Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Les messages de rebond (bounce) envoyés par Postfix n'ont pas l'air d'être signés

nicolas

J’ai repéré cette erreur dans les logs :

2025-05-11T10:47:39.477722+02:00 club1 postfix/lmtp[4173495]: EFA1740C1E: to=<***@club1.fr>, relay=mail.club1.fr[private/dovecot-lmtp], delay=0.51, delays=0.4/0.01/0.05/0.05, dsn=2.0.0, status=sent (250 2.0.0 <***@club1.fr> chSuGCtkIGi4rj8AOV9Ouw Saved)
2025-05-11T10:47:39.478864+02:00 club1 postsrsd[4173492]: srs_forward: <""> not rewritten: No at sign in sender address
2025-05-11T10:47:39.479663+02:00 club1 postsrsd[4173493]: srs_reverse: <SRS0=dLDb=X3=hotmail.com=***@club1.fr> rewritten as <***@hotmail.com>
2025-05-11T10:47:39.480354+02:00 club1 postsrsd[4173493]: srs_reverse: <SRS0=dLDb=X3=hotmail.com=***@club1.fr> rewritten as <***@hotmail.com>
2025-05-11T10:47:39.481022+02:00 club1 postfix/cleanup[4173491]: 74C1E41B81: message-id=<20250511084739.74C1E41B81@mail.club1.fr>
2025-05-11T10:47:39.483208+02:00 club1 postfix/bounce[4173498]: EFA1740C1E: sender delivery status notification: 74C1E41B81
2025-05-11T10:47:39.483325+02:00 club1 postfix/qmgr[1743]: 74C1E41B81: from=<>, size=11987, nrcpt=1 (queue active)
2025-05-11T10:47:39.483405+02:00 club1 postfix/qmgr[1743]: EFA1740C1E: removed
2025-05-11T10:47:40.434305+02:00 club1 postfix/smtp[4173499]: Trusted TLS connection established to hotmail-com.olc.protection.outlook.com[52.101.40.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (secp384r1) server-signature RSA-PSS (2048 bits) server-digest SHA256
2025-05-11T10:47:44.722076+02:00 club1 postfix/smtp[4173499]: 74C1E41B81: to=<***@hotmail.com>, orig_to=<SRS0=dLDb=X3=hotmail.com=***@club1.fr>, relay=hotmail-com.olc.protection.outlook.com[52.101.40.5]:25, delay=5.2, delays=0/0.09/1.1/4, dsn=5.7.509, status=bounced (host hotmail-com.olc.protection.outlook.com[52.101.40.5] said: 550 5.7.509 Access denied, sending domain [CLUB1.FR] does not pass DMARC verification and has a DMARC policy of reject. [AS8P194MB1144.EURP194.PROD.OUTLOOK.COM 2025-05-11T08:47:44.552Z 08DD8FA3A080E099] [BYAPR05CA0062.namprd05.prod.outlook.com 2025-05-11T08:47:44.627Z 08DD8C2E8C22667D] [CY4PEPF0000EDD5.namprd03.prod.outlook.com 2025-05-11T08:47:44.639Z 08DD8B36A1960708] (in reply to end of DATA command))
2025-05-11T10:47:44.725154+02:00 club1 postfix/qmgr[1743]: 74C1E41B81: removed

Visiblement, Outlook demande des Delivery Status Notifications (DSN), lesquelles sont supportées par Postfix, qui utilise pour cela le mécanisme de bounce(8).

D’après les logs, on voit que les messages générés par bounce sont rejetés par le politique DMARC de CLUB1. Il semblerait en effet qu’ils ne soient pas signés avant envoi, car OpenDKIM ne figure pas dans cet extrait de log.

Il y a visiblement un moyen d’activer les filtres milter pour les bounces :

According to the docs mentioned by Stefan this is now possible but disabled by default. You can add internal_mail_filter_classes = bounce to your config for bounces to be filtered just as any other mail (including signing filter).

This will work well if you only have signing filter. Though you may encounter problems when you have other filters. You should make sure that no filter rejects locally generated bounces as this may generate another bounce which will possibly be rejected too and so on…

Je vais probablement bientôt ajouter cette configuration mais je n’ai pas encore trouvé comment tester qu’elle fait bien ce que je veux.