On Wed, 31 Jan 2018 07:43:17 +0000 (UTC) Dominic Raferd <domi...@timedicer.co.uk> wrote:
> On 31 January 2018 at 03:44, li...@lazygranch.com
> <li...@lazygranch.com> wrote:
> > On Tue, 30 Jan 2018 10:50:18 +0000
> > Dominic Raferd <domi...@timedicer.co.uk> wrote:
> >
> >> On 30 January 2018 at 10:11, li...@lazygranch.com
> >> <li...@lazygranch.com> wrote:
> >> > I've installed the opendmarc milter. I'm not rejecting mail from it at the moment. I've noticed that if I send myself a message, the policyd-spf milter isn't run. That in turn causes mail I send myself to fail in opendmarc. Any ideas?
> >> >
> >> > The various email verifiers do show that my email passes spf.
> >> >
> >> > It is easy enough just to whitelist your own domains from opendmarc, but that would allow spoofed email to get through.
> >>
> >> Which version of opendmarc? (opendmarc -V) If you have 1.3.2+ you can use opendmarc's own spf instead (SPFSelfValidate True) - not reliable for earlier versions though.
> >>
> >> Anyway, in general:
> >>
> >> /etc/opendmarc.conf:
> >> ...
> >> IgnoreAuthenticatedClients true
> >> IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
> >> ...
> >>
> >> /etc/opendkim.conf:
> >> ...
> >> InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
> >> ...
> >>
> >> /etc/postfix/opendmarc-ignorehosts.txt
> >> # emails from localhost are not authenticated but should be signed by opendkim and not tested by opendmarc
> >> 127.0.0.1
> >> # similarly any ips from which we accept unauthenticated originating emails (e.g. lan, or none)
> >
> >
> > opendmarc: OpenDMARC Filter v1.3.2
> > SMFI_VERSION 0x1000001
> > libmilter version 1.0.1
> > Active code options:
> > WITH_SPF
> > WITH_SPF2
> >
> > I suppose it is dumb to check spf if authenticated, but then again dkim is checked.
> >
> > I will work on the bypasses as suggested. I kind of like the python-policyd-spf since...well...it is working. (Something that works is something I don't like to change.)
> >
> > Still I wonder what part of the email food chain determines that spf wasn't needed. I commented out the local reference in python-policyd-spf, but that didn't change anything.
> >
> > Lots of spam gets marked as fail in opendmarc. I can't wait to start "trusting" it.
>
> It shouldn't be a problem to continue using python-policyd-spf. You would expect it to give a fail when testing mail from authenticated clients. Opendkim needs to run in such cases not to test them but to add the dkim header.
>
> I use opendmarc (obvs) but I have to say I don't see it blocking many emails. Looking at my records over a few months: 38000 mails came through of which 50 were rejected by opendmarc and 30 quarantined. Of those 80, 34 appear to have come via mailing lists (including postfix.org) so may just reflect senders using the mailing list but with incompatible dmarc settings on their domain. The reality is that comparatively few domains are set up with dmarc and with p=reject (or p=quarantine). If you see a large number of opendmarc fails (in opendmarc log: action!=2) then I fear there is something wrong with your setup.
>
> Here is my entire opendmarc.conf:
>
> PidFile /var/run/opendmarc/opendmarc.pid
> RejectFailures true
> Syslog true
> UMask 0002
> UserID opendmarc:opendmarc
> PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
> IgnoreAuthenticatedClients true
> AuthservID myauthserv.tld
> AuthservIDWithJobID yes
> IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
> Socket inet:8893@localhost
> HistoryFile /var/tmp/opendmarc.log
> RecordAllMessages True
> # ignore any external spf results
> SPFIgnoreResults True
> # use internal spf checker
> SPFSelfValidate True
>
> and the matching /etc/opendkim.conf:
>
> Syslog yes
> SyslogSuccess yes
> UMask 0002
> Canonicalization relaxed/relaxed
> OversignHeaders From
> InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
> Domain mydomain1.tld,mydomain2.tld,mydomain3.tld
> KeyFile /etc/mail/dkim.key
> Selector mail
> Statistics /tmp/dkim-stats
> AuthservID myauthserv.tld
> AlwaysAddARHeader yes
>
> I used postfix-policyd-spf-python until recently and these were my settings in /etc/postfix-policyd-spf-python/policyd-spf.conf:
> defaultSeedOnly = 1
> HELO_reject = False
> Mail_From_reject = False
> skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
> # whitelist allows lan clients
> Whitelist = 192.168.100.0/23
> # not sure if Header_Type needs to be AR but it makes headers more consistent (default is SPF)
> Header_Type = AR
> # authserv_id must match the setting in opendmarc.conf
> Authserv_Id = myauthserv.tld

I'm at a loss on the HELO_reject = False. Why wouldn't you use the default "fail"? Reading some chatter on the opendmarc forum, they suggested HEADER_Type = AR as you have done, but I don't understand the Authserv_Id field. I don't think opendmarc has an issue reading the spf format. I did re-read the policyd-spf.conf and decided to do whitelisting here rather than in opendmarc. I get email from pobox.com, which always fails.
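The following is an added example, not part of the thread and not opendmarc's or policyd-spf's code. It is a small Python model of the part of DMARC verification the thread keeps circling back to: a verifier only trusts Authentication-Results headers whose authserv-id equals its own configured AuthservID (which is why Authserv_Id in policyd-spf.conf has to match AuthservID in opendmarc.conf), and it then tests the passing SPF and DKIM identifiers for relaxed alignment with the From: domain. The sample messages are constructed; myauthserv.tld and mydomain1.tld are the placeholder names from the thread; the lists.example.org mailing-list sample, the "last two labels" organizational-domain shortcut (real opendmarc uses the Public Suffix List) and the absence of any DNS policy lookup are simplifications of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Must equal AuthservID in opendmarc.conf (and Authserv_Id in policyd-spf.conf);
# results stamped under any other authserv-id are ignored as untrusted.
TRUSTED_AUTHSERV_ID = "myauthserv.tld"

# Constructed sample: a self-sent message from an authenticated client after
# policyd-spf (Header_Type = AR) and opendkim stamped it. The third header is
# a forged one carried in from outside and must not be trusted.
SAMPLE_SELF_SENT = """\
Authentication-Results: myauthserv.tld; spf=pass (sender SPF authorized) smtp.mailfrom=mydomain1.tld
Authentication-Results: myauthserv.tld; dkim=pass header.d=mydomain1.tld
Authentication-Results: evil.example; dkim=pass header.d=mydomain1.tld
From: Someone <someone@mydomain1.tld>
To: someone@mydomain1.tld
Subject: test

body
"""

# Constructed sample: the same author relayed through a mailing list. SPF
# passes for the list's bounce domain but does not align with From:, and the
# list broke the DKIM signature, so DMARC fails (the mailing-list case above).
SAMPLE_VIA_LIST = """\
Authentication-Results: myauthserv.tld; spf=pass smtp.mailfrom=bounces@lists.example.org
Authentication-Results: myauthserv.tld; dkim=fail header.d=mydomain1.tld
From: Someone <someone@mydomain1.tld>
To: list@lists.example.org
Subject: test

body
"""


def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv-id, results),
    where results is a list of (method, result, properties) tuples."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, []
    authserv_id = parts[0].split()[0]  # drop an optional version token
    results = []
    for clause in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", clause)
        if not m:  # e.g. a bare "none"
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        props = dict(re.findall(r"([\w.]+)=([\w.@-]+)", clause[m.end():]))
        results.append((method, result, props))
    return authserv_id, results


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    (Simplification: opendmarc consults PublicSuffixList instead.)"""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """DMARC identifier alignment: exact match in strict mode, shared
    organizational domain in relaxed mode (the default)."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(raw_message, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Evaluate DMARC alignment from trusted Authentication-Results headers.
    No DNS lookup is done; a policy is assumed to exist for the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf_aligned = dkim_aligned = False
    ignored = 0
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(hdr)
        if authserv_id != trusted_authserv_id:
            ignored += 1  # foreign or forged header: not our milters' verdict
            continue
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "spf" and "smtp.mailfrom" in props:
                mailfrom_domain = props["smtp.mailfrom"].rpartition("@")[2]
                spf_aligned |= aligned(mailfrom_domain, from_domain)
            elif method == "dkim" and "header.d" in props:
                dkim_aligned |= aligned(props["header.d"], from_domain)
    return {
        "from_domain": from_domain,
        "spf_aligned_pass": spf_aligned,
        "dkim_aligned_pass": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "ignored_headers": ignored,
    }


if __name__ == "__main__":
    print("self-sent:", dmarc_evaluate(SAMPLE_SELF_SENT))
    print("via list: ", dmarc_evaluate(SAMPLE_VIA_LIST))
    # With a mismatched authserv-id every header is ignored and DMARC fails,
    # which is what a wrong Authserv_Id in policyd-spf.conf looks like.
    print("wrong id: ", dmarc_evaluate(SAMPLE_SELF_SENT, "other.tld"))
```

Running the block shows the self-sent message passing on both aligned SPF and aligned DKIM while the forged evil.example header is counted as ignored; the mailing-list message fails because the only passing identifier (the list's bounce domain) does not align with From:; and evaluating with a different authserv-id makes every header untrusted, which is the failure mode a mismatched Authserv_Id produces.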