[opendmarc-users] troubleshooting an opendmarc 1.3.1 auth failure?
Petr Novák
novakp43 at gmail.com
Tue May 10 08:06:34 PDT 2016
Hello,
I think you should check if you have properly set up TrustedAuthservIDs,
SPFIgnoreResults and SPFSelfValidate in your opendmarc.conf . So that
opendmarc will know which SPF/DKIM results it should use.
In your example it should look like:
SPFIgnoreResults false
SPFSelfValidate false
TrustedAuthservIDs spf.mail.example.com,mail.example.com
Insert the correct hostnames after TrustedAuthservIDs...
BTW Milters work fine with content_filter they just dont work with
smtpd_proxy_filter because the order of mail processing in postfix is(as
I read somewhere :) )
- postscreen
- smtpd_*_restrictions
- milter SMTP command inspection
- smtpd_proxy_filter
- header_checks, body_checks
- milter header/body inspection
- content_filter
That means the mail is sent to smtpd_proxy_filter before milter
header/body inspection. So the milters which needs to check headers/body
wont work after smtpd_proxy_filter. But that looks like its not your
case because they clearly work as you can see their results in headers.
Best regards
Petr Novak
Dne 10.5.2016 v 15:36 jasonsu at mail-central.com napsal(a):
>
>
>>> On Tue, May 10, 2016, at 12:30 AM, Patrick Ben Koetter wrote:
>> * Juri Haberland <juri at sapienti-sat.org>:
>
> Thanks, both, for the comments/info re: the mixing of milters/filters. ( no prob with the German! ;-) )
>
> In any case, it's clear I'd better get this understood, before I cause myself problems :-/
>
> TBH, I don't understand yet why that's a problem when there are different smtpd instances -- one doing the SPF check, one doing the DKIM check, and one doing the DMARC check. I thought that in that case the message simply gets checked, then passed along.
>
> Local relay/delivery happens after all my checks, and again has its own smtpd instance. It clearly gets the complete message for delivery ... as the whole message gets delivered.
>
> What am I missing here?
>
> Also, in my OP, that's just one example of a fail. non-spam mail reports successful delivery
>
> Here, for example, are headers from a subsequent, successful, non-spam message. As you can see, spf, dkim, and dmarc checks all appear to be completed, and content is spam-scored
>
> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
> mail.example.com
> X-Spam-Scanned: spamassassin at amavis.mail.example.com
> X-Spam-Flag: NO
> X-Spam-Score: 1.833
> ...
> DMARC-Filter: OpenDMARC Filter v1.3.1 mail.example.com 2d7l8g9gTLd4bbf
> Authentication-Results: dmarc.mail.example.com/2d7l8g9gTLd4bbf; dmarc=none header.from=e.hertzusa.brierleycrm.com
> ...
> Authentication-Results: mail.example.com (amavisd-new);
> dkim=pass (1024-bit key) header.d=e.hertzusa.brierleycrm.com
> ...
> Authentication-Results: spf.mail.example.com; spf=pass (sender SPF authorized) smtp.mailfrom=bounce.e.hertzusa.brierleycrm.com (client-ip=141.206.150.29; helo=onfize-twni.cainus.teradatadmc.com; envelope-from=g-4... at bounce.e.hertzusa.brierleycrm.com; receiver=user at example.com)
>
> So I admit to being a little confused -- if what you suggest is the case, that "milters+filters" won't work, why I am I seeing success here?
>
> Jason
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>
More information about the opendmarc-users
mailing list