[opendmarc-users] SPF checks in OpenDMARC 1.3.x

Wouter de Jong maddog2k at maddog2k.net
Sun May 17 03:28:01 PDT 2015


Hi,

(perhaps this should have gone to opendmarc-dev, not 100% sure)

I'm testing openDMARC 1.3.1 as a milter in Postfix (in combination with
openDKIM) to verify DMARC policy on incoming messages.
Ultimate goal would be to honour the reject policy, unless people would
strongly suggest not to :)

I stumbled upon a few things so far:

1) Does anyone know if and how the quarantine policy would be honoured in
combination with Postfix (2.11)?
I read in the 1.3.0 release notes it requests quarantine from the MTA, but
haven't yet stumbled across something that tells me what Postfix in this
case would do with the message...

2) I let openDMARC do its own SPF checking.
I noticed that the result of the SPF checking was always a 'pass', even for
one of my own test domains with the SPF record "v=spf1 -all".

After looking at the code in opendmarc.c, this seems to 'fix' that in:

@@ -2524,11 +2523,14 @@
 
spf_result,
 
spf_mode,
                                                                     human);
-                       switch (spf_mode)
+                       switch (spf_result)
                        {
                            case DMARC_POLICY_SPF_OUTCOME_PASS:
                                pass_fail = "pass";
                                dfc->mctx_spfresult = ARES_RESULT_PASS;
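Review bot: the `switch` keys on the wrong variable; the `case DMARC_POLICY_SPF_OUTCOME_PASS:` label is an SPF outcome value, which is what `spf_result` holds after the call just above, while `spf_mode` is the mode argument passed into that call, so switching on `spf_mode` can take the `pass_fail = "pass"` / `ARES_RESULT_PASS` arm for a message whose SPF result was not pass, which matches the always-pass symptom described. Changing it to `switch (spf_result)` is the right fix; the remaining `case` arms (not shown in this excerpt) should be checked to confirm they set `pass_fail` and `dfc->mctx_spfresult` for every outcome value. Note also that the pasted hunk has lost its `---`/`+++` file header and its context lines are wrapped, so it will not apply as-is with `patch`.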



Later I came across a post on opendmarc-dev that had already mentioned this
as well:

http://www.trusteddomain.org/pipermail/opendmarc-dev/2014-October/000234.html



3) What is the policy for 'softfail' of SPF in DMARC ... is it defined
somewhere?

As I noticed that in the call to opendmarc_spf_test / opendmarc_spf2_test
the argument for softfail_ok_flag is explicitly passed as FALSE,
thus making a soft fail a hard fail.


4) I also noticed that with an empty/null envelope sender, the
Authentication-Results header would always show an empty 'smtp.helo='
After debugging, the whole 'mlfi_helo' code did not seem to get called at
all.

Removing 'SMFIP_NOHELO' in mlfi_negotiate seems to 'fix' that, as now I
seem to get correct results for smtp.helo:

--- opendmarc/opendmarc.c       2015-05-17 11:03:27.212668728 +0200
+++ opendmarc/opendmarc.c-new   2015-05-17 11:03:20.086610634 +0200
@@ -1585,8 +1585,7 @@
 {
        unsigned long reqactions = SMFIF_ADDHDRS|SMFIF_QUARANTINE;
        unsigned long wantactions = 0;
-       unsigned long protosteps = (SMFIP_NOHELO |
-                                   SMFIP_NOUNKNOWN |
+       unsigned long protosteps = (SMFIP_NOUNKNOWN |
                                    SMFIP_NOBODY |
                                    SMFIP_NODATA |
                                    SMFIP_SKIP );
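Review bot: removing `SMFIP_NOHELO` is the correct change if the milter wants HELO data at all; that protocol step tells the MTA not to deliver the HELO/EHLO callback, so while it is set `mlfi_helo` is never invoked and `smtp.helo=` stays empty, which is exactly the symptom reported for the null-sender case, where SPF (and therefore DMARC's SPF identifier) falls back to the HELO identity. Two things to confirm alongside the change: that the HELO callback is actually registered so that dropping the flag results in `mlfi_helo` being called rather than just an extra round trip, and that the HELO value is only used as the SPF identifier when the envelope sender is empty. The `+++` line names `opendmarc.c-new` rather than `opendmarc.c`, so the path should be adjusted before the diff is submitted or applied with `-p`.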


But maybe SMFIP_NOHELO was in there for a good reason?



Best regards,

Wouter
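Added example, not code from OpenDMARC or from this post: a small Python model of how DMARC consumes an SPF result, covering points 3 and 4 above. Per RFC 7489 only an SPF "pass" on an aligned identifier counts for DMARC, so softfail, neutral, fail and the error results are all equivalent to "no SPF authentication"; and when the envelope sender is empty, SPF is evaluated against the HELO/EHLO identity, which is why a milter that never sees HELO cannot report `smtp.helo`. Function names, the two-label organizational-domain shortcut and the sample scenarios are assumptions made for this illustration.

```python
"""Model of DMARC's use of SPF results (illustrative, not OpenDMARC code).

Rules cited: RFC 7208 (SPF result names, HELO identity for a null
reverse-path) and RFC 7489 (DMARC alignment, "only pass counts").
"""
from typing import Iterable, Optional, Tuple

# SPF result names from RFC 7208 section 2.6.
SPF_RESULTS = {"none", "neutral", "pass", "fail", "softfail", "temperror", "permerror"}


def organizational_domain(domain: str) -> str:
    """Assumption for this example: the organizational domain is the last two
    labels.  Real implementations consult the Public Suffix List (RFC 7489 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_identity(mail_from: Optional[str], helo: str) -> str:
    """Domain DMARC uses as the SPF-authenticated identifier (RFC 7489 3.1.2).

    For a null reverse-path (MAIL FROM:<>, typical for bounces) SPF is checked
    against the HELO/EHLO name, so a receiver that never captured HELO ends up
    with an empty identifier here."""
    if not mail_from or "@" not in mail_from:
        return helo.lower().rstrip(".")
    return mail_from.rsplit("@", 1)[1].lower().rstrip(".")


def identifiers_aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    """RFC 7489 3.1: strict alignment needs an exact match, relaxed alignment
    only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if strict:
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_spf_passes(spf_result: str, spf_domain: str, from_domain: str,
                     aspf: str = "r") -> bool:
    """RFC 7489 4.1: for DMARC purposes only an SPF "pass" counts.

    softfail, neutral, fail, none, temperror and permerror all mean the same
    thing to DMARC: no authenticated identifier.  There is no separate
    softfail policy, which is why a softfail_ok flag makes no difference."""
    result = spf_result.lower()
    if result not in SPF_RESULTS:
        raise ValueError(f"unknown SPF result {spf_result!r}")
    return result == "pass" and identifiers_aligned(spf_domain, from_domain, aspf == "s")


def dmarc_evaluate(from_domain: str, spf_result: str, mail_from: Optional[str],
                   helo: str, dkim_pass_domains: Iterable[str],
                   record: dict) -> Tuple[str, str]:
    """Return (dmarc_result, requested_disposition).

    `record` is an already-parsed DMARC record such as
    {"p": "reject", "aspf": "r", "adkim": "r"}.  A message passes DMARC if
    either aligned SPF or aligned DKIM passes; otherwise the owner's "p="
    disposition applies (pct= and sp= are omitted for brevity)."""
    spf_domain = spf_identity(mail_from, helo)
    spf_ok = dmarc_spf_passes(spf_result, spf_domain, from_domain, record.get("aspf", "r"))
    strict_dkim = record.get("adkim", "r") == "s"
    dkim_ok = any(identifiers_aligned(d, from_domain, strict_dkim) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record.get("p", "none")


if __name__ == "__main__":
    # Constructed scenarios; example.com is a documentation domain.
    record = {"p": "reject", "aspf": "r", "adkim": "r"}
    # (3) softfail with no DKIM: DMARC fails and reject is requested.
    print(dmarc_evaluate("example.com", "softfail", "news@example.com", "mx.example.com", [], record))
    # (4) bounce with empty envelope sender: HELO identity carries SPF.
    print(dmarc_evaluate("example.com", "pass", "", "mx.example.com", [], record))
    # (4) same bounce, but the milter never saw HELO: identifier is empty, DMARC fails.
    print(dmarc_evaluate("example.com", "pass", "", "", [], record))
```

The third scenario is the one the post's `SMFIP_NOHELO` observation corresponds to: with the HELO name missing, an SPF pass on the HELO identity cannot be tied to any domain, so it cannot be aligned and DMARC falls through to the domain owner's policy.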


