[opendmarc-users] Validation problem with postfix-policyd-spf-python module

Nic Bernstein nic at onlight.com
Tue Aug 12 11:44:01 PDT 2014


Christoph,
We weren't happy running hacked code, so what we've settled on is 
described here:
> We ultimately adopted Scott's solution of using policyd-spf in the
> primary instance of smtpd, and then applying opendkim/opendmarc milters
> in the post-content-filter instance.  We're not currently rejecting
> based on DMARC, so have not yet considered the ramifications of this in
> re back-scatter, as Andreas has pointed out.
Scott Kitterman's original explanation of that is here:

> Instead of doing everything in one smtpd process, I have two.
>
> Usual:
>
> smtpd ------> post-delivery processing (massive oversimplification)
>      |
>      |
> SPF policy daemon
> opendkim
> opendmarc
>
> Mine:
>
> smtpd    -> transparent    -> smtpd    -> post-delivery processing
>      |   filter (spam/virus)     |
> SPF policyd                  opendkim
>                               opendmarc
>
> My reason to do it this way was to minimize pre-queue filtering, but as a side
> benefit, the SPF authentication results have already been inserted by a previous
> process before the smtpd that sends it to the milters acts on it.  That
> should, I think, avoid the problem.
>
> Also, you can't do DKIM/DMARC as a policy daemon because the information you
> need isn't exposed to the policy interface.

Perhaps you'll have better luck with this approach.

Cheers,
     -nic

On 08/12/2014 12:44 PM, Christoph Steindl wrote:
> Hey Nic,
>
> Thanks for the references. I switched to the spf-milter-python package 
> but there is still one problem. You said that it is necessary to 
> change the index where to put the spf header. I did so but now the spf 
> validation results in "spf 1" in the history file. I attached my 
> changes as *.diff (the changes are around line 295). I tried different 
> indices which had an effect on the spf header position, but always 
> resulted in "spf -1" or "spf 1". In case you have any ideas please let 
> me know.
>
> Regards,
> Christoph
>
> Am 2014-08-12 00:30, schrieb Nic Bernstein:
>> Please take a look in this mailing list's archives for these subject 
>> lines:
>>
>>   * "pypolicyd-spf integration" from March of this year
>>   * "OpenDMARC Postfix SPF implementation" from April of this year
>>
>> Those messages will tell you all you need to get this working.
>>
>> Cheers,
>>     -nic
>>
>> Archives are here: 
>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>>
>> On 08/11/2014 09:05 AM, Christoph Steindl wrote:
>>> Hello,
>>>
>>> I still have some troubles with the spf validation in opendmarc. 
>>> Currently I'm using postfix with opendkim, 
>>> postfix-policyd-spf-python and opendmarc (v. 1.3.0). The spf module 
>>> adds a "Received-SPF:" header with the right results and the 
>>> opendkim milter adds an "Authentication-Results:" header with the 
>>> right results. But in the history files, which are used to generate 
>>> the reports, spf always fails (spf = -1). See the logs for an email 
>>> from gmail to my own domain below. It would be great if somebody 
>>> could help me with this problem.
>>>
>>> Thanks in advance,
>>> Christoph
>>>
>>>
>>>
>>> history file (opendmarc):
>>> #########################
>>> job 2922AAC0303
>>> reporter dmarctest.info
>>> received 1407764522
>>> ipaddr 209.85.212.180
>>> from gmail.com
>>> mfrom gmail.com
>>> dkim gmail.com 0       # dkim is ok
>>> spf -1                         # spf has a problem
>>> pdomain gmail.com
>>> policy 15
>>> rua mailto:mailauth-reports at google.com
>>> pct 100
>>> adkim 114
>>> aspf 114
>>> p 110
>>> sp 0
>>> align_dkim 4
>>> align_spf 5
>>> action 2
>>> #########################
>>>
>>>
>>> Mail header:
>>> #########################
>>> Return-Path: <test at gmail.com>
>>> X-Original-To: christoph at mydomain.com
>>> Delivered-To: christoph at mydomain.com
>>> Received-SPF: Pass (sender SPF authorized) identity=mailfrom; 
>>> client-ip=209.85.212.179; helo=mail-wi0-f179.google.com; 
>>> envelope-from=test at gmail.com; receiver=christoph at mydomain.com
>>> Authentication-Results: mydomain.com; dkim=pass
>>>     reason="2048-bit key; unprotected key"
>>>     header.d=gmail.com header.i=@gmail.com header.b=jZobihA3;
>>>     dkim-adsp=pass; dkim-atps=neutral
>>> Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com 
>>> [209.85.212.179])
>>>     (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
>>>     (Client CN "smtp.gmail.com", Issuer "Google Internet Authority 
>>> G2" (verified OK))
>>>     by mydomain.com (Postfix) with ESMTPS id 96E56AC0303
>>>     for <christoph at mydomain.com>; Mon, 11 Aug 2014 15:22:37 +0200 
>>> (CEST)
>>> Received: by mail-wi0-f179.google.com with SMTP id f8so4191754wiw.6
>>>     for <christoph at mydomain.com>; Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>>>     d=gmail.com; s=20120113;
>>>     h=message-id:date:from;
>>>     bh=+5MTaFlEEPuOhZYsC4F3LrgZyCMC4AuHpjeVyA5jfOo=;
>>> b=jZobihA3nuRSbCmvYfTOIEPekkcFXLGTI9jJhuztBd+31/G9vbgckfzW3EgpzTmjhH
>>> t06JI+rNJYLtxAW8c9HlW61VUYVjIAWml3zBP/mRoCzz13pOJjkkt2tZ3Q6FxODc6kKh
>>> BsI7mNGtF/GUgJCnYmXAD8JWEtulUWD/NzVG47cLiQQY0DmvgMdPlQHVFutO2iUyqKLP
>>> tGeymgsjAMJAzCMknwVTb560Khuv3OduxFgitnaUK7CP/yGsUuWDCn339XeWCoVrysIG
>>> HQos4Gr7FLSWjoR0WZ8tnirAWPrNrTCex9i9kO1rxQuV9WGVSbf+eKj76fCILKaFQSt5
>>>     G8lQ==
>>> X-Received: by 10.180.73.235 with SMTP id 
>>> o11mr25722870wiv.41.1407763517782;
>>>     Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>>> Received: from eos.fc.univie.ac.at 
>>> ([2001:62a:4:2401:1aa9:5ff:fef0:6c47])
>>>     by mx.google.com with ESMTPSA id 
>>> dc3sm1598986wjc.27.2014.08.11.06.25.17
>>>     for <christoph at mydomain.com>
>>>     (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>>>     Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>>> Message-ID: <53e8c43d.03b3c20a.718e.617d at mx.google.com>
>>> Date: Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>>> From: test at gmail.com
>>> Authentication-Results: mydomain.com; dmarc=pass header.from=gmail.com
>>> DMARC-Filter: OpenDMARC Filter v1.3.0 mydomain.com 96E56AC0303
>>> ...
>>> #########################
>>>
>>>
>>> mail.log (system):
>>> #########################
>>> ...
>>> policyd-spf[6312]: None; identity=helo; client-ip=74.125.82.50; 
>>> helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com; 
>>> receiver=christoph at mydomain.com
>>> policyd-spf[6312]: Pass; identity=mailfrom; client-ip=74.125.82.50; 
>>> helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com; 
>>> receiver=christoph at mydomain.com
>>> postfix/smtpd[6309]: A6290AC0303: 
>>> client=mail-wg0-f50.google.com[74.125.82.50]
>>> postfix/cleanup[6313]: A6290AC0303: 
>>> message-id=<53e8c302.26bbb40a.1ef5.ffff8f32 at mx.google.com>
>>> opendkim[12505]: A6290AC0303: mail-wg0-f50.google.com [74.125.82.50] 
>>> not internal
>>> opendkim[12505]: A6290AC0303: not authenticated
>>> opendkim[12505]: A6290AC0303: s=20120113 d=gmail.com SSL
>>> opendmarc[2145]: A6290AC0303: gmail.com pass
>>> ...
>>> #########################
>>>
>>>
>>> main.cf (postfix):
>>> #########################
>>> ...
>>> smtpd_recipient_restrictions = reject_unknown_client_hostname,
>>>     reject_unknown_sender_domain, reject_unknown_recipient_domain,
>>>     reject_unauth_pipelining, permit_mynetworks,
>>>     permit_sasl_authenticated, reject_unauth_destination,
>>>     reject_invalid_hostname, reject_non_fqdn_sender, 
>>> check_policy_service unix:private/policy-spf
>>> ...
>>> policy-spf_time_limit = 3600s
>>> ...
>>> smtpd_milters = unix:/var/run/opendkim/opendkim.sock 
>>> unix:/var/run/opendmarc/opendmarc.sock
>>> ...
>>> #########################
>>>
>>>
>>> master.cf (postfix):
>>> #########################
>>> ...
>>> policy-spf  unix  -       n       n       -       0 spawn
>>>      user=policyd-spf argv=/usr/bin/policyd-spf
>>> ...
>>> #########################
>>> _______________________________________________
>>> opendmarc-users mailing list
>>> opendmarc-users at trusteddomain.org
>>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>>
>> -- 
>> Nic Bernstein                             nic at onlight.com
>> Onlight llc.                              www.onlight.com
>> 219 N. Milwaukee St., Ste. 2A	          v. 414.272.4477
>> Milwaukee, Wisconsin  53202		  f. 414.290.0335
>

-- 
Nic Bernstein                             nic at onlight.com
Onlight llc.                              www.onlight.com
219 N. Milwaukee St., Ste. 2A	          v. 414.272.4477
Milwaukee, Wisconsin  53202		  f. 414.290.0335
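Scott's two-smtpd layout expressed as Postfix configuration, added here as an illustration; it is not taken from any of the posters' actual configs. The transport name `scan`, the filter's listening port 10025 and the re-injection port 10026 are assumed placeholders; the policy-spf and milter socket paths are the ones from Christoph's main.cf/master.cf above.

```conf
# main.cf
# The public smtpd calls the SPF policy daemon only; no milters are attached here,
# so remove the global smtpd_milters line (shown empty for clarity).
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policy-spf
policy-spf_time_limit = 3600s
smtpd_milters =
# Every message the public smtpd accepts is handed to the transparent filter
# (assumed transport name "scan", assumed port 10025).
content_filter = scan:[127.0.0.1]:10025

# master.cf
# Public smtpd and the SPF policy service it calls (unchanged from the thread).
smtp        inet  n       -       n       -       -       smtpd
policy-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
# Transparent spam/virus filter stage: Postfix speaks SMTP to the filter daemon.
scan        unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
# Re-injection smtpd (assumed port 10026): receives the filtered message, which
# already carries policyd-spf's Received-SPF header, and only now runs the
# opendkim and opendmarc milters. Accept connections from localhost only.
127.0.0.1:10026 inet n    -       n       -       10      smtpd
    -o content_filter=
    -o smtpd_milters=unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
```

Because opendmarc now runs in the post-queue instance, a DMARC reject there becomes a bounce rather than an SMTP-time rejection, which is the back-scatter concern Nic mentions above.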
