Applicable to:
- Plesk for Linux
Symptoms
- The option Enable DMARC to check incoming mail is enabled in Plesk at Tools & Settings > Mail Server Settings.
- Emails sent from external mail services are rejected by the DMARC checker because the SPF record, the DKIM record, or both were not found. The following entries appear in /var/log/maillog:
dmarc[16748]: Starting the dmarc filter...
dmarc[16748]: SPF record was not found in Authentication-Results:
dmarc[16748]: DKIM record was not found in Authentication-Results:
dmarc[16748]: DMARC: REJECT message for jdoe@example.com
postfix-local[16746]: message discarded by a mail handler
Cause
The Postfix before-queue mail filter is either not defined:
# grep smtpd_milters /etc/postfix/main.cf
smtpd_milters =
or disabled:
# grep smtpd_milters /etc/postfix/main.cf
#smtpd_milters = , inet:127.0.0.1:12768
As a result, SPF/DKIM checks are not performed and the email is rejected by the sender's DMARC policy.
Resolution
Configure the Postfix before-queue mail filter:
- Connect to the server via SSH.
- Create a backup of the original /etc/postfix/main.cf file:
# cp /etc/postfix/main.cf /etc/postfix/main.cf_orig
- Open the /etc/postfix/main.cf file in a text editor. In this example, we are using the vi editor:
# vi /etc/postfix/main.cf
- Change the smtpd_milters value as follows:
smtpd_milters = , inet:127.0.0.1:12768
- If the non_smtpd_milters option exists, make its value empty:
non_smtpd_milters =
- Save the changes and close the file.
- Verify the changes:
# grep -ir milt /etc/postfix/main.cf
smtpd_milters = , inet:127.0.0.1:12768
non_smtpd_milters =
- Restart the Postfix service to apply the changes:
# service postfix restart
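The checks from the Cause and Resolution sections as one script. This is an added example, not part of the original article and not Plesk tooling: it classifies a main.cf as unset (no active smtpd_milters line, for example commented out), empty, missing (the milter from this article is not listed), non_smtpd (non_smtpd_milters is not empty) or ok. The function names and status words are hypothetical; unlike a plain grep, the parser follows the main.cf rules for comments, continuation lines and repeated definitions.

```sh
#!/bin/sh
# Added example, not Plesk tooling. MILTER is the endpoint from this article.
MILTER='inet:127.0.0.1:12768'

# get_param FILE NAME: print the effective value of NAME in a main.cf-style
# file; return non-zero when no active (uncommented) definition exists.
get_param() {
    awk -v name="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines are ignored
        /^[ \t]/ { if (cur) val = val " " $0; next }   # leading whitespace continues a line
        { cur = 0 }
        $0 ~ ("^" name "[ \t]*=") {         # a later definition replaces an earlier one
            cur = 1; found = 1
            val = $0; sub(/^[^=]*=/, "", val)
        }
        END {
            if (!found) exit 1
            gsub(/[ \t]+/, " ", val); gsub(/^ | $/, "", val)
            print val
        }' "$1"
}

# check_milters FILE: print one status word (hypothetical names):
#   unset      no active smtpd_milters line (absent or commented out)
#   empty      smtpd_milters is set to an empty value
#   missing    smtpd_milters is set but does not list $MILTER
#   non_smtpd  smtpd_milters is fine, non_smtpd_milters is not empty
#   ok         matches the configuration in the Resolution section
check_milters() {
    if ! v=$(get_param "$1" smtpd_milters); then echo unset; return; fi
    [ -n "$v" ] || { echo empty; return; }
    case " $(printf '%s' "$v" | tr ',' ' ') " in
        *" $MILTER "*) ;;
        *) echo missing; return ;;
    esac
    n=$(get_param "$1" non_smtpd_milters) || n=''
    if [ -z "$n" ]; then echo ok; else echo non_smtpd; fi
}

# Usage: sh check_milters.sh /etc/postfix/main.cf
if [ "$#" -gt 0 ]; then check_milters "$1"; fi
```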
Comments
4 comments
The instruction to make non_smtpd_milters empty contradicts https://support.plesk.com/hc/en-us/articles/214528265-Plesk-Premium-Antivirus-does-not-detect-infected-emails. So what should we do now?
Hello b_p,
It depends on what error/symptoms you have.
In order to investigate it, you might try it first or open a support request.
As a follow-up, this was mainly a comment, that your documentation is contradictory: here you state that non_smtpd_milters shall be empty while you recommend the opposite in the other article.
Also, given that the issue described here refers to incoming e-mails (which should be delivered through smtpd), the non_smtpd_milters should not affect this process at all? But as this would disable scanning e-mails that are sent from scripts for instance, I assume the advice in this article should be adjusted?
Hello @b_p,
"non_smtpd_milters" was used in old unsupported Plesk versions. Currently Plesk does not use and does not configure it anymore.
"non_smtpd_milters" must be empty.
I have corrected https://support.plesk.com/hc/en-us/articles/214528265
Plesk uses its own custom sendmail-wrapper, which already uses the mail handlers stack; for this reason "non_smtpd_milters" is not needed.