[opendmarc-users] pypolicyd-spf integration

Murray S. Kucherawy msk at blackops.org
Tue Mar 25 11:19:30 PDT 2014 

On Tue, 25 Mar 2014, Nic Bernstein wrote:
> We have been seeing similar behavior with pypolicyd-spf with Postfix 
> (we're using the postfix-policyd-spf-python package with Ubuntu).  It 
> looks to us, from extensive snooping on the opendmarc milter connection, 
> that the header added by pypolicyd-spf never gets to opendmarc, so all 
> messages result in a "spf -1" in the history file.

This sounds like a bug in the postfix implementation of milter, assuming 
your investigation didn't miss anything of course.  The one 
key factor is that the order of the filters in the MTA 
configuration is significant.  For example, in sendmail's 
configuration, I have:

O InputMailFilters=gmilter, sid-filter, spamass-milter, opendkim, opendmarc

The filters are processed in sequence by the MTA.  That means changes made 
by one filter are only visible to filters later in the list.  Header 
fields added, modified, or removed by opendkim are seen by opendmarc. 
However, they would not be seen by gmilter, sid-filter, or spamass-milter.

Is it possible you just need to swap the order in your MTA configuration?

> We have also experimented with various SPF milter implementations, also 
> with Postfix, in an effort to get something working, but have been met 
> with problems there, as well.  Most SPF milters use the insheader() 
> function to "insert" their header (either Authentication-Results: or 
> Received-SPF:) with index -1, which means before the MTA's first header. 
> In that case, however, the milter-added header isn't seen by subsequent 
> milters, even though one sees it in the resulting email message.

Inserting a header field using smfi_insheader() with an index of -1 is an 
error.  libmilter will return an error for such requests.  Maybe that 
filter is doing something improper and failing to detect the resulting 
error?

> We have modified a version of spf-milter-python (the Ubuntu package
> name, not sure of the official name) wherein we removed the "-1" index,
> which allows it to be appended to the header rather than inserted, and
> that works just fine.

That would work.  Also changing the index to 0 or (better) 1 should be 
fine.  The position of the header field in the header doesn't matter.

> We'd love to find a solution with all native Postfix policy daemons, but
> at present this isn't possible.  We're currently looking into adapting
> opendmarc from a milter to a policy daemon, to get around this problem.

What's the difference between a milter and a policy daemon?

-MSK

More information about the opendmarc-users mailing list