[opendmarc-users] Validation problem with postfix-policyd-spf-python module

Nic Bernstein nic at onlight.com
Mon Aug 11 15:30:23 PDT 2014


Please take a look in this mailing list's archives for these subject lines:

  * "pypolicyd-spf integration" from March of this year
  * "OpenDMARC Postfix SPF implementation" from April of this year

Those messages will tell you all you need to get this working.

Cheers,
     -nic

Archives are here: 
http://www.trusteddomain.org/mailman/listinfo/opendmarc-users

On 08/11/2014 09:05 AM, Christoph Steindl wrote:
> Hello,
>
> I still have some troubles with the spf validation in opendmarc. 
> Currently I'm using postfix with opendkim, postfix-policyd-spf-python 
> and opendmarc (v. 1.3.0). The spf module adds a "Received-SPF:" header 
> with the right results and the opendkim milter adds an 
> "Authentication-Results:" header with the right results. But in the 
> history files, which are used to generate the reports, spf always 
> fails (spf = -1). See the logs for an email from gmail to my own 
> domain below. It would be great if somebody could help me with this 
> problem.
>
> Thanks in advance,
> Christoph
>
>
>
> history file (opendmarc):
> #########################
> job 2922AAC0303
> reporter dmarctest.info
> received 1407764522
> ipaddr 209.85.212.180
> from gmail.com
> mfrom gmail.com
> dkim gmail.com 0       # dkim is ok
> spf -1                         # spf has a problem
> pdomain gmail.com
> policy 15
> rua mailto:mailauth-reports at google.com
> pct 100
> adkim 114
> aspf 114
> p 110
> sp 0
> align_dkim 4
> align_spf 5
> action 2
> #########################
>
>
> Mail header:
> #########################
> Return-Path: <test at gmail.com>
> X-Original-To: christoph at mydomain.com
> Delivered-To: christoph at mydomain.com
> Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
>     client-ip=209.85.212.179; helo=mail-wi0-f179.google.com;
>     envelope-from=test at gmail.com; receiver=christoph at mydomain.com
> Authentication-Results: mydomain.com; dkim=pass
>     reason="2048-bit key; unprotected key"
>     header.d=gmail.com header.i=@gmail.com header.b=jZobihA3;
>     dkim-adsp=pass; dkim-atps=neutral
> Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com [209.85.212.179])
>     (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
>     (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
>     by mydomain.com (Postfix) with ESMTPS id 96E56AC0303
>     for <christoph at mydomain.com>; Mon, 11 Aug 2014 15:22:37 +0200 (CEST)
> Received: by mail-wi0-f179.google.com with SMTP id f8so4191754wiw.6
>     for <christoph at mydomain.com>; Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>     d=gmail.com; s=20120113;
>     h=message-id:date:from;
>     bh=+5MTaFlEEPuOhZYsC4F3LrgZyCMC4AuHpjeVyA5jfOo=;
> b=jZobihA3nuRSbCmvYfTOIEPekkcFXLGTI9jJhuztBd+31/G9vbgckfzW3EgpzTmjhH
> t06JI+rNJYLtxAW8c9HlW61VUYVjIAWml3zBP/mRoCzz13pOJjkkt2tZ3Q6FxODc6kKh
> BsI7mNGtF/GUgJCnYmXAD8JWEtulUWD/NzVG47cLiQQY0DmvgMdPlQHVFutO2iUyqKLP
> tGeymgsjAMJAzCMknwVTb560Khuv3OduxFgitnaUK7CP/yGsUuWDCn339XeWCoVrysIG
> HQos4Gr7FLSWjoR0WZ8tnirAWPrNrTCex9i9kO1rxQuV9WGVSbf+eKj76fCILKaFQSt5
>     G8lQ==
> X-Received: by 10.180.73.235 with SMTP id o11mr25722870wiv.41.1407763517782;
>     Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
> Received: from eos.fc.univie.ac.at ([2001:62a:4:2401:1aa9:5ff:fef0:6c47])
>     by mx.google.com with ESMTPSA id dc3sm1598986wjc.27.2014.08.11.06.25.17
>     for <christoph at mydomain.com>
>     (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>     Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
> Message-ID: <53e8c43d.03b3c20a.718e.617d at mx.google.com>
> Date: Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
> From: test at gmail.com
> Authentication-Results: mydomain.com; dmarc=pass header.from=gmail.com
> DMARC-Filter: OpenDMARC Filter v1.3.0 mydomain.com 96E56AC0303
> ...
> #########################
>
>
> mail.log (system):
> #########################
> ...
> policyd-spf[6312]: None; identity=helo; client-ip=74.125.82.50; helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com; receiver=christoph at mydomain.com
> policyd-spf[6312]: Pass; identity=mailfrom; client-ip=74.125.82.50; helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com; receiver=christoph at mydomain.com
> postfix/smtpd[6309]: A6290AC0303: client=mail-wg0-f50.google.com[74.125.82.50]
> postfix/cleanup[6313]: A6290AC0303: message-id=<53e8c302.26bbb40a.1ef5.ffff8f32 at mx.google.com>
> opendkim[12505]: A6290AC0303: mail-wg0-f50.google.com [74.125.82.50] not internal
> opendkim[12505]: A6290AC0303: not authenticated
> opendkim[12505]: A6290AC0303: s=20120113 d=gmail.com SSL
> opendmarc[2145]: A6290AC0303: gmail.com pass
> ...
> #########################
>
>
> main.cf (postfix):
> #########################
> ...
> smtpd_recipient_restrictions = reject_unknown_client_hostname,
>     reject_unknown_sender_domain, reject_unknown_recipient_domain,
>     reject_unauth_pipelining, permit_mynetworks,
>     permit_sasl_authenticated, reject_unauth_destination,
>     reject_invalid_hostname, reject_non_fqdn_sender,
>     check_policy_service unix:private/policy-spf
> ...
> policy-spf_time_limit = 3600s
> ...
> smtpd_milters = unix:/var/run/opendkim/opendkim.sock
>     unix:/var/run/opendmarc/opendmarc.sock
> ...
> #########################
>
>
> master.cf (postfix):
> #########################
> ...
> policy-spf  unix  -       n       n       -       0       spawn
>      user=policyd-spf argv=/usr/bin/policyd-spf
> ...
> #########################

-- 
Nic Bernstein                             nic at onlight.com
Onlight llc.                              www.onlight.com
219 N. Milwaukee St., Ste. 2A	          v. 414.272.4477
Milwaukee, Wisconsin  53202		  f. 414.290.0335
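
An added example, not part of either message in this thread: a small Python check that reads an OpenDMARC history record in the layout quoted above and compares its `spf` field with the `Received-SPF:` and `Authentication-Results:` headers of a message. The function names are hypothetical and the sample data is constructed by abridging the quoted record and headers.

```python
import re
from email import message_from_string

# Constructed samples, abridged from the history record and headers quoted above.
HISTORY = """\
job 2922AAC0303
from gmail.com
mfrom gmail.com
dkim gmail.com 0       # dkim is ok
spf -1                 # spf has a problem
pdomain gmail.com
"""
HEADERS = """\
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=209.85.212.179; helo=mail-wi0-f179.google.com
Authentication-Results: mydomain.com; dkim=pass
    header.d=gmail.com header.i=@gmail.com
Authentication-Results: mydomain.com; dmarc=pass header.from=gmail.com

"""

def parse_history(text):
    """Split a history file into records; each 'job' line starts a new one."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop annotations pasted into the record
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "job":
            records.append({})
        if records:
            # A key may repeat (e.g. one dkim line per signature), so keep a list.
            records[-1].setdefault(key, []).append(value.strip())
    return records

def header_spf(raw):
    """Return (Received-SPF results, spf= results inside Authentication-Results)."""
    msg = message_from_string(raw)             # unfolds continuation lines
    received = [v.split()[0].lower()
                for v in msg.get_all("Received-SPF", []) if v.split()]
    in_ar = [m.lower() for v in msg.get_all("Authentication-Results", [])
             for m in re.findall(r";\s*spf=(\w+)", v)]
    return received, in_ar

def spf_mismatch(record, raw):
    """True when the record has 'spf -1' although Received-SPF reports pass."""
    received, _ = header_spf(raw)
    return record.get("spf") == ["-1"] and "pass" in received
```

On the sample, `header_spf` also shows that neither `Authentication-Results:` header carries an `spf=` result; only the `Received-SPF:` header does.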
