[opendmarc-users] Deployment problems with Postfix + pypolicyd-spf + OpenDKIM

Fri Aug 16 15:20:06 PDT 2013

On Friday, August 16, 2013 16:42:07 Nic Bernstein wrote:
> Folks,
> We are attempting to deploy opendmarc(1.1.3) for receiving, with Postfix
> (2.9.2), pypolicyd-spf(1.2) and OpenDKIM(2.6.8).  We are getting mixed
> results, in that while we do see the proper Authentication-Results
> headers in our messages, opendmarc seems not to see the SPF headers.
> Here is a sample from a recent test message:
> 
>     Authentication-Results: smtp.onlight.com; spf=pass (sender SPF
> authorized) smtp.mailfrom=gmail.com (client-ip=209.85.212.68;
> helo=mail-vb0-f68.google.com; envelope-from=nb1onlight at gmail.com;
> receiver=nic at onlight.com) Authentication-Results: smtp.onlight.com;
> dkim=pass
>     	reason="2048-bit key; insecure key"
>     	header.d=gmail.com header.i=@gmail.com header.b=gzXzLLLE;
>     	dkim-adsp=pass; dkim-atps=neutral
>     <...>
>     Authentication-Results: ujiji.onlight.com/E85322025F; dmarc=pass
> header.from=gmail.com
> 
> However, in the history file we see this:
> 
>     job E85322025F
>     reporter smtp.onlight.com
>     received 1376684253
>     ipaddr 209.85.212.68
>     from gmail.com
>     mfrom gmail.com
>     dkim gmail.com 0
>     spf -1
>     pdomain gmail.com
>     policy 15
>     rua mailto:mailauth-reports at google.com
>     pct 100
>     adkim 114
>     aspf 114
>     p 110
>     sp 0
>     align_dkim 4
>     align_spf 5
>     action 2
> 
> We have postfix configured like so:
> 
>     /etc/postfix/main.cf:
> 
>         smtpd_recipient_restrictions = permit_sasl_authenticated,
>                 permit_mynetworks,
>                 reject_unknown_recipient_domain,
>                 reject_unauth_pipelining,
>                 reject_unauth_destination,
>                 check_policy_service unix:private/policyd-spf,
>                 permit_auth_destination,
>                 reject
>         smtpd_milters = unix:/var/run/opendkim/opendkim.sock
>                 unix:/var/run/opendmarc/opendmarc.sock
> 
>     /etc/postfix/master.cf:
> 
>         policyd-spf  unix  -       n       n       -       0       spawn
>                 user=nobody argv=/usr/bin/policyd-spf
> 
> Yet it appears that the Authentication-Results header from pypolicyd-spf
> is not in the message when it is processed by opendmarc.  We turned on
> full debugging in pypolicyd-spf, and added some debugging to mlfi_eom in
> an effort to see what's going on, but while we do see the opendkim
> headers being processed (result_method=1,5,7), we do not see the
> SPF(result_method=4) stuff at all.  It appears we're not even entering
> the  "if (ar.ares_result[c].result_method == ARES_METHOD_SPF)" section
> of mlfi_eom(), even though pypolicyd-spf appears to be prepending the
> proper header, and we do see that header in the final email:
> 
...
> 
> Anyone have any thoughts?  It seems as though the milters are getting
> the message before the policy daemon, and yet the logs would appear to
> say otherwise (and they should get it after).
> 
> Any guidance would be greatly appreciated.

I have almost this exact setup and it's working.  I'm specifying the milters 
using -o for the relevant service in master.cf instead of in main.cf, but 
other than that, I think it's identical.

The logs clearly show that the SPF check is being done and I don't see how it 
couldn't be accomplished prior to the DMARC check as it's done at RCPT TO and 
the DMARC check can't be done until after DATA.

Do you have any smtpd_data_restrictions defined?

You might try defining TrustedAuthservIDs in your opendmarc.conf to include 
smtp.onlight.com if you haven't already.

Scott K