Hi Nic,

I have a similar setup: Postfix 2.9.6, python-policyd-spf 1.0, OpenDKIM 2.7.4, OpenDMARC 1.1.2. In my case it works fine. I see the Received-SPF field added at the top of the message header and Authentication-Results fields for DKIM and DMARC added at the bottom of the header. As far as I know, the DMARC results also take SPF into account.
My master.cf has:

# SPF policy server
policyd-spf  unix  -       n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf

And main.cf:

# spf policy server
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600

#milter_default_action = accept
#milter_protocol = 2
smtpd_milters = unix:private/opendkim unix:private/opendmarc
non_smtpd_milters = unix:private/opendkim

Best,
Maarten

On 16 Aug. 2013, at 22:43, Nic Bernstein wrote:

> Folks,
> We are attempting to deploy opendmarc(1.1.3) for receiving, with Postfix
> (2.9.2), pypolicyd-spf(1.2) and OpenDKIM(2.6.8). We are getting mixed
> results, in that while we do see the proper Authentication-Results headers
> in our messages, opendmarc seems not to see the SPF headers. Here is a
> sample from a recent test message:
>
> Authentication-Results: smtp.onlight.com; spf=pass (sender SPF authorized)
>         smtp.mailfrom=gmail.com (client-ip=209.85.212.68;
>         helo=mail-vb0-f68.google.com; [email protected];
>         [email protected])
> Authentication-Results: smtp.onlight.com; dkim=pass
>         reason="2048-bit key; insecure key"
>         header.d=gmail.com [email protected] header.b=gzXzLLLE;
>         dkim-adsp=pass; dkim-atps=neutral
> <...>
> Authentication-Results: ujiji.onlight.com/E85322025F; dmarc=pass
>         header.from=gmail.com
>
> However, in the history file we see this:
>
> job E85322025F
> reporter smtp.onlight.com
> received 1376684253
> ipaddr 209.85.212.68
> from gmail.com
> mfrom gmail.com
> dkim gmail.com 0
> spf -1
> pdomain gmail.com
> policy 15
> rua mailto:[email protected]
> pct 100
> adkim 114
> aspf 114
> p 110
> sp 0
> align_dkim 4
> align_spf 5
> action 2
>
> We have postfix configured like so:
>
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions = permit_sasl_authenticated,
>         permit_mynetworks,
>         reject_unknown_recipient_domain,
>         reject_unauth_pipelining,
>         reject_unauth_destination,
>         check_policy_service unix:private/policyd-spf,
>         permit_auth_destination,
>         reject
> smtpd_milters = unix:/var/run/opendkim/opendkim.sock
>         unix:/var/run/opendmarc/opendmarc.sock
>
> /etc/postfix/master.cf:
> policyd-spf unix - n n - 0 spawn
>         user=nobody argv=/usr/bin/policyd-spf
>
> Yet it appears that the Authentication-Results header from pypolicyd-spf
> is not in the message when it is processed by opendmarc. We turned on full
> debugging in pypolicyd-spf, and added some debugging to mlfi_eom in an
> effort to see what's going on, but while we do see the opendkim headers
> being processed (result_method=1,5,7), we do not see the
> SPF(result_method=4) stuff at all. It appears we're not even entering the
> "if (ar.ares_result[c].result_method == ARES_METHOD_SPF)" section of
> mlfi_eom(), even though pypolicyd-spf appears to be prepending the proper
> header, and we do see that header in the final email:
>
> Aug 16 15:17:26 ujiji postfix/postscreen[10307]: CONNECT from [209.85.212.68]:57743 to [10.10.1.25]:25
> Aug 16 15:17:32 ujiji postfix/postscreen[10307]: PASS NEW [209.85.212.68]:57743
> Aug 16 15:17:32 ujiji postfix/smtpd[10308]: connect from mail-vb0-f68.google.com[209.85.212.68]
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "request=smtpd_access_policy"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "protocol_state=RCPT"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "protocol_name=ESMTP"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "client_address=209.85.212.68"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "client_name=mail-vb0-f68.google.com"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "reverse_client_name=mail-vb0-f68.google.com"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "helo_name=mail-vb0-f68.google.com"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "[email protected]"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "[email protected]"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "recipient_count=0"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "queue_id="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "instance=2844.520e88dc.c27e5.0"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "size=0"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "etrn_domain="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "stress="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "sasl_method="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "sasl_username="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "sasl_sender="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "ccert_subject="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "ccert_issuer="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "ccert_fingerprint="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "ccert_pubkey_fingerprint="
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "encryption_protocol=TLSv1"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "encryption_cipher=RC4-SHA"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: "encryption_keysize=128"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Read line: ""
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Found the end of entry
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Config: {'Mail_From_reject': 'Fail', 'Header_Type': 'AR', 'Whitelist': '10.10.1.0/24,10.8.0.0/24', 'PermError_reject': 'False', 'HELO_reject': 'SPF_Not_Pass', 'Authserv_Id': 'smtp.onlight.com', 'defaultSeedOnly': 1, 'debugLevel': 9, 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'TempError_Defer': 'False'}
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Cached data for this instance: []
> Aug 16 15:17:32 ujiji policyd-spf[10329]: spfcheck: pyspf result: "['None', '', 'helo']"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: None; identity=helo; client-ip=209.85.212.68; helo=mail-vb0-f68.google.com; [email protected]; [email protected]
> Aug 16 15:17:32 ujiji policyd-spf[10329]: spfcheck: pyspf result: "['Pass', 'sender SPF authorized', 'mailfrom']"
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Pass; identity=mailfrom; client-ip=209.85.212.68; helo=mail-vb0-f68.google.com; [email protected]; [email protected]
> Aug 16 15:17:32 ujiji policyd-spf[10329]: Action: prepend: Text: Authentication-Results: smtp.onlight.com; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=209.85.212.68; helo=mail-vb0-f68.google.com; [email protected]; [email protected])
> Aug 16 15:17:32 ujiji postfix/smtpd[10308]: E85322025F: client=mail-vb0-f68.google.com[209.85.212.68]
> Aug 16 15:17:33 ujiji postfix/cleanup[10349]: E85322025F: message-id=<caauc_hbtw3iqgdknduz+g71umh_bfzzdkr0xrybnwwup7co...@mail.gmail.com>
> Aug 16 15:17:33 ujiji opendmarc[9419]: mlfi_eom: entered
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=Authentication-Results
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=Received
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=DKIM-Signature
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=DomainKey-Signature
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=Received
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=Subject
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=From
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=Reply-To
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=To
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=Date
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=Message-ID
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=X-Mailer
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=X-Campaign
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=X-campaignid
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=X-Report-Abuse
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=X-MC-User
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=x-accounttype
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=List-Unsubscribe
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=Sender
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=x-mcda
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=Content-Type
> Aug 16 15:17:33 ujiji opendmarc[8186]: mlfi_eom: hdr_name=MIME-Version
> Aug 16 15:17:33 ujiji opendmarc[9419]: mlfi_eom: c=0 result_method=1 result_result=0
> Aug 16 15:17:33 ujiji opendmarc[9419]: mlfi_eom: c=1 result_method=5 result_result=0
> Aug 16 15:17:33 ujiji opendmarc[9419]: mlfi_eom: c=2 result_method=7 result_result=3
> Aug 16 15:17:33 ujiji opendmarc[9419]: E85322025F: gmail.com pass
> Aug 16 15:17:33 ujiji postfix/qmgr[9995]: E85322025F: from=<[email protected]>, size=1964, nrcpt=1 (queue active)
>
> Anyone have any thoughts? It seems as though the milters are getting the
> message before the policy daemon, and yet the logs would appear to say
> otherwise (and they should get it after).
>
> Any guidance would be greatly appreciated.
>
> Best regards,
> -nic
> --
> Nic Bernstein                             [email protected]
> Onlight, Inc.                             www.onlight.com
> 219 N. Milwaukee St., Suite 2a            v. 414.272.4477
> Milwaukee, Wisconsin  53202
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well terms
> (http://www.dmarc.org/note_well.html)
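Added example, not part of either message and not code from OpenDMARC or pypolicyd-spf: a Python check that parses one message's Authentication-Results headers and the matching history-file record, and reports when a header carries an SPF result while the record has spf -1. The sample input is constructed from values quoted in the thread; reading "spf -1" as "no SPF result recorded" and taking the job id from the suffix of the dmarc authserv-id are assumptions based on that sample.

```python
import re

# Constructed sample, trimmed from the history record and headers quoted in the thread.
HISTORY = "job E85322025F\nmfrom gmail.com\ndkim gmail.com 0\nspf -1\n"
AR_HEADERS = [
    "smtp.onlight.com; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com"
    " (client-ip=209.85.212.68; helo=mail-vb0-f68.google.com)",
    'smtp.onlight.com; dkim=pass reason="2048-bit key; insecure key"'
    " header.d=gmail.com; dkim-adsp=pass; dkim-atps=neutral",
    "ujiji.onlight.com/E85322025F; dmarc=pass header.from=gmail.com",
]

def ar_methods(value):
    """Return (authserv_id, {method: result}) for one Authentication-Results value."""
    value = re.sub(r"\([^()]*\)", " ", value)  # comments may hold ';' (nesting not handled)
    value = re.sub(r'"[^"]*"', '""', value)    # so may quoted strings
    authserv, *resinfo = [p.strip() for p in value.split(";")]
    found = {}
    for part in resinfo:
        m = re.match(r"([A-Za-z0-9-]+)\s*=\s*([A-Za-z]+)", part)
        if m:
            found[m.group(1).lower()] = m.group(2).lower()
    return authserv, found

def history_jobs(text):
    """Map job id -> {field: [values]} for an OpenDMARC history file."""
    jobs, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")
        if key == "job":
            cur = jobs.setdefault(val, {})
        elif key and cur is not None:
            cur.setdefault(key, []).append(val.strip())
    return jobs

def check_message(ar_values, history_text):
    """Compare the SPF result in the headers with the job's history record."""
    header_spf, job = None, None
    for authserv, found in map(ar_methods, ar_values):
        header_spf = found.get("spf", header_spf)
        if "dmarc" in found and "/" in authserv:
            job = authserv.rsplit("/", 1)[1]  # queue id suffix, as in the thread
    hist_spf = history_jobs(history_text).get(job, {}).get("spf", [None])[0]
    # Assumption: "spf -1" means no SPF result was recorded, as the thread reads it.
    return {"job": job, "header_spf": header_spf, "history_spf": hist_spf,
            "mismatch": header_spf is not None and hist_spf == "-1"}
```

Calling check_message(AR_HEADERS, HISTORY) on the constructed sample reports a mismatch for job E85322025F, which is the symptom described in the quoted message.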
