[opendmarc-users] Validation problem with postfix-policyd-spf-python module

Urban Loesch bind at enas.net
Wed Aug 13 03:00:11 PDT 2014


I have the same problem.

This seems to work:
https://groups.google.com/forum/#!topic/mailing.postfix.users/FyFdakjwZ-s

But it has a little bit of overhead. Perhaps it should be easy to write a small
policy daemon which puts a "pseudo-header" before the SPF header.

Regards
Urban


On 12.08.2014 20:44, Nic Bernstein wrote:
> Christoph,
> We weren't happy running hacked code, so what we've settled on is described here:
>> We ultimately adopted Scott's solution of using policyd-spf in the
>> primary instance of smtpd, and then applying opendkim/opendmarc milters
>> in the post-content-filter instance.  We're not currently rejecting
>> based on DMARC, so have not yet considered the ramifications of this in
>> re back-scatter, as Andreas has pointed out.
> Scott Kitterman's original explanation of that is here:
> 
>> Instead of doing everything in one smtpd process, I have two.
>>
>> Usual:
>>
>> smtpd ------> post-delivery processing (massive oversimplification)
>>     |
>>     |
>> SPF policy daemon
>> opendkim
>> opendmarc
>>
>> Mine:
>>
>> smtpd    -> transparent    -> smtpd    -> post-delivery processing
>>     |   filter (spam/virus)     |
>> SPF policyd                  opendkim
>>                              opendmarc
>>
>> My reason to do it this way was to minimize pre-queue filtering, but as a side 
>> benefit, the SPF authentication results have already been inserted by a previous 
>> process before the smtpd that sends it to the milters acts on it.  That 
>> should, I think, avoid the problem.
>>
>> Also, you can't do DKIM/DMARC as a policy daemon because the information you 
>> need isn't exposed to the policy interface.
> 
> Perhaps you'll have better luck with this approach.
> 
> Cheers,
>     -nic
> 
> On 08/12/2014 12:44 PM, Christoph Steindl wrote:
>> Hey Nic,
>>
>> Thanks for the references. I switched to the spf-milter-python package but there is still one problem. You said that it is necessary to change the
>> index where to put the spf header. I did so but now the spf validation results in "spf 1" in the history file. I attached my changes as *.diff (the
>> changes are around line 295). I tried different indices which had an effect on the spf header position, but always resulted in "spf -1" or "spf 1".
>> In case you have any ideas please let me know.
>>
>> Regards,
>> Christoph
>>
>> On 2014-08-12 00:30, Nic Bernstein wrote:
>>> Please take a look in this mailing list's archives for these subject lines:
>>>
>>>   * "pypolicyd-spf integration" from March of this year
>>>   * "OpenDMARC Postfix SPF implementation" from April of this year
>>>
>>> Those messages will tell you all you need to get this working.
>>>
>>> Cheers,
>>>     -nic
>>>
>>> Archives are here: http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>>>
>>> On 08/11/2014 09:05 AM, Christoph Steindl wrote:
>>>> Hello,
>>>>
>>>> I still have some troubles with the spf validation in opendmarc. Currently I'm using postfix with opendkim, postfix-policyd-spf-python and
>>>> opendmarc (v. 1.3.0). The spf module adds a "Received-SPF:" header with the right results and the opendkim milter adds an
>>>> "Authentication-Results:" header with the right results. But in the history files, which are used to generate the reports, spf always fails (spf =
>>>> -1). See the logs for an email from gmail to my own domain below. It would be great if somebody could help me with this problem.
>>>>
>>>> Thanks in advance,
>>>> Christoph
>>>>
>>>>
>>>>
>>>> history file (opendmarc):
>>>> #########################
>>>> job 2922AAC0303
>>>> reporter dmarctest.info
>>>> received 1407764522
>>>> ipaddr 209.85.212.180
>>>> from gmail.com
>>>> mfrom gmail.com
>>>> dkim gmail.com 0       # dkim is ok
>>>> spf -1                         # spf has a problem
>>>> pdomain gmail.com
>>>> policy 15
>>>> rua mailto:mailauth-reports at google.com
>>>> pct 100
>>>> adkim 114
>>>> aspf 114
>>>> p 110
>>>> sp 0
>>>> align_dkim 4
>>>> align_spf 5
>>>> action 2
>>>> #########################
>>>>
>>>>
>>>> Mail header:
>>>> #########################
>>>> Return-Path: <test at gmail.com>
>>>> X-Original-To: christoph at mydomain.com
>>>> Delivered-To: christoph at mydomain.com
>>>> Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.212.179; helo=mail-wi0-f179.google.com;
>>>> envelope-from=test at gmail.com; receiver=christoph at mydomain.com
>>>> Authentication-Results: mydomain.com; dkim=pass
>>>>     reason="2048-bit key; unprotected key"
>>>>     header.d=gmail.com header.i=@gmail.com header.b=jZobihA3;
>>>>     dkim-adsp=pass; dkim-atps=neutral
>>>> Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com [209.85.212.179])
>>>>     (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
>>>>     (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
>>>>     by mydomain.com (Postfix) with ESMTPS id 96E56AC0303
>>>>     for <christoph at mydomain.com>; Mon, 11 Aug 2014 15:22:37 +0200 (CEST)
>>>> Received: by mail-wi0-f179.google.com with SMTP id f8so4191754wiw.6
>>>>     for <christoph at mydomain.com>; Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>>>>     d=gmail.com; s=20120113;
>>>>     h=message-id:date:from;
>>>>     bh=+5MTaFlEEPuOhZYsC4F3LrgZyCMC4AuHpjeVyA5jfOo=;
>>>>     b=jZobihA3nuRSbCmvYfTOIEPekkcFXLGTI9jJhuztBd+31/G9vbgckfzW3EgpzTmjhH
>>>>     t06JI+rNJYLtxAW8c9HlW61VUYVjIAWml3zBP/mRoCzz13pOJjkkt2tZ3Q6FxODc6kKh
>>>>     BsI7mNGtF/GUgJCnYmXAD8JWEtulUWD/NzVG47cLiQQY0DmvgMdPlQHVFutO2iUyqKLP
>>>>     tGeymgsjAMJAzCMknwVTb560Khuv3OduxFgitnaUK7CP/yGsUuWDCn339XeWCoVrysIG
>>>>     HQos4Gr7FLSWjoR0WZ8tnirAWPrNrTCex9i9kO1rxQuV9WGVSbf+eKj76fCILKaFQSt5
>>>>     G8lQ==
>>>> X-Received: by 10.180.73.235 with SMTP id o11mr25722870wiv.41.1407763517782;
>>>>     Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>>>> Received: from eos.fc.univie.ac.at ([2001:62a:4:2401:1aa9:5ff:fef0:6c47])
>>>>     by mx.google.com with ESMTPSA id dc3sm1598986wjc.27.2014.08.11.06.25.17
>>>>     for <christoph at mydomain.com>
>>>>     (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>>>>     Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>>>> Message-ID: <53e8c43d.03b3c20a.718e.617d at mx.google.com>
>>>> Date: Mon, 11 Aug 2014 06:25:17 -0700 (PDT)
>>>> From: test at gmail.com
>>>> Authentication-Results: mydomain.com; dmarc=pass header.from=gmail.com
>>>> DMARC-Filter: OpenDMARC Filter v1.3.0 mydomain.com 96E56AC0303
>>>> ...
>>>> #########################
>>>>
>>>>
>>>> mail.log (system):
>>>> #########################
>>>> ...
>>>> policyd-spf[6312]: None; identity=helo; client-ip=74.125.82.50; helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com;
>>>> receiver=christoph at mydomain.com
>>>> policyd-spf[6312]: Pass; identity=mailfrom; client-ip=74.125.82.50; helo=mail-wg0-f50.google.com; envelope-from=test at gmail.com;
>>>> receiver=christoph at mydomain.com
>>>> postfix/smtpd[6309]: A6290AC0303: client=mail-wg0-f50.google.com[74.125.82.50]
>>>> postfix/cleanup[6313]: A6290AC0303: message-id=<53e8c302.26bbb40a.1ef5.ffff8f32 at mx.google.com>
>>>> opendkim[12505]: A6290AC0303: mail-wg0-f50.google.com [74.125.82.50] not internal
>>>> opendkim[12505]: A6290AC0303: not authenticated
>>>> opendkim[12505]: A6290AC0303: s=20120113 d=gmail.com SSL
>>>> opendmarc[2145]: A6290AC0303: gmail.com pass
>>>> ...
>>>> #########################
>>>>
>>>>
>>>> main.cf (postfix):
>>>> #########################
>>>> ...
>>>> smtpd_recipient_restrictions = reject_unknown_client_hostname,
>>>>     reject_unknown_sender_domain, reject_unknown_recipient_domain,
>>>>     reject_unauth_pipelining, permit_mynetworks,
>>>>     permit_sasl_authenticated, reject_unauth_destination,
>>>>     reject_invalid_hostname, reject_non_fqdn_sender, check_policy_service unix:private/policy-spf
>>>> ...
>>>> policy-spf_time_limit = 3600s
>>>> ...
>>>> smtpd_milters = unix:/var/run/opendkim/opendkim.sock unix:/var/run/opendmarc/opendmarc.sock
>>>> ...
>>>> #########################
>>>>
>>>>
>>>> master.cf (postfix):
>>>> #########################
>>>> ...
>>>> policy-spf  unix  -       n       n       -       0       spawn
>>>>      user=policyd-spf argv=/usr/bin/policyd-spf
>>>> ...
>>>> #########################
>>>> _______________________________________________
>>>> opendmarc-users mailing list
>>>> opendmarc-users at trusteddomain.org
>>>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>>>
>>> -- 
>>> Nic Bernstein                             nic at onlight.com
>>> Onlight llc.                              www.onlight.com
>>> 219 N. Milwaukee St., Ste. 2A	          v. 414.272.4477
>>> Milwaukee, Wisconsin  53202		  f. 414.290.0335
>>
> 
> -- 
> Nic Bernstein                             nic at onlight.com
> Onlight llc.                              www.onlight.com
> 219 N. Milwaukee St., Ste. 2A	          v. 414.272.4477
> Milwaukee, Wisconsin  53202		  f. 414.290.0335
> 
> 
> 
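The two-smtpd layout Scott Kitterman sketches above, as an added master.cf example that is not from the thread: the Internet-facing smtpd runs only the SPF policy daemon (via the check_policy_service entry already in Christoph's main.cf) with milters switched off, a content filter is assumed to listen on 127.0.0.1:10024 and re-inject on 127.0.0.1:10025 (the amavisd-new convention; the "scan" transport name follows Postfix's FILTER_README), and only the re-injection smtpd hands the message to opendkim/opendmarc, so the Received-SPF: header written by the first instance is already an ordinary header when the milters see it. Socket paths are the ones from the main.cf quoted above.

```conf
# --- Internet-facing instance: SPF policy daemon only, no milters ---
# smtpd_milters is emptied here so opendkim/opendmarc do not act before
# the policy daemon has prepended Received-SPF:. The SPF check itself
# comes from smtpd_recipient_restrictions in main.cf.
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_milters=
    -o content_filter=scan:[127.0.0.1]:10024

# Transport that hands queued mail to the transparent (spam/virus) filter.
# XFORWARD passes the original client IP/HELO along to the re-injection
# instance so its logs and any later checks still see the real sender.
scan      unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_data_done_timeout=1200

# --- Re-injection instance: milters only, no policy daemon ---
# The filter returns mail here. Restrictions are reduced to
# permit_mynetworks so policyd-spf is not consulted a second time, and
# the milters now receive a message that already carries Received-SPF:.
127.0.0.1:10025 inet n  -       n       -       10      smtpd
    -o content_filter=
    -o smtpd_milters=unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

After the change, the "spf" line in the opendmarc history file for a test message from a domain with a passing SPF record should no longer read -1; if it still does, confirm in mail.log that the milters are logged by the 127.0.0.1:10025 instance and not by the first one.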