
ES 10.0.11 - DMARC Reporting missing - nothing but Google?

BWC Cybersecurity Overlord ✭✭✭

Hi,

is anyone else experiencing missing DMARC reporting? @David W

DMARC Master Detail Report is just showing Provider google.com for the last 21 days, but I know that Microsoft did send reports in the recent days as well. What happened to them?

dmarc_reports:<hostname> log directory only holds .xml files from Google.

It's not just my deployment, it affects customer deployments too.

--Michael@BWC

Category: Email Security Appliances

Answers

  • David W SonicWall Employee

    @BWC I will have to see what I can find out.

    I don't think we have anything reported on it at the moment.

    However I do know that there are some instances where if there is anything in policy filters doing anything with compressed file types they may get missed due to being altered.

    Check and see if you have anything like that in policy filters and may need to add some exceptions to not do anything with them when the ZIP, GZIP file attachments are sent in. They come in as an email inbound.

    If you have a case open I can see if Gailand can do a follow up with you.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭

    @David W thanks for checking, I'll open up a ticket and keep you posted because this is something I don't wanna attack with general Support.

    I don't have any Policies in use which are related to archives.

    The whole DMARC implementation seems to be fragile, outbound reporting does not seem to work without having an outbound Flow and 127.0.0.1 as allowed IP address in the contacting Path. This is not documented anywhere, I just saw my own reports in the Inbound Log, which did not make sense to me. After having this fixed, DMARC outbound reports are delivered properly.

    Funny thing, one of the reports sent out last night was addressed to a HES Customer of mine, guess what, no DMARC report on HES either. I'll check again tomorrow, not sure how often DMARC reports will be processed.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    DMARC does not seem to be a strong suit of Email Security, while waiting for the answer about the failing incoming DMARC reporting I found another flaw in outbound DMARC reports, which renders them probably useless.

    The XML generated by ES is not compliant to RFC7489, it should contain a record like this:

    		<identifiers>
    			<envelope_from>xyz.de</envelope_from>
    			<header_from>xyz.de</header_from>
    		</identifiers>
    

    but instead it uses the element name identities instead of identifiers which is not correct.

    Is anyone using DMARC seriously on SonicWall Email Security and not struggling with this?

    --Michael@BWC
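As an added example (not part of the original posts and not SonicWall code): a small Python check of the element names inside each `<record>` of a DMARC aggregate report against the RFC 7489 names discussed in the post above. The function name `check_report` and both sample reports are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Child elements RFC 7489 (Appendix C, RecordType) defines for every <record>.
REQUIRED_RECORD_CHILDREN = ("row", "identifiers", "auth_results")

def local(tag):
    """Strip an XML namespace prefix such as '{urn:...}record'."""
    return tag.rsplit("}", 1)[-1]

def check_report(xml_text):
    """Return a list of findings; an empty list means the checked names conform."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "feedback":
        return [f"root element is <{local(root.tag)}>, expected <feedback>"]
    findings = []
    records = [e for e in root if local(e.tag) == "record"]
    if not records:
        findings.append("no <record> elements")
    for n, rec in enumerate(records, 1):
        children = {local(c.tag): c for c in rec}
        for name in REQUIRED_RECORD_CHILDREN:
            if name not in children:
                findings.append(f"record {n}: missing <{name}>")
        for name in children:
            if name not in REQUIRED_RECORD_CHILDREN:
                findings.append(f"record {n}: unexpected <{name}>")
        ident = children.get("identifiers")
        if ident is not None and not any(
                local(c.tag) == "header_from" and (c.text or "").strip()
                for c in ident):
            findings.append(f"record {n}: <identifiers> lacks <header_from>")
    return findings

# Constructed sample report; {tag} is filled in to build both variants.
# Reports received from the internet are untrusted input: parse those with
# a hardened XML parser (for example the defusedxml package).
RECORD = """<feedback><report_metadata><org_name>example.test</org_name></report_metadata>
<record><row><source_ip>192.0.2.1</source_ip><count>1</count></row>
<{tag}><envelope_from>xyz.de</envelope_from><header_from>xyz.de</header_from></{tag}>
<auth_results><spf><domain>xyz.de</domain><result>pass</result></spf></auth_results>
</record></feedback>"""
GOOD = RECORD.format(tag="identifiers")   # element name per RFC 7489
BAD = RECORD.format(tag="identities")     # element name described in the post

if __name__ == "__main__":
    for label, doc in (("identifiers", GOOD), ("identities", BAD)):
        print(label, "->", check_report(doc) or "OK")
```
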

  • BWC Cybersecurity Overlord ✭✭✭

    Just in case anybody cares (what I begin to doubt), I've got an update to my ticket after 2 months:

    Issue is under review by devs.
    

    I'll leave it to that and see what happens

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Another two months passed, the world has changed dramatically, but no progress on DMARC. It's good to have some constants in life.

    I know, I know, devs were busy with log4j and the 2022 date dilemma. 🤬

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    7+ months in and still no visible progress, Engineering is involved and the DMARC issues should be fixed with the Release of Firmware 10.0.19 with no ETA at the moment. We'll see.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Firmware 10.0.19 got released, but the DMARC issues are not addressed according to the Release Notes, got postponed because of the recent issues I guess.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Happy anniversary 🤦‍♂️, DMARC reporting still not working but I've got word that Firmware 10.0.20 will probably fix it, ETA somewhere in the future. Provided that no other big task is consuming all the time of the huge army of developers which are actively working on ES, like a log4j update or similar.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭
    edited January 2023

    !!! DO NOT INSTALL 10.0.20 - I've got a 2nd mail to hold off because of an issue !!!


    If anyone is fancy about DMARC reporting, SNWL released Firmware 10.0.20 without much commotion which addresses this topic, according to the Release Notes and Feedback I've got on my long running Support Case. Some other fixes are also included, besides a few new features.

    Time will tell if it's the case or not, I'm installing it right away and see everyone on the other side.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Firmware 10.0.21.7607 got released as replacement for the pulled 10.0.20 release.

    I waited over 13 months to get this fixed, but I'll wait a few days more to avoid surprises.

    When DMARC is configured, the only reports which are available for customers to view are those related to Google. ES-8866

    No word on the malformed outgoing DMARC reports, hopefully they'll be fixed as well.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    It seems that DMARC reporting is fixed (hopefully for good) and I can see DMARC reports for other domains as well. I've got only data from AMAZON-SES and Google at the moment but I hope others work as well.

    Sending outgoing DMARC reports is a completely different story which needs further investigation. But it seems that the Outbound Mail flow in general is broken because of a well-known DNS issue the ES had in the past. This does "only" affect sending mails to recipients with many MX records, exceeding the 512 Bytes barrier for a DNS response. 😫

    --Michael@BWC
