[opendmarc-users] troubleshooting an opendmarc 1.3.1 auth failure?

Petr Novák novakp43 at gmail.com
Tue May 10 08:06:34 PDT 2016


Hello,

I think you should check if you have properly set up TrustedAuthservIDs, 
SPFIgnoreResults and SPFSelfValidate in your opendmarc.conf . So that 
opendmarc will know which SPF/DKIM results it should use.

In your example it should look like:

SPFIgnoreResults false
SPFSelfValidate false
TrustedAuthservIDs spf.mail.example.com,mail.example.com

Insert the correct hostnames after TrustedAuthservIDs...


BTW Milters work fine with content_filter they just dont work with 
smtpd_proxy_filter because the order of mail processing in postfix is(as 
I read somewhere :) )

- postscreen
- smtpd_*_restrictions
- milter SMTP command inspection
- smtpd_proxy_filter
- header_checks, body_checks
- milter header/body inspection
- content_filter

That means the mail is sent to smtpd_proxy_filter before milter 
header/body inspection. So the milters which needs to check headers/body 
wont work after smtpd_proxy_filter. But that looks like its not your 
case because they clearly work as you can see their results in headers.

Best regards
   Petr Novak

Dne 10.5.2016 v 15:36 jasonsu at mail-central.com napsal(a):
>
>
>>> On Tue, May 10, 2016, at 12:30 AM, Patrick Ben Koetter wrote:
>> * Juri Haberland <juri at sapienti-sat.org>:
>
> Thanks, both, for the comments/info re: the mixing of milters/filters. ( no prob with the German! ;-) )
>
> In any case, it's clear I'd better get this understood, before I cause myself problems :-/
>
> TBH, I don't understand yet why that's a problem when there are different smtpd instances -- one doing the SPF check, one doing the DKIM check, and one doing the DMARC check.  I thought that in that case the message simply gets checked, then passed along.
>
> Local relay/delivery happens after all my checks, and again has its own smtpd instance.  It clearly gets the complete message for delivery ... as the whole message gets delivered.
>
> What am I missing here?
>
> Also, in my OP, that's just one example of a fail.  non-spam mail reports successful delivery
>
> Here, for example, are headers from a subsequent, successful, non-spam message.  As you can see, spf, dkim, and dmarc checks all appear to be completed, and content is spam-scored
>
> 	X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
> 		mail.example.com
> 	X-Spam-Scanned: spamassassin at amavis.mail.example.com
> 	X-Spam-Flag: NO
> 	X-Spam-Score: 1.833
> 	...
> 	DMARC-Filter: OpenDMARC Filter v1.3.1 mail.example.com 2d7l8g9gTLd4bbf
> 	Authentication-Results: dmarc.mail.example.com/2d7l8g9gTLd4bbf; dmarc=none header.from=e.hertzusa.brierleycrm.com
> 	...
> 	Authentication-Results: mail.example.com (amavisd-new);
> 		dkim=pass (1024-bit key) header.d=e.hertzusa.brierleycrm.com
> 	...
> 	Authentication-Results: spf.mail.example.com; spf=pass (sender SPF authorized) smtp.mailfrom=bounce.e.hertzusa.brierleycrm.com (client-ip=141.206.150.29; helo=onfize-twni.cainus.teradatadmc.com; envelope-from=g-4... at bounce.e.hertzusa.brierleycrm.com; receiver=user at example.com)
>
> So I admit to being a little confused -- if what you suggest is the case, that "milters+filters" won't work, why I am I seeing success here?
>
> Jason
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>


More information about the opendmarc-users mailing list