualmin-install/master/virtualmin-install.sh
# /bin/sh virtualmin-install.sh

@iliajie
Copy link
Collaborator

iliajie commented Apr 5, 2023

You cannot have all the latest patches applied like that. You could try nightly builds of Webmin and Usermin thought.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants