[opendmarc-users] OpenDMARC Postfix SPF implementation
Nic Bernstein
nic at onlight.com
Mon Apr 28 06:38:44 PDT 2014
On 04/26/2014 06:30 PM, Patrick Laimbock wrote:
> Hi Andreas,
>
> On 26-04-14 12:10, Andreas Schulze wrote:
>
>> here we run milter in multiple configuration for years but this behavior
>> I couldn't observe.
>> OK, I have my smf-spf milter patched. Maybe that's the reason...
>
> AFAICT pypolicyd works fine but I'm always interested in learning
> about other solutions like smf-spf. Are your patches available
> anywhere? It would be nice to have another SPF solution that works so
> people who want to use OpenDMARC can be pointed to one or more
> reference solutions/setups that are known to work.
FWIW, we found that milters which use the smfi_insheader() call with a
header index of -1 (before the first existing header) may in turn be
missed by later milters *in postfix*. For example, the spfmilter.py
program, which uses Python's milter library, does this, and a subsequent
opendmarc milter will not see any Received-SPF or Authentication-Results
header added this way. Simply hacking the code to set the index to 0 or
1 will cause the spfmilter=>opendkim=>opendmarc milter chain to work.
We ultimately adopted Scott's solution of using policyd-spf in the
primary instance of smtpd, and then applying opendkim/opendmarc milters
in the post-content-filter instance. We're not currently rejecting
based on DMARC, so have not yet considered the ramifications of this in
re back-scatter, as Andreas has pointed out.
Cheers,
-nic
BTW: My comments are *only* in relation to how milters work in postfix,
and have no bearing on how they may work in sendmail, exim or any other MTA.
--
Nic Bernstein nic at onlight.com
Onlight, Inc. www.onlight.com
219 N. Milwaukee St., Suite 2a v. 414.272.4477
Milwaukee, Wisconsin 53202
More information about the opendmarc-users
mailing list