[opendmarc-users] opendmarc & smf-spf

[Steve Jenkins]

On Mon, Nov 30, 2015 at 7:12 AM, Benny Pedersen <me at junc.eu> wrote:

> A. Schulze skrev den 2015-11-30 15:38:
>
>> Am 30.11.2015 um 11:52 schrieb Django [BOfH]:
>>
>>> How good is opendmarc's own spf-implementation? Is it robust enough for
>>> production.use? Or exists a nother milter for spf review?
>>>
>>
>> I do not use nor recommend opendmarc's own spf-implementation.
>>
>
> why not ?
>
> but prefer smf-spf with my own set of patches (
>> https://andreasschulze.de/spf)
>>
>
> neat patches, but i dont use smf-spf
>
> would it not make sense to make opendmarc spf safe(r) on its own ?
>
> yes i have sayed it before and properly again :(
>
> make opendkim sign only, and make opendmarc verify spf / dkim
>
> and opendkim could still do the verify aswell, redesign librarys to latest
> rfcs that is then used in openspf/opendkim/opendmarc, that way we make sure
> all is up2date with latest rfcs, but stiill have the flexibility to install
> and use as we wish
>
> Also remember that SPF-Results added by a postfix policy daemon
>> require a recent version of postfix ( > 2.10.x ? )
>> A SFP-Milter work also with older postfix versions.
>>
>
> same does pypolicyd-spf
>
> see headers from this maillists here breaks dkim :(


I don't remember the exact examples right now, but I do remember a
discussion where we demonstrated at least one case where the libspf2
library did a better job of appropriately verifying inbound SPF records
than opendmarc.

Matt Domsch (https://github.com/mdomsch) and I co-maintain the libspf2
package for Fedora and do our best to keep it up-to-date, and the Fedora
opendmarc package builds against the Fedora libspf2.

I know that Scott Kitterman does the same for opendmarc on FreeBSD.

Anyone remember why we all agreed it was "better?" :)

SteveJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20151130/880e9e86/attachment.htm>