pypolicyd-spf

Integration with opendmarc and postfix

Asked by Cristian Mammoli

Hi, I was trying to integrate pypolicyd-spf with postfix and opendmarc.

This is my configuration:
debugLevel = 1
defaultSeedOnly = 1

HELO_reject = False
Mail_From_reject = False

PermError_reject = False
TempError_Defer = False
Header_Type = AR
Authserv_Id = mail.bzone.it

skip_addresses = 127.0.0.0/8

master.cf line:
policyd-spf unix - n n - - spawn
     user=nobody argv=/usr/libexec/postfix/policyd-spf

main.cf:
smtpd_recipient_restrictions =
        ...
        check_policy_service unix:private/policyd-spf,
        ...

smtpd_milters = inet:localhost:8891,
                inet:localhost:8893,
                unix:/var/run/clamav/clamav-milter.sock,
                unix:/var/run/spamass-milter/postfix/sock

Where 8891 is opendkim milter and 8893 os opendmarc milter

Authentication-Results headers are correctly inserted:
Authentication-Results: mail.bzone.it; spf=pass (sender SPF authorized) smtp.mailfrom=apra.it (client-ip=89.97.236.28; helo=mail.apra.it; <email address hidden>; <email address hidden>)

But someway opendmarc always fails spf check according to the histoyfile...
job A81E914C021B
reporter mail.bzone.it
received 1395150648
ipaddr 89.97.236.28
from apra.it
mfrom apra.it
dkim apra.it 0
spf -1
pdomain apra.it
policy 15
rua -
pct 100
adkim 115
aspf 115
p 114
sp 114
align_dkim 4
align_spf 5
action 2

Environment:
Centos 6 x64
postfix 2.10
opendmarc 1.1.3
pypolicy-spf 1.2.3

Question information

Language:
English Edit question
Status:
Answered
For:
pypolicyd-spf Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Cristian Mammoli (cristian-mammoli) said : 		#1

Found out that a bug was preventing opendmarc to validate headers with smtp.mailfrom=<domain> like the ones that pypolicyd adds:

        Fix bug #58: The "smtp.mailfrom" part of an Authentication-Results
                field might contain only a domain name. Problem noted by Scott
                Kitterman.

Now i'm trying with opendmarc 1.2.0 and running the test from command line the spf check passes:

opendmarc -t test4 -v
opendmarc: test4: mlfi_eom() returned SMFIS_ACCEPT

job DEBUG-i
reporter DEBUG-j
received 1395749546
ipaddr 127.0.0.1
from apra.it
mfrom example.org
spf 0 <------
dkim apra.it 0
pdomain apra.it
policy 15
rua -
pct 100
adkim 115
aspf 115
p 114
sp 114
align_dkim 4
align_spf 4
action 2

However this does not work when the email il processed by postfix:
job 27B6114C01C6
reporter mail.bzone.it
received 1395749576
ipaddr 89.97.236.28
from apra.it
mfrom apra.it
dkim apra.it 0
spf -1 <---------
pdomain apra.it
policy 15
rua -

pct 100
adkim 115
aspf 115
p 114
sp 114
align_dkim 4
align_spf 5
action 2

Revision history for this message
Scott Kitterman (kitterman) said : 		#2

I see you started a discussion over on the opendmarc users list. I think that is a better place to continue as you have the policy server set upcorrectly.

Can you help with this problem?

Provide an answer of your own, or ask Cristian Mammoli for more information if necessary.

To post a message you must log in.