[opendmarc-users] Deployment problems with Postfix + pypolicyd-spf + OpenDKIM
Nic Bernstein
nic at onlight.com
Tue Aug 20 14:44:08 PDT 2013
On 08/20/2013 02:38 PM, Murray S. Kucherawy wrote:
> Thanks for all the details and reproductions on this. It will take me
> a few days to dig myself out of the hole I'm in on other projects, but
> I will get to it ASAP. If anyone's feeling impatient, please don't
> wait for me to take a run at it.
>
> -MSK
Murray,
For the record, we did some further testing with the spf-milter-python
package in Ubuntu Lucid with similar results. When processing a message
with legitimate DKIM Authentication-Results header, the SPF-Results
header doesn't seem to be seen by opendmarc. Here is the pertinent
setup info:
#/etc/postfix/main.cf
smtpd_milters = inet:localhost:8891    # spf-milter-python
                inet:localhost:8892    # opendkim
                inet:localhost:8893    # opendmarc
# netstat -lntp4
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      29025/python
tcp        0      0 127.0.0.1:8892          0.0.0.0:*               LISTEN      28962/opendkim
tcp        0      0 127.0.0.1:8893          0.0.0.0:*               LISTEN      28985/opendmarc
Attached is what we see in the logs (with our added debugging) when
receiving a message with both SPF and DKIM headers (headers also
attached, as is our debugging patch used to produce the extra log messages).
Here is the portion of /var/run/opendmarc/opendmarc.dat matching this
message:
job 39566203A3
reporter smtp.onlight.com
received 1376944893
ipaddr 209.85.212.68
from gmail.com
mfrom gmail.com
dkim gmail.com 0
spf -1
pdomain gmail.com
policy 15
rua mailto:mailauth-reports at google.com
pct 100
adkim 114
aspf 114
p 110
sp 0
align_dkim 4
align_spf 5
action 2
Please let us know if we can be of further assistance.
-nic
--
Nic Bernstein nic at onlight.com
Onlight, Inc. www.onlight.com
219 N. Milwaukee St., Suite 2a v. 414.272.4477
Milwaukee, Wisconsin 53202
-------------- next part --------------
Received: from smtp.onlight.com ([127.0.0.1])
    by localhost (filter.onlight.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id oYNdWFw3rGtV for <nic at onlight.com>;
    Mon, 19 Aug 2013 15:41:33 -0500 (CDT)
Received-SPF: Pass (smtp.onlight.com: domain of gmail.com designates 209.85.212.68 as permitted sender) client-ip=209.85.212.68; envelope-from="nb1onlight at gmail.com"; helo=mail-vb0-f68.google.com; receiver=smtp.onlight.com; mechanism="include:_netblocks.google.com"; identity=mailfrom
Authentication-Results: smtp.onlight.com; dkim=pass
    reason="2048-bit key; insecure key"
    header.d=gmail.com header.i=@gmail.com header.b=UhA3rVUa;
    dkim-adsp=pass; dkim-atps=neutral
Received: from mail-vb0-f68.google.com (mail-vb0-f68.google.com [209.85.212.68])
    by smtp.onlight.com (Postfix) with ESMTPS id 39566203A3
    for <nic at onlight.com>; Mon, 19 Aug 2013 15:41:33 -0500 (CDT)
Received: by mail-vb0-f68.google.com with SMTP id e13so1442879vbg.11
    for <nic at onlight.com>; Mon, 19 Aug 2013 13:41:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20120113;
    h=mime-version:date:message-id:subject:from:to:content-type;
    bh=qJPIRZ4rICL/Lr0Ky/b2UdlX3MZ3Zc6mls4MqmokhRc=;
    b=UhA3rVUaiIkSAn7k1T5RGp3kPADcNUoy5pLE9Oz4mUX/WmAD55192yb5UkeCinK0ZT
    rMdadi6zW3eUfmAGpcrUoAEdHFfiVBKPCYBqDhMifIDrozfkhNPp2L4NC3uQ6/QyWnVo
    9m/b4nIdasEaIpQCRkJinjfcHUyoxYQhW0gcMrnuHGC0ZVSyG9CSZ/NssI+FySDdlYHe
    PJccyiX6e/JyO+YFP9rpscIYvt+dw7JB6r+a8p5KjhJtKnyG8iVxfpLlTV5ws6rHB6PM
    tvih+qh27aTFXwFcAbUASw96/r2LWfIKfKynzuCU4XEBNH8F3j747KfMEefLzfuaqKmu
    I6wg==
MIME-Version: 1.0
X-Received: by 10.59.8.232 with SMTP id dn8mr14849090ved.8.1376944900687; Mon,
    19 Aug 2013 13:41:40 -0700 (PDT)
Received: by 10.220.151.84 with HTTP; Mon, 19 Aug 2013 13:41:40 -0700 (PDT)
Date: Mon, 19 Aug 2013 15:41:40 -0500
Message-ID: <CAAUC_HZnjeqcLvzmSa41WBnj6FFoB9Xp3r4EWF=RTNmWqSzuQA at mail.gmail.com>
Subject: THis is a TCP test
From: N B <nb1onlight at gmail.com>
To: nic at onlight.com
Content-Type: multipart/alternative; boundary=047d7bd75d5cae4c6b04e452f7c4
Authentication-Results: smtp.onlight.com/39566203A3; dmarc=pass header.from=gmail.com
-------------- next part --------------
Aug 19 15:41:32 ujiji postfix/postscreen[29139]: CONNECT from [209.85.212.68]:39690 to [10.10.1.25]:25
Aug 19 15:41:32 ujiji postfix/postscreen[29139]: PASS OLD [209.85.212.68]:39690
Aug 19 15:41:32 ujiji postfix/smtpd[29140]: connect from mail-vb0-f68.google.com[209.85.212.68]
Aug 19 15:41:33 ujiji spfmilter: [4] connect from mail-vb0-f68.google.com at ('209.85.212.68', 39690) EXTERNAL
Aug 19 15:41:33 ujiji spfmilter: [4] hello from mail-vb0-f68.google.com
Aug 19 15:41:33 ujiji spfmilter: [4] hello from mail-vb0-f68.google.com
Aug 19 15:41:33 ujiji spfmilter: [4] mail from <nb1onlight at gmail.com> ()
Aug 19 15:41:33 ujiji spfmilter: [4] Received-SPF: Pass (smtp.onlight.com: domain of gmail.com designates 209.85.212.68 as permitted sender) client-ip=209.85.212.68; envelope-from="nb1onlight at gmail.com"; helo=mail-vb0-f68.google.com; receiver=smtp.onlight.com; mechanism="include:_netblocks.google.com"; identity=mailfrom
Aug 19 15:41:33 ujiji postfix/smtpd[29140]: 39566203A3: client=mail-vb0-f68.google.com[209.85.212.68]
Aug 19 15:41:33 ujiji postfix/cleanup[29145]: 39566203A3: message-id=<CAAUC_HZnjeqcLvzmSa41WBnj6FFoB9Xp3r4EWF=RTNmWqSzuQA at mail.gmail.com>
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: entered
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: c=0 result_method=1 result_result=0
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: c=1 result_method=5 result_result=0
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: c=2 result_method=7 result_result=3
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Authentication-Results
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Received
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Received
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing DKIM-Signature
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing MIME-Version
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing X-Received
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Received
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Date
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Message-ID
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Subject
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing From
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing To
Aug 19 15:41:33 ujiji opendmarc[28985]: mlfi_eom: processing Content-Type
Aug 19 15:41:33 ujiji opendmarc[28985]: 39566203A3: gmail.com pass
Aug 19 15:41:33 ujiji postfix/qmgr[29131]: 39566203A3: from=<nb1onlight at gmail.com>, size=1747, nrcpt=1 (queue active)
Aug 19 15:41:33 ujiji postfix/smtpd[29140]: disconnect from mail-vb0-f68.google.com[209.85.212.68]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: opendmarc-debug.patch
Type: text/x-patch
Size: 1448 bytes
Desc: not available
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20130820/e9903ee5/attachment.bin>
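
Added example (not part of the original post, and not OpenDMARC code): a cross-check of the SPF evidence in a message's headers against the spf field of its opendmarc.dat record, which is the mismatch reported above. The names spf_gap, ar_methods, received_spf and history_record are hypothetical, the sample data is constructed by trimming the headers and record in this message, and reading a negative spf value as "no SPF result recorded" is an assumption.

```python
import re
from email import message_from_string

# Constructed sample: trimmed copies of the headers and history record above.
HEADERS = """\
Received-SPF: Pass (smtp.onlight.com: domain of gmail.com designates 209.85.212.68 as permitted sender) client-ip=209.85.212.68; identity=mailfrom
Authentication-Results: smtp.onlight.com; dkim=pass
\treason="2048-bit key; insecure key"
\theader.d=gmail.com header.i=@gmail.com header.b=UhA3rVUa;
\tdkim-adsp=pass; dkim-atps=neutral

"""
RECORD = "job 39566203A3\nfrom gmail.com\ndkim gmail.com 0\nspf -1\naction 2\n"

def ar_methods(msg, authserv_id):
    """Return {method: result} from Authentication-Results stamped by authserv_id."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        unfolded = re.sub(r"\s+", " ", value).strip()
        # Blank out quoted strings first: reason="...; ..." contains a ';'.
        unquoted = re.sub(r'"[^"]*"', '""', unfolded)
        ident, _, rest = unquoted.partition(";")
        if ident.strip().split("/")[0].lower() != authserv_id.lower():
            continue  # results stamped by another host are not evidence
        for clause in rest.split(";"):
            m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
            if m:
                found[m.group(1).lower()] = m.group(2).lower()
    return found

def received_spf(msg):
    """Result keyword of the first Received-SPF header, lower-cased, or None."""
    words = (msg.get("Received-SPF") or "").split()
    return words[0].lower() if words else None

def history_record(text):
    """Parse one opendmarc.dat record into {key: [fields, ...]}."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return {key: fields for key, *fields in rows}

def spf_gap(headers, record, authserv_id):
    """Compare SPF evidence in the headers with what the history record kept."""
    msg = message_from_string(headers)
    ar_spf = ar_methods(msg, authserv_id).get("spf")
    header_spf = received_spf(msg)
    hist_spf = int(history_record(record)["spf"][0])
    # Assumption: a negative spf value means no SPF result was recorded.
    gap = header_spf is not None and ar_spf is None and hist_spf < 0
    return {"received_spf": header_spf, "ar_spf": ar_spf,
            "history_spf": hist_spf, "gap": gap}

if __name__ == "__main__":
    print(spf_gap(HEADERS, RECORD, "smtp.onlight.com"))
```

On the sample, the message carries a Received-SPF pass but no spf= clause from the local authserv-id, and the history record holds spf -1, so the reported DMARC pass rests on the DKIM result alone.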