[opendmarc-users] Deployment problems with Postfix + pypolicyd-spf + OpenDKIM
Nic Bernstein
nic at onlight.com
Mon Aug 19 07:48:56 PDT 2013
Scott,
Thanks much. Also, for completeness, I have tested this using the "SPF"
mode (Received-SPF header) of pypolicyd-spf, as Maarten Oelering reports
success with, and have the same results. The Received-SPF header is in
the final message, but is not seen by opendmarc.
Cheers,
-nic
On 08/19/2013 09:29 AM, Scott Kitterman wrote:
> So I'm about 98.7% sure I tested this before and it was working correctly.
> It's not now, so let me troubleshoot.
>
> Scott K
>
> On Monday, August 19, 2013 09:07:04 Nic Bernstein wrote:
>> Scott,
>> Could you please post (or email off-list) the contents of a history file
>> pertaining to a message for which DMARC worked? That's the only way I
>> know of to tell if it is, in fact, scoring SPF. According to earlier
>> list posts, OpenDMARC will pass a message as long as either SPF or DKIM
>> pass, so without the history file data, it's hard to tell what's happening.
>>
>> For completeness, the default setting of "smtpd_delay_reject = yes" is
>> in place, there are no "smtpd_data_restrictions," and
>> "policyd-spf_time_limit = 3600."
>>
>> Cheers,
>> -nic
>>
>> PS - To enable writing the history file (disabled by default) either add
>> or uncomment the "HistoryFile" directive in opendmarc.conf:
>> HistoryFile /var/run/opendmarc/opendmarc.dat
>>
>> On 08/16/2013 05:20 PM, opendmarc-users-request at trusteddomain.org wrote:
>>> On Friday, August 16, 2013 16:42:07 Nic Bernstein wrote:
>>>>> Folks,
>>>>> We are attempting to deploy opendmarc(1.1.3) for receiving, with
>>>>> Postfix
>>>>> (2.9.2), pypolicyd-spf(1.2) and OpenDKIM(2.6.8). We are getting mixed
>>>>> results, in that while we do see the proper Authentication-Results
>>>>> headers in our messages, opendmarc seems not to see the SPF headers.
>>>>>
>>>>> Here is a sample from a recent test message:
>>>>> Authentication-Results: smtp.onlight.com; spf=pass (sender SPF
>>>>>
>>>>> authorized) smtp.mailfrom=gmail.com (client-ip=209.85.212.68;
>>>>> helo=mail-vb0-f68.google.com; envelope-from=nb1onlight at gmail.com;
>>>>> receiver=nic at onlight.com) Authentication-Results: smtp.onlight.com;
>>>>> dkim=pass
>>>>>
>>>>> reason="2048-bit key; insecure key"
>>>>> header.d=gmail.com header.i=@gmail.com header.b=gzXzLLLE;
>>>>> dkim-adsp=pass; dkim-atps=neutral
>>>>>
>>>>> <...>
>>>>> Authentication-Results: ujiji.onlight.com/E85322025F; dmarc=pass
>>>>>
>>>>> header.from=gmail.com
>>>>>
>>>>> However, in the history file we see this:
>>>>> job E85322025F
>>>>> reporter smtp.onlight.com
>>>>> received 1376684253
>>>>> ipaddr 209.85.212.68
>>>>> from gmail.com
>>>>> mfrom gmail.com
>>>>> dkim gmail.com 0
>>>>> spf -1
>>>>> pdomain gmail.com
>>>>> policy 15
>>>>> rua mailto:mailauth-reports at google.com
>>>>> pct 100
>>>>> adkim 114
>>>>> aspf 114
>>>>> p 110
>>>>> sp 0
>>>>> align_dkim 4
>>>>> align_spf 5
>>>>> action 2
>>>>>
>>>>> We have postfix configured like so:
>>>>> /etc/postfix/main.cf:
>>>>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>>>>>
>>>>> permit_mynetworks,
>>>>> reject_unknown_recipient_domain,
>>>>> reject_unauth_pipelining,
>>>>> reject_unauth_destination,
>>>>> check_policy_service unix:private/policyd-spf,
>>>>> permit_auth_destination,
>>>>> reject
>>>>>
>>>>> smtpd_milters = unix:/var/run/opendkim/opendkim.sock
>>>>>
>>>>> unix:/var/run/opendmarc/opendmarc.sock
>>>>>
>>>>> /etc/postfix/master.cf:
>>>>> policyd-spf unix - n n - 0
>>>>> spawn
>>>>>
>>>>> user=nobody argv=/usr/bin/policyd-spf
>>>>>
>>>>> Yet it appears that the Authentication-Results header from
>>>>> pypolicyd-spf
>>>>> is not in the message when it is processed by opendmarc. We turned on
>>>>> full debugging in pypolicyd-spf, and added some debugging to mlfi_eom
>>>>> in
>>>>> an effort to see what's going on, but while we do see the opendkim
>>>>> headers being processed (result_method=1,5,7), we do not see the
>>>>> SPF(result_method=4) stuff at all. It appears we're not even entering
>>>>> the "if (ar.ares_result[c].result_method == ARES_METHOD_SPF)" section
>>>>> of mlfi_eom(), even though pypolicyd-spf appears to be prepending the
>>>>> proper header, and we do see that header in the final email:
>>> ...
>>>
>>>>> Anyone have any thoughts? It seems as though the milters are getting
>>>>> the message before the policy daemon, and yet the logs would appear to
>>>>> say otherwise (and they should get it after).
>>>>>
>>>>> Any guidance would be greatly appreciated.
>>> I have almost this exact setup and it's working. I'm specifying the
>>> milters using -o for the relevant service in master.cf instead of in
>>> main.cf, but other than that, I think it's identical.
>>>
>>> The logs clearly show that the SPF check is being done and I don't see how
>>> it couldn't be accomplished prior to the DMARC check as it's done at RCPT
>>> TO and the DMARC check can't be done until after DATA.
>>>
>>> Do you have any smtpd_data_restrictions defined?
>>>
>>> You might try defining TrustedAuthservIDs in your opendmarc.conf to
>>> include
>>> smtp.onlight.com if you haven't already.
>>>
>>> Scott K
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
--
Nic Bernstein nic at onlight.com
Onlight, Inc. www.onlight.com
219 N. Milwaukee St., Suite 2a v. 414.272.4477
Milwaukee, Wisconsin 53202
More information about the opendmarc-users
mailing list