<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Christoph,<br>
    We weren't happy running hacked code, so what we've settled on is
    described here:<br>
    <blockquote type="cite">
      <pre wrap="">We ultimately adopted Scott's solution of using policyd-spf in the
primary instance of smtpd, and then applying opendkim/opendmarc milters
in the post-content-filter instance.  We're not currently rejecting
based on DMARC, so have not yet considered the ramifications of this in
re back-scatter, as Andreas has pointed out.</pre>
    </blockquote>
    Scott Kitterman's original explanation of that is here:<br>
    <blockquote type="cite"><pre wrap="">Instead of doing everything in one smtpd process, I have two.

Usual:

smtpd ------> post-delivery processing (massive oversimplification)
    |
    |
SPF policy daemon
opendkim
opendmarc

Mine:

smtpd    -> transparent    -> smtpd    -> post-delivery processing
    |   filter (spam/virus)     |
SPF policyd                  opendkim
                             opendmarc

My reason to do it this way was to minimize pre-queue filtering, but as a side 
benefit, the SPF authentication results have already been inserted by a previous 
process before the smtpd that sends it to the milters acts on it.  That 
should, I think, avoid the problem.

Also, you can't do DKIM/DMARC as a policy daemon because the information you 
need isn't exposed to the policy interface.
</pre></blockquote>
    Perhaps you'll have better luck with this approach.<br>
    Cheers,<br>
        -nic<br>
    <br>
    <div class="moz-cite-prefix">On 08/12/2014 12:44 PM, Christoph
      Steindl wrote:<br>
    </div>
    <blockquote cite="mid:53EA5261.8080804@univie.ac.at" type="cite">
      Hey Nic,<br>
      <br>
      Thanks for the references. I switched to the spf-milter-python
      package but there is still one problem. You said that it is
      necessary to change the index where to put the spf header. I did
      so but now the spf validation results in "spf 1" in the history
      file. I attached my changes as *.diff (the changes are around line
      295). I tried different indices which had an effect on the spf
      header position, but always resulted in "spf -1" or "spf 1". In
      case you have any ideas please let me know.<br>
      <br>
      Regards,<br>
      Christoph<br>
      <br>
      <div class="moz-cite-prefix">On 2014-08-12 00:30, Nic
        Bernstein wrote:<br>
      </div>
      <blockquote cite="mid:53E943FF.3020801@onlight.com" type="cite">
        Please take a look in this mailing list's archives for these
        subject lines:<br>
        <ul>
          <li>"pypolicyd-spf integration" from March of this year</li>
          <li>"OpenDMARC Postfix SPF implementation" from April of this
            year<br>
          </li>
        </ul>
        Those messages will tell you all you need to get this working.<br>
        <br>
        Cheers,<br>
            -nic<br>
        <br>
        Archives are here: <a moz-do-not-send="true"
          class="moz-txt-link-freetext"
          href="http://www.trusteddomain.org/mailman/listinfo/opendmarc-users">http://www.trusteddomain.org/mailman/listinfo/opendmarc-users</a><br>
        <br>
        <div class="moz-cite-prefix">On 08/11/2014 09:05 AM, Christoph
          Steindl wrote:<br>
        </div>
        <blockquote cite="mid:53E8CD91.6060609@univie.ac.at" type="cite">Hello,
          <br>
          <br>
          I still have some troubles with the spf validation in
          opendmarc. Currently I'm using postfix with opendkim,
          postfix-policyd-spf-python and opendmarc (v. 1.3.0). The spf
          module adds a "Received-SPF:" header with the right results
          and the opendkim milter adds an "Authentication-Results:"
          header with the right results. But in the history files, which
          are used to generate the reports, spf always fails (spf = -1).
          See the logs for an email from gmail to my own domain below.
          It would be great if somebody could help me with this problem.
          <br>
          <br>
          Thanks in advance, <br>
          Christoph <br>
          <br>
          <br>
          <br>
          history file (opendmarc): <br>
          ######################### <br>
          job 2922AAC0303 <br>
          reporter dmarctest.info <br>
          received 1407764522 <br>
          ipaddr 209.85.212.180 <br>
          from gmail.com <br>
          mfrom gmail.com <br>
          dkim gmail.com 0       # dkim is ok <br>
          spf -1                         # spf has a problem <br>
          pdomain gmail.com <br>
          policy 15 <br>
          rua <a moz-do-not-send="true" class="moz-txt-link-freetext"
            href="mailto:mailauth-reports@google.com">mailto:mailauth-reports@google.com</a>
          <br>
          pct 100 <br>
          adkim 114 <br>
          aspf 114 <br>
          p 110 <br>
          sp 0 <br>
          align_dkim 4 <br>
          align_spf 5 <br>
          action 2 <br>
          ######################### <br>
          <br>
          <br>
          Mail header: <br>
          ######################### <br>
          Return-Path: <a moz-do-not-send="true"
            class="moz-txt-link-rfc2396E" href="mailto:test@gmail.com">&lt;test@gmail.com&gt;</a>
          <br>
          X-Original-To: <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:christoph@mydomain.com">christoph@mydomain.com</a>
          <br>
          Delivered-To: <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:christoph@mydomain.com">christoph@mydomain.com</a>
          <br>
          Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
          client-ip=209.85.212.179; helo=mail-wi0-f179.google.com; <a
            moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="mailto:envelope-from=test@gmail.com">envelope-from=test@gmail.com</a>;
          <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="mailto:receiver=christoph@mydomain.com">receiver=christoph@mydomain.com</a>
          <br>
          Authentication-Results: mydomain.com; dkim=pass <br>
              reason="2048-bit key; unprotected key" <br>
              header.d=gmail.com <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:header.i=@gmail.com">header.i=@gmail.com</a>
          header.b=jZobihA3; <br>
              dkim-adsp=pass; dkim-atps=neutral <br>
          Received: from mail-wi0-f179.google.com
          (mail-wi0-f179.google.com [209.85.212.179]) <br>
              (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128
          bits)) <br>
              (Client CN "smtp.gmail.com", Issuer "Google Internet
          Authority G2" (verified OK)) <br>
              by mydomain.com (Postfix) with ESMTPS id 96E56AC0303 <br>
              for <a moz-do-not-send="true"
            class="moz-txt-link-rfc2396E"
            href="mailto:christoph@mydomain.com">&lt;christoph@mydomain.com&gt;</a>;
          Mon, 11 Aug 2014 15:22:37 +0200 (CEST) <br>
          Received: by mail-wi0-f179.google.com with SMTP id
          f8so4191754wiw.6 <br>
              for <a moz-do-not-send="true"
            class="moz-txt-link-rfc2396E"
            href="mailto:christoph@mydomain.com">&lt;christoph@mydomain.com&gt;</a>;
          Mon, 11 Aug 2014 06:25:17 -0700 (PDT) <br>
          DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; <br>
              d=gmail.com; s=20120113; <br>
              h=message-id:date:from; <br>
              bh=+5MTaFlEEPuOhZYsC4F3LrgZyCMC4AuHpjeVyA5jfOo=; <br>
          b=jZobihA3nuRSbCmvYfTOIEPekkcFXLGTI9jJhuztBd+31/G9vbgckfzW3EgpzTmjhH
          <br>
          t06JI+rNJYLtxAW8c9HlW61VUYVjIAWml3zBP/mRoCzz13pOJjkkt2tZ3Q6FxODc6kKh
          <br>
          BsI7mNGtF/GUgJCnYmXAD8JWEtulUWD/NzVG47cLiQQY0DmvgMdPlQHVFutO2iUyqKLP
          <br>
          tGeymgsjAMJAzCMknwVTb560Khuv3OduxFgitnaUK7CP/yGsUuWDCn339XeWCoVrysIG
          <br>
          HQos4Gr7FLSWjoR0WZ8tnirAWPrNrTCex9i9kO1rxQuV9WGVSbf+eKj76fCILKaFQSt5
          <br>
              G8lQ== <br>
          X-Received: by 10.180.73.235 with SMTP id
          o11mr25722870wiv.41.1407763517782; <br>
              Mon, 11 Aug 2014 06:25:17 -0700 (PDT) <br>
          Received: from eos.fc.univie.ac.at
          ([2001:62a:4:2401:1aa9:5ff:fef0:6c47]) <br>
              by mx.google.com with ESMTPSA id
          dc3sm1598986wjc.27.2014.08.11.06.25.17 <br>
              for <a moz-do-not-send="true"
            class="moz-txt-link-rfc2396E"
            href="mailto:christoph@mydomain.com">&lt;christoph@mydomain.com&gt;</a>
          <br>
              (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
          bits=128/128); <br>
              Mon, 11 Aug 2014 06:25:17 -0700 (PDT) <br>
          Message-ID: <a moz-do-not-send="true"
            class="moz-txt-link-rfc2396E"
            href="mailto:53e8c43d.03b3c20a.718e.617d@mx.google.com">&lt;53e8c43d.03b3c20a.718e.617d@mx.google.com&gt;</a>
          <br>
          Date: Mon, 11 Aug 2014 06:25:17 -0700 (PDT) <br>
          From: <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:test@gmail.com">test@gmail.com</a> <br>
          Authentication-Results: mydomain.com; dmarc=pass
          header.from=gmail.com <br>
          DMARC-Filter: OpenDMARC Filter v1.3.0 mydomain.com 96E56AC0303
          <br>
          ... <br>
          ######################### <br>
          <br>
          <br>
          mail.log (system): <br>
          ######################### <br>
          ... <br>
          policyd-spf[6312]: None; identity=helo;
          client-ip=74.125.82.50; helo=mail-wg0-f50.google.com; <a
            moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="mailto:envelope-from=test@gmail.com">envelope-from=test@gmail.com</a>;
          <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="mailto:receiver=christoph@mydomain.com">receiver=christoph@mydomain.com</a>
          <br>
          policyd-spf[6312]: Pass; identity=mailfrom;
          client-ip=74.125.82.50; helo=mail-wg0-f50.google.com; <a
            moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="mailto:envelope-from=test@gmail.com">envelope-from=test@gmail.com</a>;
          <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="mailto:receiver=christoph@mydomain.com">receiver=christoph@mydomain.com</a>
          <br>
          postfix/smtpd[6309]: A6290AC0303:
          client=mail-wg0-f50.google.com[74.125.82.50] <br>
          postfix/cleanup[6313]: A6290AC0303: message-id=<a
            moz-do-not-send="true" class="moz-txt-link-rfc2396E"
            href="mailto:53e8c302.26bbb40a.1ef5.ffff8f32@mx.google.com">&lt;53e8c302.26bbb40a.1ef5.ffff8f32@mx.google.com&gt;</a>
          <br>
          opendkim[12505]: A6290AC0303: mail-wg0-f50.google.com
          [74.125.82.50] not internal <br>
          opendkim[12505]: A6290AC0303: not authenticated <br>
          opendkim[12505]: A6290AC0303: s=20120113 d=gmail.com SSL <br>
          opendmarc[2145]: A6290AC0303: gmail.com pass <br>
          ... <br>
          ######################### <br>
          <br>
          <br>
          main.cf (postfix): <br>
          ######################### <br>
          ... <br>
          smtpd_recipient_restrictions = reject_unknown_client_hostname,
          <br>
              reject_unknown_sender_domain,
          reject_unknown_recipient_domain, <br>
              reject_unauth_pipelining, permit_mynetworks, <br>
              permit_sasl_authenticated, reject_unauth_destination, <br>
              reject_invalid_hostname, reject_non_fqdn_sender,
          check_policy_service unix:private/policy-spf <br>
          ... <br>
          policy-spf_time_limit = 3600s <br>
          ... <br>
          smtpd_milters = unix:/var/run/opendkim/opendkim.sock
          unix:/var/run/opendmarc/opendmarc.sock <br>
          ... <br>
          ######################### <br>
          <br>
          <br>
          master.cf (postfix): <br>
          ######################### <br>
          ... <br>
          policy-spf  unix  -       n       n       -       0       spawn <br>
               user=policyd-spf argv=/usr/bin/policyd-spf <br>
          ... <br>
          ######################### <br>
          _______________________________________________ <br>
          opendmarc-users mailing list <br>
          <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="mailto:opendmarc-users@trusteddomain.org">opendmarc-users@trusteddomain.org</a>
          <br>
          <a moz-do-not-send="true" class="moz-txt-link-freetext"
            href="http://www.trusteddomain.org/mailman/listinfo/opendmarc-users">http://www.trusteddomain.org/mailman/listinfo/opendmarc-users</a>
          <br>
        </blockquote>
        <br>
        <pre class="moz-signature" cols="72">-- 
Nic Bernstein                             <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:nic@onlight.com">nic@onlight.com</a>
Onlight llc.                              <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.onlight.com">www.onlight.com</a>
219 N. Milwaukee St., Ste. 2A             v. 414.272.4477
Milwaukee, Wisconsin  53202               f. 414.290.0335
</pre>
      </blockquote>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Nic Bernstein                             <a class="moz-txt-link-abbreviated" href="mailto:nic@onlight.com">nic@onlight.com</a>
Onlight llc.                              <a class="moz-txt-link-abbreviated" href="http://www.onlight.com">www.onlight.com</a>
219 N. Milwaukee St., Ste. 2A             v. 414.272.4477
Milwaukee, Wisconsin  53202               f. 414.290.0335
</pre>
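    <br>
    The two-instance layout Scott Kitterman describes in the quoted message
    above, and which Nic reports adopting, written out as Postfix
    configuration. This is an added example, not configuration posted in
    this thread or shipped by Postfix, OpenDKIM or OpenDMARC. It assumes a
    transparent content filter that listens on 127.0.0.1:10025 and re-injects
    on 127.0.0.1:10026 using XFORWARD, names that transport "scan", and
    reuses the policy-spf service and the milter socket paths from
    Christoph's main.cf and master.cf; everything else is the standard
    Postfix after-queue filter pattern:<br>

```postfix
# ---- main.cf (added example) ----
# Global settings apply to the Internet-facing smtpd. No milters here:
# the re-injection smtpd below names them explicitly.
smtpd_milters =
non_smtpd_milters =
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policy-spf
policy-spf_time_limit = 3600s
# Hand every accepted message to the transparent filter. The filter is
# assumed to re-inject on 127.0.0.1:10026 with XFORWARD enabled.
content_filter = scan:[127.0.0.1]:10025

# ---- master.cf (added example) ----
# 1. Internet-facing smtpd: policyd-spf runs here and prepends Received-SPF
#    before the message is queued, exactly as in the "Usual" layout.
smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_milters=

# SPF policy daemon, as in Christoph's master.cf.
policy-spf  unix  -       n       n       -       0       spawn
        user=policyd-spf argv=/usr/bin/policyd-spf

# 2. Delivery to the transparent (spam/virus) filter. XFORWARD carries the
#    original client address and HELO name so the milters downstream do not
#    see 127.0.0.1 as the connecting client.
scan      unix  -       -       n       -       10      smtp
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes

# 3. Re-injection smtpd: opendkim and opendmarc run here, after the SPF
#    result is already in the message. Accept only from the local filter
#    and clear content_filter so the message cannot loop.
127.0.0.1:10026 inet  n  -       n       -       10      smtpd
        -o content_filter=
        -o smtpd_milters=unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o mynetworks=127.0.0.0/8
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o local_recipient_maps=
        -o relay_recipient_maps=
```

    Two points matter for the OpenDMARC history file that started this
    thread. First, the milters only run in the 127.0.0.1:10026 instance, so
    by the time they see the message the Received-SPF header from
    policyd-spf is part of it; that is the ordering Scott's layout
    guarantees. Second, without smtpd_authorized_xforward_hosts on the
    re-injection instance, Postfix reports 127.0.0.1 as the client to the
    milters, so opendkim treats the mail as internal and the history
    "ipaddr" line no longer reflects the real sending host; the filter must
    therefore actually send XFORWARD (for amavisd-new this is its
    forward_method target, shown here as 127.0.0.1:10026). Apply with
    "postfix reload" and confirm in mail.log that the policyd-spf lines
    appear on the first smtpd's queue ID and the opendkim/opendmarc lines on
    the second.<br>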
  </body>
</html>