[opendmarc-users] OpenDMARC Postfix SPF implementation

Scott Kitterman sklist at kitterman.com
Mon Apr 28 07:10:18 PDT 2014


On Monday, April 28, 2014 08:38:44 Nic Bernstein wrote:
> On 04/26/2014 06:30 PM, Patrick Laimbock wrote:
> > Hi Andreas,
> > 
> > On 26-04-14 12:10, Andreas Schulze wrote:
> >> here we run milter in multiple configuration for years but this behavior
> >> I couldn't observe.
> >> OK, I have my smf-spf milter patched. Maybe that's the reason...
> > 
> > AFAICT pypolicyd works fine but I'm always interested in learning
> > about other solutions like smf-spf. Are your patches available
> > anywhere? It would be nice to have another SPF solution that works so
> > people who want to use OpenDMARC can be pointed to one or more
> > reference solutions/setups that are known to work.
> 
> FWIW, we found that milters which use the smfi_insheader() call with a
> header index of -1 (before the first existing header) may in turn be
> missed by later milters *in postfix*.  For example, the spfmilter.py
> program, which uses Python's milter library, does this, and a subsequent
> opendmarc milter will not see any Received-SPF or Authentication-Results
> header added this way.  Simply hacking the code to set the index to 0 or
> 1 will cause the spfmilter=>opendkim=>opendmarc milter chain to work.
> 
> We ultimately adopted Scott's solution of using policyd-spf in the
> primary instance of smtpd, and then applying opendkim/opendmarc milters
> in the post-content-filter instance.  We're not currently rejecting
> based on DMARC, so have not yet considered the ramifications of this in
> re back-scatter, as Andreas has pointed out.
> 
> Cheers,
>     -nic
> 
> BTW: My comments are *only* in relation to how milters work in postfix,
> and have no bearing on how they may work in sendmail, exim or any other MTA.


Nic,

Could you send me the patch you did for spfmilter.py (off list I guess, since 
it's pretty OT at this point)?  I want to discuss it with the author and see 
if it'd cause a problem with Sendmail or not.

Scott K
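
The layout described in the quoted message (policyd-spf in the primary smtpd, opendkim/opendmarc milters on the post-content-filter smtpd), sketched as an added example; it is not taken from either poster's configuration. The filter transport name, the ports 10024/10025, the milter sockets and the policyd-spf path are assumed values to adapt locally.

```conf
# ---- /etc/postfix/main.cf (assumed values, adjust locally) ----
# SPF is evaluated by the policy service at RCPT TO time in the primary
# smtpd; policyd-spf prepends its result header to the accepted message.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600

# ---- /etc/postfix/master.cf ----
# Primary (internet-facing) smtpd: no milters here, hand off to the filter.
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_milters=
  -o content_filter=smtp-filter:[127.0.0.1]:10024

# Policy daemon spawned on demand for check_policy_service above.
policyd-spf  unix  -    n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf

# Transport that delivers to the content filter (name is an assumption).
smtp-filter  unix  -    -       n       -       2       smtp

# Post-content-filter smtpd: the filter reinjects here. The SPF header is
# already part of the message, so opendkim and then opendmarc both see it.
# Do not copy "no_milters" into receive_override_options on this listener,
# as many content-filter recipes do; that would disable both milters.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_unknown_recipient_checks
  -o smtpd_milters=inet:127.0.0.1:8891,inet:127.0.0.1:8893
```

On the reinjection listener the milters see 127.0.0.1 as the connecting client, so check that opendkim's InternalHosts and opendmarc's IgnoreHosts settings do not cause reinjected mail to be skipped.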

