[opendmarc-users] spf align question

Murray S. Kucherawy msk at blackops.org
Tue Apr 2 11:16:57 PDT 2013


On Sat, 30 Mar 2013, Murray S. Kucherawy wrote:
>> I don't understand why spf alignment fails for this message:

The explanation and solution to this turns out to be pretty complicated.

The main issue with respect to the message is that there is no indication 
of whether SPF passed.  opendmarc itself does not do SPF or DKIM checks; 
it relies on some other filter to do that and then communicate the result 
via Authentication-Results header fields.  So your message has no SPF 
alignment because there's nothing upstream telling it that alignment 
exists or that there was an SPF result of any kind.

I would typically recommend installing and using sid-milter even though 
it's unmaintained, but I recently discovered that there's a problem with 
the way it adds Authentication-Results that also results in incorrect 
alignment conclusions by opendmarc.  This problem goes back to RFC5451 as 
well.  I've fixed that issue in RFC5451bis (not yet published), but 
sid-milter won't be patched to fix it, so I'm considering a hack to 
accommodate it in opendmarc.

It does reveal an actual bug, however, in that we were recording false SPF 
"pass" results.  The attached patch fixes it.  Note that you will need to 
do an ALTER TABLE to get the "messages" table set properly to match what's 
in the patch.

-MSK
-------------- next part --------------
diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index 8b09da1..80aeb69 100644
--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES
@@ -3,6 +3,10 @@
 This listing shows the versions of the OpenDMARC package, the date of
 release, and a summary of the changes in that release.
 
+1.1.3		2013/04/??
+	Fix reporting of nonexistent SPF results.  Problem noted by
+		Andrei Ioachim.
+
 1.1.2		2013/03/27
 	Do Authentication-Results keyword parsing in a case-insensitive
 		manner.  Problem noted by Chris Meidinger.
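Review bot: The 1.1.3 entry mentions only the reporting fix and says nothing about the schema change made in reports/mkdb.mysql by the same patch. Add a line telling upgraders that the spf column of the messages table becomes signed and that an existing database needs an ALTER TABLE. The placeholder date 2013/04/?? also has to be filled in before release.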
diff --git a/configure.ac b/configure.ac
index ae7e870..10900a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,7 +17,7 @@ AC_PREREQ(2.61)
 #
 m4_define([VERSION_RELEASE], 1)
 m4_define([VERSION_MAJOR_REV], 1)
-m4_define([VERSION_MINOR_REV], 2)
+m4_define([VERSION_MINOR_REV], 3)
 m4_define([VERSION_PATCH], 0)
 
 #
diff --git a/opendmarc/opendmarc.c b/opendmarc/opendmarc.c
index 40aa446..5716d53 100644
--- a/opendmarc/opendmarc.c
+++ b/opendmarc/opendmarc.c
@@ -98,7 +98,6 @@ struct dmarcf_header
 struct dmarcf_msgctx
 {
 	int			mctx_spfresult;
-	int			mctx_spfalign;
 	char *			mctx_jobid;
 	struct dmarcf_header *	mctx_hqhead;
 	struct dmarcf_header *	mctx_hqtail;
@@ -1774,6 +1773,7 @@ mlfi_envfrom(SMFICTX *ctx, char **envfrom)
 	cc->cctx_msg = dfc;
 
 	dfc->mctx_jobid = JOBIDUNKNOWN;
+	dfc->mctx_spfresult = -1;
 
 	dfc->mctx_histbuf = dmarcf_dstring_new(BUFRSZ, 0);
 	if (dfc->mctx_histbuf == NULL)
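Review bot: The added line "dfc->mctx_spfresult = -1;" in mlfi_envfrom uses a bare -1 as the "no SPF result seen" marker. A named constant would make that meaning explicit here and at every place the field is tested or recorded, and the mctx_spfresult member in struct dmarcf_msgctx deserves a comment saying a negative value means no upstream result. The code that reads the field is not part of this patch, so it is worth confirming that each reader treats -1 as "no result" and never as a pass.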
@@ -1784,8 +1784,6 @@ mlfi_envfrom(SMFICTX *ctx, char **envfrom)
 		return SMFIS_TEMPFAIL;
 	}
 
-	dfc->mctx_spfalign = -1;
-
 	if (cc->cctx_dmarc != NULL)
 		(void) opendmarc_policy_connect_rset(cc->cctx_dmarc);
 
diff --git a/reports/mkdb.mysql b/reports/mkdb.mysql
index 94b1e68..83f5de5 100644
--- a/reports/mkdb.mysql
+++ b/reports/mkdb.mysql
@@ -34,7 +34,7 @@ CREATE TABLE messages (
 	env_domain INT(10) UNSIGNED NOT NULL,
 	policy_domain INT(10) UNSIGNED NOT NULL,
 	sigcount TINYINT(3) UNSIGNED NOT NULL,
-	spf TINYINT(3) UNSIGNED NOT NULL,
+	spf TINYINT(3) NOT NULL,
 	align_spf TINYINT(3) UNSIGNED NOT NULL,
 	align_dkim TINYINT(3) UNSIGNED NOT NULL,
 	PRIMARY KEY(id),
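Review bot: Dropping UNSIGNED from spf in the CREATE TABLE statement only helps new installations. An existing messages table keeps the unsigned column, which has no room for the -1 that opendmarc.c now sets as the initial mctx_spfresult. The patch should ship the migration with it, for example "ALTER TABLE messages MODIFY spf TINYINT(3) NOT NULL;", rather than leaving it to a note in the e-mail.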

