[opendmarc-users] Validation problem with postfix-policyd-spf-python module
Christoph Steindl
c.steindl at univie.ac.at
Mon Aug 11 07:05:05 PDT 2014
Hello,

I still have some trouble with the SPF validation in opendmarc.
Currently I'm using postfix with opendkim, postfix-policyd-spf-python
and opendmarc (v. 1.3.0). The spf module adds a "Received-SPF:" header
with the right results and the opendkim milter adds an
"Authentication-Results:" header with the right results. But in the
history files, which are used to generate the reports, spf always fails
(spf = -1). See the logs for an email from gmail to my own domain below.

It would be great if somebody could help me with this problem.

Thanks in advance,
Christoph

history file (opendmarc):
#########################
job 2922AAC0303
reporter dmarctest.info
received 1407764522
ipaddr 209.85.212.180
from gmail.com
mfrom gmail.com
dkim gmail.com 0 # dkim is ok
spf -1 # spf has a problem
pdomain gmail.com
policy 15
rua mailto:mailauth-reports at google.com
pct 100
adkim 114
aspf 114
p 110
sp 0
align_dkim 4
align_spf 5
action 2
#########################
Mail header:
#########################
Return-Path: <test at gmail.com>
X-Original-To: christoph at mydomain.com
Delivered-To: christoph at mydomain.com
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
client-ip=209.85.212.179; helo=mail-wi0-f179.google.com;
envelope-from=test at gmail.com; receiver=christoph at mydomain.com
Authentication-Results: mydomain.com; dkim=pass
reason="2048-bit key; unprotected key"
header.d=gmail.com header.i=@gmail.com header.b=jZobihA3;
dkim-adsp=pass; dkim-atps=neutral
Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com
[209.85.212.179])
(using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2"
(verified OK))
by mydomain.com (Postfix) with ESMTPS id 96E56AC0303
for <christoph at mydomain.com>; Mon, 11 Aug 2014 15:22:37 +0200 (CEST)
Received: by mail-wi0-f179.google.com with SMTP id f8so4191754wiw.6
for <christoph at mydomain.com>; Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=message-id:date:from;
bh=+5MTaFlEEPuOhZYsC4F3LrgZyCMC4AuHpjeVyA5jfOo=;
b=jZobihA3nuRSbCmvYfTOIEPekkcFXLGTI9jJhuztBd+31/G9vbgckfzW3EgpzTmjhH
t06JI+rNJYLtxAW8c9HlW61VUYVjIAWml3zBP/mRoCzz13pOJjkkt2tZ3Q6FxODc6kKh
BsI7mNGtF/GUgJCnYmXAD8JWEtulUWD/NzVG47cLiQQY0DmvgMdPlQHVFutO2iUyqKLP
tGeymgsjAMJAzCMknwVTb560Khuv3OduxFgitnaUK7CP/yGsUuWDCn339XeWCoVrysIG
HQos4Gr7FLSWjoR0WZ8tnirAWPrNrTCex9i9kO1rxQuV9WGVSbf+eKj76fCILKaFQSt5
G8lQ==
X-Received: by 10.180.73.235 with SMTP id o11mr25722870wiv.41.1407763517782;
Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
Received: from eos.fc.univie.ac.at ([2001:62a:4:2401:1aa9:5ff:fef0:6c47])
by mx.google.com with ESMTPSA id dc3sm1598986wjc.27.2014.08.11.06.25.17
for <christoph at mydomain.com>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
Message-ID: <53e8c43d.03b3c20a.718e.617d at mx.google.com>
Date: Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
From: test at gmail.com
Authentication-Results: mydomain.com; dmarc=pass header.from=gmail.com
DMARC-Filter: OpenDMARC Filter v1.3.0 mydomain.com 96E56AC0303
...
#########################
mail.log (system):
#########################
...
policyd-spf[6312]: None; identity=helo; client-ip=74.125.82.50;
helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com;
receiver=christoph at mydomain.com
policyd-spf[6312]: Pass; identity=mailfrom; client-ip=74.125.82.50;
helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com;
receiver=christoph at mydomain.com
postfix/smtpd[6309]: A6290AC0303:
client=mail-wg0-f50.google.com[74.125.82.50]
postfix/cleanup[6313]: A6290AC0303:
message-id=<53e8c302.26bbb40a.1ef5.ffff8f32 at mx.google.com>
opendkim[12505]: A6290AC0303: mail-wg0-f50.google.com [74.125.82.50] not
internal
opendkim[12505]: A6290AC0303: not authenticated
opendkim[12505]: A6290AC0303: s=20120113 d=gmail.com SSL
opendmarc[2145]: A6290AC0303: gmail.com pass
...
#########################
main.cf (postfix):
#########################
...
smtpd_recipient_restrictions = reject_unknown_client_hostname,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_unauth_pipelining, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_invalid_hostname, reject_non_fqdn_sender,
check_policy_service unix:private/policy-spf
...
policy-spf_time_limit = 3600s
...
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
unix:/var/run/opendmarc/opendmarc.sock
...
#########################
master.cf (postfix):
#########################
...
policy-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
...
#########################
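
Added example, not part of the original post: a Python check for the mismatch the message describes, run on constructed sample data modelled on the post's history record and headers (addresses are placeholders, function names are hypothetical). It reports whether a history record carries spf -1 while the message's Received-SPF header says pass, and which methods the Authentication-Results headers actually carry; it does not determine why OpenDMARC recorded that value.

```python
import re
from email import message_from_string

# Constructed sample data modelled on the post; addresses are placeholders.
HISTORY = """job 2922AAC0303
dkim gmail.com 0
spf -1
"""
MESSAGE = """Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.0.2.10; envelope-from=test@example.com
Authentication-Results: mydomain.com; dkim=pass
 reason="2048-bit key; unprotected key"
 header.d=gmail.com header.b=jZobihA3;
 dkim-adsp=pass; dkim-atps=neutral
"""

def parse_history(text):
    """Split an OpenDMARC history file into one dict per 'job' record."""
    records = []
    for line in text.splitlines():
        key, _, value = line.split("#")[0].strip().partition(" ")
        if key == "job":
            records.append({})
        if key and records:
            records[-1][key] = value.strip()
    return records

def auth_results(raw):
    """Return {method: result} over all Authentication-Results headers."""
    found = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        value = re.sub(r'"[^"]*"', '""', value)  # a quoted reason may contain ';'
        for part in value.split(";")[1:]:        # part 0 is the authserv-id
            m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
            if m:
                found[m.group(1).lower()] = m.group(2).lower()
    return found

def received_spf(raw):
    """Return the result keyword of the Received-SPF header, or None."""
    value = message_from_string(raw).get("Received-SPF")
    return value.split()[0].lower() if value else None

def spf_mismatch(record, raw):
    """True when Received-SPF says pass but the history record has spf -1."""
    return record.get("spf") == "-1" and received_spf(raw) == "pass"

if __name__ == "__main__":
    print(spf_mismatch(parse_history(HISTORY)[0], MESSAGE), auth_results(MESSAGE))
```

The history record and the headers passed in should belong to the same message, matched by queue ID.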