[opendmarc-users] Deployment problems with Postfix + pypolicyd-spf + OpenDKIM

Nic Bernstein nic at onlight.com
Tue Aug 20 14:44:08 PDT 2013 

On 08/20/2013 02:38 PM, Murray S. Kucherawy wrote:
> Thanks for all the details and reproductions on this.  It will take me
> a few days to dig myself out of the hole I'm in on other projects, but
> I will get to it ASAP.  If anyone's feeling impatient, please don't
> wait for me to take a run at it.
>
> -MSK

Murray,
For the record, we did some further testing with the spf-milter-python
package in Ubuntu Lucid with similar results.  When processing a message
with legitimate DKIM Authentication-Results header, the SPF-Results
header doesn't seem to be seen by opendmarc.  Here is the pertinent
setup info:

    #/etc/postfix/main.cf
    smtpd_milters = inet:localhost:8891        # spf-milter-python
        inet:localhost:8892                    # opendkim
        inet:localhost:8893                    # opendmarc

    # netstat -lntp4
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address        
    State       PID/Program name
    tcp      0    0     127.0.0.1:8891          0.0.0.0:*              
    LISTEN     29025/python   
    tcp      0    0     127.0.0.1:8892          0.0.0.0:*              
    LISTEN     28962/opendkim 
    tcp      0    0     127.0.0.1:8893          0.0.0.0:*              
    LISTEN     28985/opendmarc

Attached is what we see in the logs (with our added debugging) when
receiving a message with both SPF and DKIM headers (headers also
attached, as is our debugging patch used to produce the extra log messages).

Here is the portion of /var/run/opendmarc/opendmarc.dat matching this
message:

    job 39566203A3
    reporter smtp.onlight.com
    received 1376944893
    ipaddr 209.85.212.68
    from gmail.com
    mfrom gmail.com
    dkim gmail.com 0
    spf -1
    pdomain gmail.com
    policy 15
    rua mailto:mailauth-reports at google.com
    pct 100
    adkim 114
    aspf 114
    p 110
    sp 0
    align_dkim 4
    align_spf 5
    action 2

Please let us know if we can be of further assistance.
    -nic

-- 
Nic Bernstein                             nic at onlight.com
Onlight, Inc.                             www.onlight.com
219 N. Milwaukee St., Suite 2a            v. 414.272.4477
Milwaukee, Wisconsin  53202

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20130820/e9903ee5/attachment.htm>
-------------- next part --------------
Received: from smtp.onlight.com ([127.0.0.1])
	by localhost (filter.onlight.com [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id oYNdWFw3rGtV for <nic at onlight.com>;
	Mon, 19 Aug 2013 15:41:33 -0500 (CDT)
Received-SPF: Pass (smtp.onlight.com: domain of gmail.com designates 209.85.212.68 as permitted sender) client-ip=209.85.212.68; envelope-from="nb1onlight at gmail.com"; helo=mail-vb0-f68.google.com; receiver=smtp.onlight.com; mechanism="include:_netblocks.google.com"; identity=mailfrom
Authentication-Results: smtp.onlight.com; dkim=pass
	reason="2048-bit key; insecure key"
	header.d=gmail.com header.i=@gmail.com header.b=UhA3rVUa;
	dkim-adsp=pass; dkim-atps=neutral
Received: from mail-vb0-f68.google.com (mail-vb0-f68.google.com [209.85.212.68])
	by smtp.onlight.com (Postfix) with ESMTPS id 39566203A3
	for <nic at onlight.com>; Mon, 19 Aug 2013 15:41:33 -0500 (CDT)
Received: by mail-vb0-f68.google.com with SMTP id e13so1442879vbg.11
        for <nic at onlight.com>; Mon, 19 Aug 2013 13:41:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=qJPIRZ4rICL/Lr0Ky/b2UdlX3MZ3Zc6mls4MqmokhRc=;
        b=UhA3rVUaiIkSAn7k1T5RGp3kPADcNUoy5pLE9Oz4mUX/WmAD55192yb5UkeCinK0ZT
         rMdadi6zW3eUfmAGpcrUoAEdHFfiVBKPCYBqDhMifIDrozfkhNPp2L4NC3uQ6/QyWnVo
         9m/b4nIdasEaIpQCRkJinjfcHUyoxYQhW0gcMrnuHGC0ZVSyG9CSZ/NssI+FySDdlYHe
         PJccyiX6e/JyO+YFP9rpscIYvt+dw7JB6r+a8p5KjhJtKnyG8iVxfpLlTV5ws6rHB6PM
         tvih+qh27aTFXwFcAbUASw96/r2LWfIKfKynzuCU4XEBNH8F3j747KfMEefLzfuaqKmu
         I6wg==
MIME-Version: 1.0
X-Received: by 10.59.8.232 with SMTP id dn8mr14849090ved.8.1376944900687; Mon,
 19 Aug 2013 13:41:40 -0700 (PDT)
Received: by 10.220.151.84 with HTTP; Mon, 19 Aug 2013 13:41:40 -0700 (PDT)
Date: Mon, 19 Aug 2013 15:41:40 -0500
Message-ID: <CAAUC_HZnjeqcLvzmSa41WBnj6FFoB9Xp3r4EWF=RTNmWqSzuQA at mail.gmail.com>
Subject: THis is a TCP test
From: N B <nb1onlight at gmail.com>
To: nic at onlight.com
Content-Type: multipart/alternative; boundary=047d7bd75d5cae4c6b04e452f7c4
Authentication-Results: smtp.onlight.com/39566203A3; dmarc=pass header.from=gmail.com
-------------- next part --------------
Aug 19 15:41:32 ujiji postfix/postscreen[29139]: CONNECT from [209.85.212.68]:39690 to [10.10.1.25]:25
Aug 19 15:41:32 ujiji postfix/postscreen[29139]: PASS OLD [209.85.212.68]:39690
Aug 19 15:41:32 ujiji postfix/smtpd[29140]: connect from mail-vb0-f68.google.com[209.85.212.68]
Aug 19 15:41:33 ujiji spfmilter: [4] connect from mail-vb0-f68.google.com at ('209.85.212.68', 39690) EXTERNAL
Aug 19 15:41:33 ujiji spfmilter: [4] hello from mail-vb0-f68.google.com
Aug 19 15:41:33 ujiji spfmilter: [4] hello from mail-vb0-f68.google.com
Aug 19 15:41:33 ujiji spfmilter: [4] mail from <nb1onlight at gmail.com> ()
Aug 19 15:41:33 ujiji spfmilter: [4] Received-SPF: Pass (smtp.onlight.com: domain of gmail.com designates 209.85.212.68 as permitted sender) client-ip=209.85.212.68; envelope-from="nb1onlight at gmail.com"; helo=mail-vb0-f68.google.com; receiver=smtp.onlight.com; mechanism="include:_netblocks.google.com"; identity=mailfrom
Aug 19 15:41:33 ujiji postfix/smtpd[29140]: 39566203A3: client=mail-vb0-f68.google.com[209.85.212.68]
Aug 19 15:41:33 ujiji postfix/cleanup[29145]: 39566203A3: message-id=<CAAUC_HZnjeqcLvzmSa41WBnj6FFoB9Xp3r4EWF=RTNmWqSzuQA at mail.gmail.com>
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: entered
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: c=0 result_method=1 result_result=0
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: c=1 result_method=5 result_result=0
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: c=2 result_method=7 result_result=3
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Authentication-Results
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Received
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Received
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing DKIM-Signature
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing MIME-Version
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing X-Received
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Received
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Date
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Message-ID
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Subject
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing From
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing To
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Content-Type
Aug 19 15:41:33 ujiji opendmarc[28985]: 39566203A3: gmail.com pass
Aug 19 15:41:33 ujiji postfix/qmgr[29131]: 39566203A3: from=<nb1onlight at gmail.com>, size=1747, nrcpt=1 (queue active)
Aug 19 15:41:33 ujiji postfix/smtpd[29140]: disconnect from mail-vb0-f68.google.com[209.85.212.68]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: opendmarc-debug.patch
Type: text/x-patch
Size: 1448 bytes
Desc: not available
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20130820/e9903ee5/attachment.bin>

More information about the opendmarc-users mailing list