[opendmarc-users] Validation problem with postfix-policyd-spf-python module

Christoph Steindl c.steindl at univie.ac.at
Tue Aug 12 10:44:01 PDT 2014 

Hey Nic,

Thanks for the references. I switched to the spf-milter-python package 
but there is still one problem. You said that it is necessary to change 
the index where to put the spf header. I did so but now the spf 
validation results in "spf 1" in the history file. I attached my changes 
as *.diff (the changes are around line 295). I tried different indices 
which had an effect on the spf header position, but always resulted in 
"spf -1" or "spf 1". In case you have any ideas please let me know.

Regards,
Christoph

Am 2014-08-12 00:30, schrieb Nic Bernstein:
> Please take a look in this mailing list's archives for these subject 
> lines:
>
>   * "pypolicyd-spf integration" from March of this year
>   * "OpenDMARC Postfix SPF implementation" from April of this year
>
> Those messages will tell you all you need to get this working.
>
> Cheers,
>     -nic
>
> Archives are here: 
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>
> On 08/11/2014 09:05 AM, Christoph Steindl wrote:
>> Hello,
>>
>> I still have some troubles with the spf validation in opendmarc. 
>> Currently I'm using postfix with opendkim, postfix-policyd-spf-python 
>> and opendmarc (v. 1.3.0). The spf module adds a "Received-SPF:" 
>> header with the right results and the opendkim milter adds an 
>> "Authentication-Results:" header with the right results. But in the 
>> history files, which are used to generate the reports, spf always 
>> fails (spf = -1). See the logs for an email from gmail to my own 
>> domain below. It would be great if somebody could help me with this 
>> problem.
>>
>> Thanks in advance,
>> Christoph
>>
>>
>>
>> history file (opendmarc):
>> #########################
>> job 2922AAC0303
>> reporter dmarctest.info
>> received 1407764522
>> ipaddr 209.85.212.180
>> from gmail.com
>> mfrom gmail.com
>> dkim gmail.com 0       # dkim is ok
>> spf -1                         # spf has a problem
>> pdomain gmail.com
>> policy 15
>> rua mailto:mailauth-reports at google.com
>> pct 100
>> adkim 114
>> aspf 114
>> p 110
>> sp 0
>> align_dkim 4
>> align_spf 5
>> action 2
>> #########################
>>
>>
>> Mail header:
>> #########################
>> Return-Path: <test at gmail.com>
>> X-Original-To: christoph at mydomain.com
>> Delivered-To: christoph at mydomain.com
>> Received-SPF: Pass (sender SPF authorized) identity=mailfrom; 
>> client-ip=209.85.212.179; helo=mail-wi0-f179.google.com; 
>> envelope-from=test at gmail.com; receiver=christoph at mydomain.com
>> Authentication-Results: mydomain.com; dkim=pass
>>     reason="2048-bit key; unprotected key"
>>     header.d=gmail.com header.i=@gmail.com header.b=jZobihA3;
>>     dkim-adsp=pass; dkim-atps=neutral
>> Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com 
>> [209.85.212.179])
>>     (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
>>     (Client CN "smtp.gmail.com", Issuer "Google Internet Authority 
>> G2" (verified OK))
>>     by mydomain.com (Postfix) with ESMTPS id 96E56AC0303
>>     for <christoph at mydomain.com>; Mon, 11 Aug 2014 15:22:37 +0200 (CEST)
>> Received: by mail-wi0-f179.google.com with SMTP id f8so4191754wiw.6
>>     for <christoph at mydomain.com>; Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>>     d=gmail.com; s=20120113;
>>     h=message-id:date:from;
>>     bh=+5MTaFlEEPuOhZYsC4F3LrgZyCMC4AuHpjeVyA5jfOo=;
>> b=jZobihA3nuRSbCmvYfTOIEPekkcFXLGTI9jJhuztBd+31/G9vbgckfzW3EgpzTmjhH
>> t06JI+rNJYLtxAW8c9HlW61VUYVjIAWml3zBP/mRoCzz13pOJjkkt2tZ3Q6FxODc6kKh
>> BsI7mNGtF/GUgJCnYmXAD8JWEtulUWD/NzVG47cLiQQY0DmvgMdPlQHVFutO2iUyqKLP
>> tGeymgsjAMJAzCMknwVTb560Khuv3OduxFgitnaUK7CP/yGsUuWDCn339XeWCoVrysIG
>> HQos4Gr7FLSWjoR0WZ8tnirAWPrNrTCex9i9kO1rxQuV9WGVSbf+eKj76fCILKaFQSt5
>>     G8lQ==
>> X-Received: by 10.180.73.235 with SMTP id 
>> o11mr25722870wiv.41.1407763517782;
>>     Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>> Received: from eos.fc.univie.ac.at 
>> ([2001:62a:4:2401:1aa9:5ff:fef0:6c47])
>>     by mx.google.com with ESMTPSA id 
>> dc3sm1598986wjc.27.2014.08.11.06.25.17
>>     for <christoph at mydomain.com>
>>     (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>>     Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>> Message-ID: <53e8c43d.03b3c20a.718e.617d at mx.google.com>
>> Date: Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>> From: test at gmail.com
>> Authentication-Results: mydomain.com; dmarc=pass header.from=gmail.com
>> DMARC-Filter: OpenDMARC Filter v1.3.0 mydomain.com 96E56AC0303
>> ...
>> #########################
>>
>>
>> mail.log (system):
>> #########################
>> ...
>> policyd-spf[6312]: None; identity=helo; client-ip=74.125.82.50; 
>> helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com; 
>> receiver=christoph at mydomain.com
>> policyd-spf[6312]: Pass; identity=mailfrom; client-ip=74.125.82.50; 
>> helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com; 
>> receiver=christoph at mydomain.com
>> postfix/smtpd[6309]: A6290AC0303: 
>> client=mail-wg0-f50.google.com[74.125.82.50]
>> postfix/cleanup[6313]: A6290AC0303: 
>> message-id=<53e8c302.26bbb40a.1ef5.ffff8f32 at mx.google.com>
>> opendkim[12505]: A6290AC0303: mail-wg0-f50.google.com [74.125.82.50] 
>> not internal
>> opendkim[12505]: A6290AC0303: not authenticated
>> opendkim[12505]: A6290AC0303: s=20120113 d=gmail.com SSL
>> opendmarc[2145]: A6290AC0303: gmail.com pass
>> ...
>> #########################
>>
>>
>> main.cf (postfix):
>> #########################
>> ...
>> smtpd_recipient_restrictions = reject_unknown_client_hostname,
>>     reject_unknown_sender_domain, reject_unknown_recipient_domain,
>>     reject_unauth_pipelining, permit_mynetworks,
>>     permit_sasl_authenticated, reject_unauth_destination,
>>     reject_invalid_hostname, reject_non_fqdn_sender, 
>> check_policy_service unix:private/policy-spf
>> ...
>> policy-spf_time_limit = 3600s
>> ...
>> smtpd_milters = unix:/var/run/opendkim/opendkim.sock 
>> unix:/var/run/opendmarc/opendmarc.sock
>> ...
>> #########################
>>
>>
>> master.cf (postfix):
>> #########################
>> ...
>> policy-spf  unix  -       n       n       -       0       spawn
>>      user=policyd-spf argv=/usr/bin/policyd-spf
>> ...
>> #########################
>> _______________________________________________
>> opendmarc-users mailing list
>> opendmarc-users at trusteddomain.org
>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>
> -- 
> Nic Bernsteinnic at onlight.com
> Onlight llc.www.onlight.com
> 219 N. Milwaukee St., Ste. 2A	          v. 414.272.4477
> Milwaukee, Wisconsin  53202		  f. 414.290.0335

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20140812/58ae5bc8/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spfmilter.diff
Type: text/x-patch
Size: 12555 bytes
Desc: not available
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20140812/58ae5bc8/attachment-0001.bin>

More information about the opendmarc-users mailing list