[opendmarc-users] Deployment problems with Postfix + pypolicyd-spf + OpenDKIM

Scott Kitterman sklist at kitterman.com
Mon Aug 19 07:29:34 PDT 2013 

So I'm about 98.7% sure I tested this before and it was working correctly.  
It's not now, so let me troubleshoot.

Scott K

On Monday, August 19, 2013 09:07:04 Nic Bernstein wrote:
> Scott,
> Could you please post (or email off-list) the contents of a history file
> pertaining to a message for which DMARC worked?  That's the only way I
> know of to tell if it is, in fact, scoring SPF.  According to earlier
> list posts, OpenDMARC will pass a message as long as either SPF or DKIM
> pass, so without the history file data, it's hard to tell what's happening.
> 
> For completeness, the default setting of "smtpd_delay_reject = yes" is
> in place, there are no "smtpd_data_restrictions," and
> "policyd-spf_time_limit = 3600."
> 
> Cheers,
>     -nic
> 
> PS - To enable writing the history file (disabled by default) either add
> or uncomment the "HistoryFile" directive in opendmarc.conf:
>     HistoryFile /var/run/opendmarc/opendmarc.dat
> 
> On 08/16/2013 05:20 PM, opendmarc-users-request at trusteddomain.org wrote:
> > On Friday, August 16, 2013 16:42:07 Nic Bernstein wrote:
> >> > Folks,
> >> > We are attempting to deploy opendmarc(1.1.3) for receiving, with
> >> > Postfix
> >> > (2.9.2), pypolicyd-spf(1.2) and OpenDKIM(2.6.8).  We are getting mixed
> >> > results, in that while we do see the proper Authentication-Results
> >> > headers in our messages, opendmarc seems not to see the SPF headers.
> >> > 
> >> > Here is a sample from a recent test message:
> >> >     Authentication-Results: smtp.onlight.com; spf=pass (sender SPF
> >> > 
> >> > authorized) smtp.mailfrom=gmail.com (client-ip=209.85.212.68;
> >> > helo=mail-vb0-f68.google.com; envelope-from=nb1onlight at gmail.com;
> >> > receiver=nic at onlight.com) Authentication-Results: smtp.onlight.com;
> >> > dkim=pass
> >> > 
> >> >     	reason="2048-bit key; insecure key"
> >> >     	header.d=gmail.com header.i=@gmail.com header.b=gzXzLLLE;
> >> >     	dkim-adsp=pass; dkim-atps=neutral
> >> >     
> >> >     <...>
> >> >     Authentication-Results: ujiji.onlight.com/E85322025F; dmarc=pass
> >> > 
> >> > header.from=gmail.com
> >> > 
> >> > However, in the history file we see this:
> >> >     job E85322025F
> >> >     reporter smtp.onlight.com
> >> >     received 1376684253
> >> >     ipaddr 209.85.212.68
> >> >     from gmail.com
> >> >     mfrom gmail.com
> >> >     dkim gmail.com 0
> >> >     spf -1
> >> >     pdomain gmail.com
> >> >     policy 15
> >> >     rua mailto:mailauth-reports at google.com
> >> >     pct 100
> >> >     adkim 114
> >> >     aspf 114
> >> >     p 110
> >> >     sp 0
> >> >     align_dkim 4
> >> >     align_spf 5
> >> >     action 2
> >> > 
> >> > We have postfix configured like so:
> >> >     /etc/postfix/main.cf:
> >> >         smtpd_recipient_restrictions = permit_sasl_authenticated,
> >> >         
> >> >                 permit_mynetworks,
> >> >                 reject_unknown_recipient_domain,
> >> >                 reject_unauth_pipelining,
> >> >                 reject_unauth_destination,
> >> >                 check_policy_service unix:private/policyd-spf,
> >> >                 permit_auth_destination,
> >> >                 reject
> >> >         
> >> >         smtpd_milters = unix:/var/run/opendkim/opendkim.sock
> >> >         
> >> >                 unix:/var/run/opendmarc/opendmarc.sock
> >> >     
> >> >     /etc/postfix/master.cf:
> >> >         policyd-spf  unix  -       n       n       -       0      
> >> >         spawn
> >> >         
> >> >                 user=nobody argv=/usr/bin/policyd-spf
> >> > 
> >> > Yet it appears that the Authentication-Results header from
> >> > pypolicyd-spf
> >> > is not in the message when it is processed by opendmarc.  We turned on
> >> > full debugging in pypolicyd-spf, and added some debugging to mlfi_eom
> >> > in
> >> > an effort to see what's going on, but while we do see the opendkim
> >> > headers being processed (result_method=1,5,7), we do not see the
> >> > SPF(result_method=4) stuff at all.  It appears we're not even entering
> >> > the  "if (ar.ares_result[c].result_method == ARES_METHOD_SPF)" section
> >> > of mlfi_eom(), even though pypolicyd-spf appears to be prepending the
> > 
> >> > proper header, and we do see that header in the final email:
> > ...
> > 
> >> > Anyone have any thoughts?  It seems as though the milters are getting
> >> > the message before the policy daemon, and yet the logs would appear to
> >> > say otherwise (and they should get it after).
> >> > 
> >> > Any guidance would be greatly appreciated.
> > 
> > I have almost this exact setup and it's working.  I'm specifying the
> > milters using -o for the relevant service in master.cf instead of in
> > main.cf, but other than that, I think it's identical.
> > 
> > The logs clearly show that the SPF check is being done and I don't see how
> > it couldn't be accomplished prior to the DMARC check as it's done at RCPT
> > TO and the DMARC check can't be done until after DATA.
> > 
> > Do you have any smtpd_data_restrictions defined?
> > 
> > You might try defining TrustedAuthservIDs in your opendmarc.conf to
> > include
> > smtp.onlight.com if you haven't already.
> > 
> > Scott K

More information about the opendmarc-users mailing list