[opendmarc-users] OpenDMARC useless with Postfix

Urban Loesch bind at enas.net
Thu Sep 18 10:11:23 PDT 2014


> But in Postfix
> one milter does not see headers that some other milter inserts.

Postfix does not pass the first header line to the milter, but it passes
all other header lines inserted by milters to the milters they came after.

This seems to be normal behaviour according to the sendmail milter
specification. I read about it some weeks ago as I had the same problem,
but I can't find the link anymore.

This was my initial postfix configuration:

1) policyd-spf-python as a policy service in "smtpd_data_restrictions" 
adds the Authentication-Result Header for SPF
2) opendkim as the first milter adds the Authentication-Result Header 
for DKIM
3) opendmarc as the second milter adds the Authentication-Result Header for

As I just said: postfix doesn't pass the first header line to the
milters. So DMARC will always fail due to the lack of an SPF/DKIM results header.

I solved it like this:
As a first action I always add a pseudo header line in
smtpd_data_restrictions. So the header line for SPF will become the
second one and postfix passes it to the milters.

Config in main.cf is:
smtpd_data_restrictions = check_sender_access regexp:/etc/postfix/add_header_to_all.regexp
                           check_policy_service unix:private/policyd-spf

The file "/etc/postfix/add_header_to_all.regexp" contains only the 
following line:
/.\@./ PREPEND X-MY: Auth-Res

The milters come with smtpd_milters = DKIM-MILTER,DMARC-MILTER,etc.

For me this works like a charm and has negligible overhead.

Hope that helps.


I have disabled native SPF support in OpenDMARC.

On 18.09.2014 18:32, Joachim Fahrner wrote:
> Hi,
> I found that OpenDMARC is useless in Postfix environments. OpenDMARC
> does not calculate and verify DKIM hashes on its own, but relies on
> Authentication-Result headers from SPF and DKIM milters. But in Postfix
> one milter does not see headers that some other milter inserts.
> You can compile OpenDMARC with SPF support and let it check SPF on its
> own, but that makes no sense when DKIM support is missing. So running
> OpenDMARC as a Postfix milter is only a placebo (you can do the same
> checks with a spf policy daemon).
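
Added example, not part of the original thread and not Postfix or OpenDMARC code: a Python model of the behaviour described in the reply above, reporting which SPF/DKIM results a DMARC milter would be missing with and without the dummy header. It takes the reply's description (first header line hidden from milters, headers added by earlier milters visible) as an assumption; the function names are hypothetical and the sample hostnames and results are constructed.

```python
import re
from email import message_from_string

# One "method=result" clause of an Authentication-Results value, e.g. "spf=pass".
RESINFO = re.compile(r"\s*([a-z][a-z0-9-]*)\s*=\s*([a-z]+)", re.I)

def parse_headers(raw):
    """Ordered (name, value) pairs from raw header text; folded lines are kept."""
    return message_from_string(raw).items()

def auth_results(headers):
    """Map method -> result over every Authentication-Results header given."""
    found = {}
    for name, value in headers:
        if name.lower() != "authentication-results":
            continue
        # The first ';'-separated field is the authserv-id; the rest are results.
        for clause in value.split(";")[1:]:
            m = RESINFO.match(clause)
            if m:
                found.setdefault(m.group(1).lower(), m.group(2).lower())
    return found

def dmarc_milter_view(smtpd_headers, milter_added):
    """Assumption taken from the post: the first header line is not passed
    to milters, but headers inserted by earlier milters are."""
    return list(smtpd_headers)[1:] + list(milter_added)

def missing_inputs(smtpd_headers, milter_added):
    """Which of the SPF/DKIM results the DMARC milter would not find."""
    seen = auth_results(dmarc_milter_view(smtpd_headers, milter_added))
    return sorted({"spf", "dkim"} - set(seen))

# Constructed sample data (hostnames, addresses and results are made up).
SPF = "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com\n"
DKIM = [("Authentication-Results", "mx.example.org; dkim=pass header.d=example.com")]
REST = "From: alice@example.com\nSubject: test\n\n"

# Header order as the post describes it: prepended lines sit on top.
BEFORE = parse_headers(SPF + REST)                    # SPF result is line 1
AFTER = parse_headers("X-MY: Auth-Res\n" + SPF + REST)  # dummy is line 1

if __name__ == "__main__":
    print("without dummy header, missing:", missing_inputs(BEFORE, DKIM))
    print("with dummy header, missing:   ", missing_inputs(AFTER, DKIM))
```

parse_headers() also accepts the header block of a delivered message, so auth_results() can be used to confirm which methods ended up recorded after the change.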
