[opendmarc-users] pypolicyd-spf integration

Nic Bernstein nic at onlight.com
Tue Mar 25 09:45:33 PDT 2014 

Cristian,
We have been seeing similar behavior with pypolicyd-spf  with Postfix
(we're using the postfix-policyd-spf-python package with Ubuntu).  It
looks to us, from extensive snooping on the opendmarc milter connection,
that the header added by pypolicyd-spf never gets to opendmarc, so all
messages result in a "spf -1" in the history file. 

We did report this issue previously (via this list on 16 Aug, 2013) and
never heard of any resolution.  But, we didn't fully understand the
issue at the time. 

>From our investigations, it appears that the policy daemon modified
headers are not passed along to the milters.

We have also experimented with various SPF milter implementations, also
with Postfix, in an effort to get something working, but have been met
with problems there, as well.  Most SPF milters use the insheader()
function to "insert" their header (either Authentication-Results: or
Received-SPF:) with index -1, which means before the MTA's first
header.  In that case, however, the milter-added header isn't seen by
subsequent milters, even though one sees it in the resulting email message.

We have modified a version of spf-milter-python (the Ubuntu package
name, not sure of the official name) wherein we removed the "-1" index,
which allows it to be appended to the header rather than inserted, and
that works just fine.

We'd love to find a solution with all native Postfix policy daemons, but
at present this isn't possible.  We're currently looking into adapting
opendmarc from a milter to a policy daemon, to get around this problem.

Cheers,
    -nic

On 03/25/2014 09:09 AM, Cristian Mammoli wrote:
> Sorry for the noise, but I can't really find a way to make opendmarc
> work with pypolicyd-spf...
> Before updating to 1.2.0 opendmarc reported fail even if running from
> command line with -t parameters.
>
> Tha was caused by bug #58 ("smtp.mailfrom" part of an
> Authentication-Results field might contain only a domain name. Problem
> noted by Scott Kitterman.)
>
>
> sample test message:
>
> Return-Path: <c.mammoli at apra.it>
> Delivered-To: admin at bzone.it
> Authentication-Results: mail.bzone.it; spf=pass (sender SPF
> authorized) smtp.mailfrom=apra.it (client-ip=89.97.236.28;
> helo=mail.apra.it; envelope-from=c.mammoli at apra.it;
> receiver=admin at bzone.it)
> X-Virus-Status: Clean
> X-Virus-Scanned: clamav-milter 0.98.1 at mail.bzone.it
> Authentication-Results: mail.bzone.it; dkim=pass
>         reason="1024-bit key; unprotected key"
>         header.d=apra.it header.i=@apra.it header.b=N6T0R0ue;
> dkim-adsp=pass
> Received: from mail.apra.it (mail.apra.it [89.97.236.28])
>         by mail.bzone.it (Postfix) with SMTP id 827F714C0213
>         for <admin at bzone.it>; Tue, 25 Mar 2014 12:28:25 +0100 (CET)
> Received: (qmail 8961 invoked by uid 453); 25 Mar 2014 11:28:25 -0000
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=apra.it;
> h=received:from:subject:date:message-id; s=default;
> bh=7uqDQo3EVTnDX6HK/OlpR/tasWM=;
> b=N6T0R0ueVD3hbFreZMf/JAclQpTH9e4LkxuzqDsqb02FBxk9Py2a9qj50tmhEwaMsPjAFuPkEbh3NZf7QjFwDfEl6jjnN6lf1xPWce0548wZJrhEE2GKWxvz++VGZTqVaXk+8TBUMyDOFnqcRIItYzJZ6vGL3kqMz43h2/y/Ihw=
> Received: from Unknown (HELO nb-mammoli.apra.it) (192.168.3.9)
>     by apra.it (qpsmtpd/0.84) with ESMTP; Tue, 25 Mar 2014 12:28:25 +0100
> Date: Tue, 25 Mar 2014 12:28:25 +0100
> To: admin at bzone.it
> From: c.mammoli at apra.it
> Subject: test Tue, 25 Mar 2014 12:28:25 +0100
> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
> X-Virus-Checked: Checked by ClamAV on apra.it
> X-Spam-Status: No, score=-0.1 required=8.0
> tests=AWL,DKIM_SIGNED,DKIM_VALID,
> DKIM_VALID_AU,MISSING_MID,RCVD_IN_DNSWL_LOW,RP_MATCHES_RCVD,UNPARSEABLE_RELAY
>
>         shortcircuit=no autolearn=ham version=3.3.1
> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.bzone.it
>
>
> [root at mail ~]# opendmarc -t test4 -vv
> opendmarc: mlfi_connect() returned SMFIS_CONTINUE
> opendmarc: test4: mlfi_envfrom() returned SMFIS_CONTINUE
> opendmarc: test4: line 1: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 2: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 3: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 4: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 5: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 6: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 9: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 12: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 13: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 14: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 16: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 17: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 18: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 19: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 20: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 21: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 22: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: test4: line 25: mlfi_header() returned SMFIS_CONTINUE
> ### INSHEADER: idx=1 hname='Authentication-Results'
> hvalue='mail.bzone.it; dmarc=pass header.from=apra.it'
> opendmarc: test4: mlfi_eom() returned SMFIS_ACCEPT
> opendmarc: mlfi_close() returned SMFIS_CONTINUE
>
> Relevant line in opendmarc.dat:
>
> job DEBUG-i
> reporter DEBUG-j
> received 1395756212
> ipaddr 127.0.0.1
> from apra.it
> mfrom example.org
> spf 0
> dkim apra.it 0
> pdomain apra.it
> policy 15
> rua -
> pct 100
> adkim 115
> aspf 115
> p 114
> sp 114
> align_dkim 4
> align_spf 4
> action 2
>
> But all the mail that pass through postfix result in "spf -1"...
>
> smtpd_recipient_restrictions =
>         ...
>  check_policy_service unix:private/policyd-spf,
>         ...
>
> smtpd_milters = inet:localhost:8891,
>   inet:localhost:8893,
>   unix:/var/run/clamav/clamav-milter.sock,
>   unix:/var/run/spamass-milter/postfix/sock
>
> Where 8891 is opendkim milter and 8893 os opendmarc milter
>
> I even opened a bug report on the pypolicyd-spf project page, I really
> can't understand where is the problem
>
> Thanks
>
>
>
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users

-- 
Nic Bernstein                             nic at onlight.com
Onlight, Inc.                             www.onlight.com
219 N. Milwaukee St., Suite 2a            v. 414.272.4477
Milwaukee, Wisconsin  53202

More information about the opendmarc-users mailing list