[opendmarc-users] pypolicyd-spf integration
Patrick Ben Koetter
p at sys4.de
Tue Mar 25 23:33:58 PDT 2014
* Murray S. Kucherawy <msk at blackops.org>:
> On Tue, 25 Mar 2014, Nic Bernstein wrote:
> >We have been seeing similar behavior with pypolicyd-spf with
> >Postfix (we're using the postfix-policyd-spf-python package with
> >Ubuntu). It looks to us, from extensive snooping on the opendmarc
> >milter connection, that the header added by pypolicyd-spf never
> >gets to opendmarc, so all messages result in a "spf -1" in the
> >history file.
>
> This sounds like a bug in the postfix implementation of milter,
> assuming your investigation didn't miss anything of course. The one
> key factor is that the order of the filters in the MTA configuration
> is significant. For example, in sendmail's configuration, I have:
>
> O InputMailFilters=gmilter, sid-filter, spamass-milter, opendkim, opendmarc
>
> The filters are processed in sequence by the MTA. That means
> changes made by one filter are only visible to filters later in the
> list. Header fields added, modified, or removed by opendkim are
> seen by opendmarc. However, they would not be seen by gmilter,
> sid-filter, or spamass-milter.
>
> Is it possible you just need to swap the order in your MTA configuration?
We tested milters in Postfix recently and we *could not* observe that Postfix
would mix up the the order of the filters in the MTA configuration. It
followed the order at all times.
> >We have also experimented with various SPF milter implementations,
> >also with Postfix, in an effort to get something working, but have
> >been met with problems there, as well. Most SPF milters use the
> >insheader() function to "insert" their header (either
> >Authentication-Results: or Received-SPF:) with index -1, which
> >means before the MTA's first header. In that case, however, the
> >milter-added header isn't seen by subsequent milters, even though
> >one sees it in the resulting email message.
>
> Inserting a header field using smfi_insheader() with an index of -1
> is an error. libmilter will return an error for such requests.
> Maybe that filter is doing something improper and failing to detect
> the resulting error?
>
> >We have modified a version of spf-milter-python (the Ubuntu package
> >name, not sure of the official name) wherein we removed the "-1" index,
> >which allows it to be appended to the header rather than inserted, and
> >that works just fine.
>
> That would work. Also changing the index to 0 or (better) 1 should
> be fine. The position of the header field in the header doesn't
> matter.
>
> >We'd love to find a solution with all native Postfix policy daemons, but
> >at present this isn't possible. We're currently looking into adapting
> >opendmarc from a milter to a policy daemon, to get around this problem.
>
> What's the difference between a milter and a policy daemon?
A policy daemon uses the "Postfix policy delegation protocol". It only sees
SMTP session data. A MILTER additionally sees anything that is transmitted
within DATA and END_OF_DATA.
"Postfix policy delegation protocol"
<http://www.postfix.org/SMTPD_POLICY_README.html>
p at rick
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
More information about the opendmarc-users
mailing list