[opendmarc-users] Validation problem with postfix-policyd-spf-python module
Christoph Steindl
c.steindl at univie.ac.at
Tue Aug 12 10:44:01 PDT 2014

Hey Nic,

Thanks for the references. I switched to the spf-milter-python package
but there is still one problem. You said that it is necessary to change
the index where to put the spf header. I did so but now the spf
validation results in "spf 1" in the history file. I attached my changes
as *.diff (the changes are around line 295). I tried different indices
which had an effect on the spf header position, but always resulted in
"spf -1" or "spf 1". In case you have any ideas please let me know.

Regards,
Christoph

On 2014-08-12 00:30, Nic Bernstein wrote:
> Please take a look in this mailing list's archives for these subject
> lines:
>
> * "pypolicyd-spf integration" from March of this year
> * "OpenDMARC Postfix SPF implementation" from April of this year
>
> Those messages will tell you all you need to get this working.
>
> Cheers,
> -nic
>
> Archives are here:
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>
> On 08/11/2014 09:05 AM, Christoph Steindl wrote:
>> Hello,
>>
>> I still have some troubles with the spf validation in opendmarc.
>> Currently I'm using postfix with opendkim, postfix-policyd-spf-python
>> and opendmarc (v. 1.3.0). The spf module adds a "Received-SPF:"
>> header with the right results and the opendkim milter adds an
>> "Authentication-Results:" header with the right results. But in the
>> history files, which are used to generate the reports, spf always
>> fails (spf = -1). See the logs for an email from gmail to my own
>> domain below. It would be great if somebody could help me with this
>> problem.
>>
>> Thanks in advance,
>> Christoph
>>
>>
>>
>> history file (opendmarc):
>> #########################
>> job 2922AAC0303
>> reporter dmarctest.info
>> received 1407764522
>> ipaddr 209.85.212.180
>> from gmail.com
>> mfrom gmail.com
>> dkim gmail.com 0 # dkim is ok
>> spf -1 # spf has a problem
>> pdomain gmail.com
>> policy 15
>> rua mailto:mailauth-reports at google.com
>> pct 100
>> adkim 114
>> aspf 114
>> p 110
>> sp 0
>> align_dkim 4
>> align_spf 5
>> action 2
>> #########################
>>
>>
>> Mail header:
>> #########################
>> Return-Path: <test at gmail.com>
>> X-Original-To: christoph at mydomain.com
>> Delivered-To: christoph at mydomain.com
>> Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
>> client-ip=209.85.212.179; helo=mail-wi0-f179.google.com;
>> envelope-from=test at gmail.com; receiver=christoph at mydomain.com
>> Authentication-Results: mydomain.com; dkim=pass
>> reason="2048-bit key; unprotected key"
>> header.d=gmail.com header.i=@gmail.com header.b=jZobihA3;
>> dkim-adsp=pass; dkim-atps=neutral
>> Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com
>> [209.85.212.179])
>> (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
>> (Client CN "smtp.gmail.com", Issuer "Google Internet Authority
>> G2" (verified OK))
>> by mydomain.com (Postfix) with ESMTPS id 96E56AC0303
>> for <christoph at mydomain.com>; Mon, 11 Aug 2014 15:22:37 +0200 (CEST)
>> Received: by mail-wi0-f179.google.com with SMTP id f8so4191754wiw.6
>> for <christoph at mydomain.com>; Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>> d=gmail.com; s=20120113;
>> h=message-id:date:from;
>> bh=+5MTaFlEEPuOhZYsC4F3LrgZyCMC4AuHpjeVyA5jfOo=;
>> b=jZobihA3nuRSbCmvYfTOIEPekkcFXLGTI9jJhuztBd+31/G9vbgckfzW3EgpzTmjhH
>> t06JI+rNJYLtxAW8c9HlW61VUYVjIAWml3zBP/mRoCzz13pOJjkkt2tZ3Q6FxODc6kKh
>> BsI7mNGtF/GUgJCnYmXAD8JWEtulUWD/NzVG47cLiQQY0DmvgMdPlQHVFutO2iUyqKLP
>> tGeymgsjAMJAzCMknwVTb560Khuv3OduxFgitnaUK7CP/yGsUuWDCn339XeWCoVrysIG
>> HQos4Gr7FLSWjoR0WZ8tnirAWPrNrTCex9i9kO1rxQuV9WGVSbf+eKj76fCILKaFQSt5
>> G8lQ==
>> X-Received: by 10.180.73.235 with SMTP id
>> o11mr25722870wiv.41.1407763517782;
>> Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>> Received: from eos.fc.univie.ac.at
>> ([2001:62a:4:2401:1aa9:5ff:fef0:6c47])
>> by mx.google.com with ESMTPSA id
>> dc3sm1598986wjc.27.2014.08.11.06.25.17
>> for <christoph at mydomain.com>
>> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>> Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>> Message-ID: <53e8c43d.03b3c20a.718e.617d at mx.google.com>
>> Date: Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>> From: test at gmail.com
>> Authentication-Results: mydomain.com; dmarc=pass header.from=gmail.com
>> DMARC-Filter: OpenDMARC Filter v1.3.0 mydomain.com 96E56AC0303
>> ...
>> #########################
>>
>>
>> mail.log (system):
>> #########################
>> ...
>> policyd-spf[6312]: None; identity=helo; client-ip=74.125.82.50;
>> helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com;
>> receiver=christoph at mydomain.com
>> policyd-spf[6312]: Pass; identity=mailfrom; client-ip=74.125.82.50;
>> helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com;
>> receiver=christoph at mydomain.com
>> postfix/smtpd[6309]: A6290AC0303:
>> client=mail-wg0-f50.google.com[74.125.82.50]
>> postfix/cleanup[6313]: A6290AC0303:
>> message-id=<53e8c302.26bbb40a.1ef5.ffff8f32 at mx.google.com>
>> opendkim[12505]: A6290AC0303: mail-wg0-f50.google.com [74.125.82.50]
>> not internal
>> opendkim[12505]: A6290AC0303: not authenticated
>> opendkim[12505]: A6290AC0303: s=20120113 d=gmail.com SSL
>> opendmarc[2145]: A6290AC0303: gmail.com pass
>> ...
>> #########################
>>
>>
>> main.cf (postfix):
>> #########################
>> ...
>> smtpd_recipient_restrictions = reject_unknown_client_hostname,
>> reject_unknown_sender_domain, reject_unknown_recipient_domain,
>> reject_unauth_pipelining, permit_mynetworks,
>> permit_sasl_authenticated, reject_unauth_destination,
>> reject_invalid_hostname, reject_non_fqdn_sender,
>> check_policy_service unix:private/policy-spf
>> ...
>> policy-spf_time_limit = 3600s
>> ...
>> smtpd_milters = unix:/var/run/opendkim/opendkim.sock
>> unix:/var/run/opendmarc/opendmarc.sock
>> ...
>> #########################
>>
>>
>> master.cf (postfix):
>> #########################
>> ...
>> policy-spf unix - n n - 0 spawn
>> user=policyd-spf argv=/usr/bin/policyd-spf
>> ...
>> #########################
>
> --
> Nic Bernstein                      nic at onlight.com
> Onlight llc.                       www.onlight.com
> 219 N. Milwaukee St., Ste. 2A      v. 414.272.4477
> Milwaukee, Wisconsin 53202         f. 414.290.0335
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spfmilter.diff
Type: text/x-patch
Size: 12555 bytes
Desc: not available
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20140812/58ae5bc8/attachment-0001.bin>
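
A diagnostic sketch for the mismatch described in this thread, added here as an example and not taken from the poster's attachment or from OpenDMARC: it parses one history-file record and the delivered headers, then reports where the SPF verdicts disagree. The sample data is constructed from the record and headers quoted above, and treating `0` as pass follows the poster's own annotation rather than a documented code table.

```python
import re
from email import message_from_string

# Constructed sample, reduced from the history record and headers quoted in the thread.
HISTORY = """\
job 2922AAC0303
from gmail.com
dkim gmail.com 0 # dkim is ok
spf -1 # spf has a problem
"""
HEADERS = """\
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=209.85.212.179; helo=mail-wi0-f179.google.com
Authentication-Results: mydomain.com; dkim=pass header.d=gmail.com
Authentication-Results: mydomain.com; dmarc=pass header.from=gmail.com
"""

def parse_history(text):
    """Return one history record as {field: value}; '#' comments are dropped."""
    rec = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            rec[key] = value.strip()
    return rec

def header_spf_results(raw):
    """Collect (header name, verdict) for every SPF verdict found in the headers."""
    msg = message_from_string(raw)
    found = [("Received-SPF", v.split()[0].lower())
             for v in msg.get_all("Received-SPF", [])]
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"(?:^|;)\s*spf=(\w+)", value):
            found.append(("Authentication-Results", m.group(1).lower()))
    return found

def diagnose(history_text, raw_headers):
    """List disagreements between header SPF verdicts and the history record."""
    rec = parse_history(history_text)
    results = header_spf_results(raw_headers)
    recorded_pass = rec.get("spf") == "0"  # assumption: 0 = pass, as annotated for dkim
    findings = [f"{name} says spf={res} but history has spf {rec.get('spf')}"
                for name, res in results if (res == "pass") != recorded_pass]
    if not any(name == "Authentication-Results" for name, _ in results):
        findings.append("no spf= result in any Authentication-Results header")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(HISTORY, HEADERS)))
```
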