[opendmarc-users] Deployment problems with Postfix + pypolicyd-spf + OpenDKIM

Nic Bernstein nic at onlight.com
Mon Aug 19 07:07:04 PDT 2013 

Scott,
Could you please post (or email off-list) the contents of a history file
pertaining to a message for which DMARC worked?  That's the only way I
know of to tell if it is, in fact, scoring SPF.  According to earlier
list posts, OpenDMARC will pass a message as long as either SPF or DKIM
pass, so without the history file data, it's hard to tell what's happening.

For completeness, the default setting of "smtpd_delay_reject = yes" is
in place, there are no "smtpd_data_restrictions," and
"policyd-spf_time_limit = 3600."

Cheers,
    -nic

PS - To enable writing the history file (disabled by default) either add
or uncomment the "HistoryFile" directive in opendmarc.conf:
    HistoryFile /var/run/opendmarc/opendmarc.dat

On 08/16/2013 05:20 PM, opendmarc-users-request at trusteddomain.org wrote:
> On Friday, August 16, 2013 16:42:07 Nic Bernstein wrote:
>> > Folks,
>> > We are attempting to deploy opendmarc(1.1.3) for receiving, with Postfix
>> > (2.9.2), pypolicyd-spf(1.2) and OpenDKIM(2.6.8).  We are getting mixed
>> > results, in that while we do see the proper Authentication-Results
>> > headers in our messages, opendmarc seems not to see the SPF headers.
>> > Here is a sample from a recent test message:
>> > 
>> >     Authentication-Results: smtp.onlight.com; spf=pass (sender SPF
>> > authorized) smtp.mailfrom=gmail.com (client-ip=209.85.212.68;
>> > helo=mail-vb0-f68.google.com; envelope-from=nb1onlight at gmail.com;
>> > receiver=nic at onlight.com) Authentication-Results: smtp.onlight.com;
>> > dkim=pass
>> >     	reason="2048-bit key; insecure key"
>> >     	header.d=gmail.com header.i=@gmail.com header.b=gzXzLLLE;
>> >     	dkim-adsp=pass; dkim-atps=neutral
>> >     <...>
>> >     Authentication-Results: ujiji.onlight.com/E85322025F; dmarc=pass
>> > header.from=gmail.com
>> > 
>> > However, in the history file we see this:
>> > 
>> >     job E85322025F
>> >     reporter smtp.onlight.com
>> >     received 1376684253
>> >     ipaddr 209.85.212.68
>> >     from gmail.com
>> >     mfrom gmail.com
>> >     dkim gmail.com 0
>> >     spf -1
>> >     pdomain gmail.com
>> >     policy 15
>> >     rua mailto:mailauth-reports at google.com
>> >     pct 100
>> >     adkim 114
>> >     aspf 114
>> >     p 110
>> >     sp 0
>> >     align_dkim 4
>> >     align_spf 5
>> >     action 2
>> > 
>> > We have postfix configured like so:
>> > 
>> >     /etc/postfix/main.cf:
>> > 
>> >         smtpd_recipient_restrictions = permit_sasl_authenticated,
>> >                 permit_mynetworks,
>> >                 reject_unknown_recipient_domain,
>> >                 reject_unauth_pipelining,
>> >                 reject_unauth_destination,
>> >                 check_policy_service unix:private/policyd-spf,
>> >                 permit_auth_destination,
>> >                 reject
>> >         smtpd_milters = unix:/var/run/opendkim/opendkim.sock
>> >                 unix:/var/run/opendmarc/opendmarc.sock
>> > 
>> >     /etc/postfix/master.cf:
>> > 
>> >         policyd-spf  unix  -       n       n       -       0       spawn
>> >                 user=nobody argv=/usr/bin/policyd-spf
>> > 
>> > Yet it appears that the Authentication-Results header from pypolicyd-spf
>> > is not in the message when it is processed by opendmarc.  We turned on
>> > full debugging in pypolicyd-spf, and added some debugging to mlfi_eom in
>> > an effort to see what's going on, but while we do see the opendkim
>> > headers being processed (result_method=1,5,7), we do not see the
>> > SPF(result_method=4) stuff at all.  It appears we're not even entering
>> > the  "if (ar.ares_result[c].result_method == ARES_METHOD_SPF)" section
>> > of mlfi_eom(), even though pypolicyd-spf appears to be prepending the
>> > proper header, and we do see that header in the final email:
>> > 
> ...
>> > 
>> > Anyone have any thoughts?  It seems as though the milters are getting
>> > the message before the policy daemon, and yet the logs would appear to
>> > say otherwise (and they should get it after).
>> > 
>> > Any guidance would be greatly appreciated.
> I have almost this exact setup and it's working.  I'm specifying the milters 
> using -o for the relevant service in master.cf instead of in main.cf, but 
> other than that, I think it's identical.
>
> The logs clearly show that the SPF check is being done and I don't see how it 
> couldn't be accomplished prior to the DMARC check as it's done at RCPT TO and 
> the DMARC check can't be done until after DATA.
>
> Do you have any smtpd_data_restrictions defined?
>
> You might try defining TrustedAuthservIDs in your opendmarc.conf to include 
> smtp.onlight.com if you haven't already.
>
> Scott K
>

-- 
Nic Bernstein                             nic at onlight.com
Onlight, Inc.                             www.onlight.com
219 N. Milwaukee St., Suite 2a            v. 414.272.4477
Milwaukee, Wisconsin  53202

More information about the opendmarc-users mailing list