My MIAB used as a relay?

ge8Hooe · April 24, 2021, 6:38am

To me it looks like my MIAB has been used as a relay to send email to “d@ruf.agari.com”.

Below is one exerpt from mail.log:

Apr 20 00:35:55 box postfix/pickup[32284]: 573DF7F0DD: uid=119 from=
Apr 20 00:35:55 box postfix/cleanup[10293]: 573DF7F0DD: message-id=20210419213555.573DF7F0DD@box.domain.tld
Apr 20 00:35:55 box postfix/qmgr[8820]: 573DF7F0DD: from=opendmarc@box.domain.tld, size=13656, nrcpt=1 (queue active)
Apr 20 00:35:57 box postfix/smtp[10295]: 573DF7F0DD: to=d@ruf.agari.com, relay=mx1.ruf.agari.com[54.148.35.67]:25, delay=2.6, delays=0.18/0.09/1.7/0.56, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 503586D)
Apr 20 00:35:57 box postfix/qmgr[8820]: 573DF7F0DD: removed

If I’m correct, how do I prevent this?

openletter · April 24, 2021, 11:18am

That is opendmarc doing its job of sending DMARC ruf failure report per the domain owner’s request:

$ dig txt _dmarc.agari.com +short
_dmarc.02.da.50.02.dns.agari.com.
"v=DMARC1; p=reject; sp=reject; ri=3600; rua=mailto:agari-data@rua.agari.com; ruf=mailto:agari-data@ruf.agari.com; fo=1"

Looks like there should be a similar email somewhere to agari-data@rua.agari.com.