[opendmarc-users] opendmarc & smf-spf

Scott Kitterman sklist at kitterman.com
Mon Nov 30 14:51:12 PST 2015


On Monday, November 30, 2015 02:15:39 PM Steve Jenkins wrote:
> On Mon, Nov 30, 2015 at 7:12 AM, Benny Pedersen <me at junc.eu> wrote:
> > A. Schulze wrote on 2015-11-30 15:38:
> >> On 30.11.2015 at 11:52, Django [BOfH] wrote:
> >>> How good is opendmarc's own spf-implementation? Is it robust enough for
> >>> production use? Or exists another milter for spf review?
> >> 
> >> I do not use nor recommend opendmarc's own spf-implementation.
> > 
> > why not ?
> > 
> > but prefer smf-spf with my own set of patches (
> > 
> >> https://andreasschulze.de/spf)
> > 
> > neat patches, but i don't use smf-spf
> > 
> > would it not make sense to make opendmarc spf safe(r) on its own ?
> > 
> > yes i have said it before and properly again :(
> > 
> > make opendkim sign only, and make opendmarc verify spf / dkim
> > 
> > and opendkim could still do the verify as well, redesign libraries to latest
> > rfcs that is then used in openspf/opendkim/opendmarc, that way we make sure
> > all is up2date with latest rfcs, but still have the flexibility to install
> > and use as we wish
> > 
> > Also remember that SPF-Results added by a postfix policy daemon
> > 
> >> require a recent version of postfix ( > 2.10.x ? )
> >> A SPF-Milter works also with older postfix versions.
> > 
> > same does pypolicyd-spf
> > 
> > see headers from this maillists here breaks dkim :(
> 
> I don't remember the exact examples right now, but I do remember a
> discussion where we demonstrated at least one case where the libspf2
> library did a better job of appropriately verifying inbound SPF records
> than opendmarc.
> 
> Matt Domsch (https://github.com/mdomsch) and I co-maintain the libspf2
> package for Fedora and do our best to keep it up-to-date, and the Fedora
> opendmarc package builds against the Fedora libspf2.
> 
> I know that Scott Kitterman does the same for opendmarc on FreeBSD.
> 
> Anyone remember why we all agreed it was "better?" :)

Actually I do it for Debian, which then also flows to derivatives like Ubuntu.

The one thing I could never find in the embedded code was where the processing 
limits were enforced.  I'm not an ace C programmer, so I can't swear it's not 
there.  Personally, I think that an SPF implementation that doesn't support at 
least the RFC 4408 processing limits should never be used.

Scott K
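
An added illustration of the RFC 4408 processing limit mentioned in this message (not code from opendmarc, libspf2 or anyone in the thread): a small C walker that keeps one counter of DNS-querying terms for the whole check, shared across include and redirect, and returns PermError once it passes 10. The zone table and function names are constructed for the example; it counts every term as if no earlier mechanism matched, expects lowercase names without macros, and does not model the separate MX/PTR name limits.

```c
#include <string.h>
#define SPF_MAX_DNS_TERMS 10   /* RFC 4408 section 10.1 */
enum { SPF_OK = 0, SPF_PERMERROR = -1 };
/* Constructed records standing in for DNS TXT answers. */
static const char *ZONE[][2] = {
    {"ok.example",     "v=spf1 mx a:mail.ok.example ip4:192.0.2.0/24 -all"},
    {"ten.example",    "v=spf1 a mx a mx a mx a mx a mx -all"},
    {"eleven.example", "v=spf1 include:ten.example -all"},
    {"loop.example",   "v=spf1 include:loop.example -all"},
};

static const char *txt_lookup(const char *d, size_t n) {
    for (size_t i = 0; i < sizeof ZONE / sizeof ZONE[0]; i++)
        if (strlen(ZONE[i][0]) == n && !strncmp(ZONE[i][0], d, n)) return ZONE[i][1];
    return NULL;
}

/* Matches "a", "a:dom", "a/24" and so on, but not "all". */
static int is_mech(const char *t, size_t n, const char *name) {
    size_t k = strlen(name);
    return n >= k && !strncmp(t, name, k) && (n == k || t[k] == ':' || t[k] == '/');
}

/* One counter covers the whole check, including included/redirected records. */
static int spf_walk(const char *dom, size_t dlen, int *lookups) {
    const char *p = txt_lookup(dom, dlen);
    if (!p) return SPF_PERMERROR;   /* include/redirect target without a record */
    while (*p) {
        const char *t = p, *end = p + strcspn(p, " ");
        if (t < end && strchr("+-~?", *t)) t++;   /* skip the qualifier */
        size_t n = (size_t)(end - t);
        size_t skip = (n > 8 && !strncmp(t, "include:", 8)) ? 8
                    : (n > 9 && !strncmp(t, "redirect=", 9)) ? 9 : 0;
        if (skip || is_mech(t, n, "a") || is_mech(t, n, "mx") ||
            is_mech(t, n, "ptr") || (n > 7 && !strncmp(t, "exists:", 7))) {
            if (++*lookups > SPF_MAX_DNS_TERMS) return SPF_PERMERROR;
            if (skip && spf_walk(t + skip, n - skip, lookups) != SPF_OK)
                return SPF_PERMERROR;
        }
        p = end + strspn(end, " ");
    }
    return SPF_OK;
}

/* Hypothetical entry point: result code, with the term count in *lookups. */
int spf_check_limits(const char *domain, int *lookups) {
    *lookups = 0;
    return spf_walk(domain, strlen(domain), lookups);
}
```

The self-including loop.example record ends in PermError after the eleventh term, so the same counter that caps lookups also stops include loops.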

