Re: [dmarc-discuss] newbie question about Source-IP

Thu, 28 Feb 2019 18:18:12 -0800 

Hi Patrick,
You've posted to dmarc-discuss, a list for discussion of the DMARC protocol and broad interoperability issues, however your question relates to the OpenDMARC implementation of DMARC. You're looking for the OpenDMARC forum <https://sourceforge.net/p/opendmarc/discussion/general/>. 

- Roland

------------------------------------------------------------------------

On 1/3/19 6:14 am, Patrick Proniewski via dmarc-discuss wrote:

Hello,

As a followup of my previous question, I would like to get some clarification 
about Source-IP (as shown in failure reports for example).
My setup is described below:


On 26 févr. 2019, at 19:03, Patrick Proniewski via dmarc-discuss 
<dmarc-discuss@dmarc.org> wrote:

Hello,

I'm running OpenDMARC for a couple of days now on my email server. It mostly 
runs ok, but I've just got some weird failure reports.
My setup:
I run Postfix and Amavisd-new as a before queue content filter.
Policyd-SFP checks SPF on the outer SMTP and add proper authentication header.
Amavis checks DKIM and add proper authentication header.
If the mail is acceptable, Amavis handle it to the inner SMTP.

OpenDMARC can't run on outer smtp in a BQCF setup, so it runs on the inner 
SMTP. Then it sees emails coming from 127.0.0.1, no big deal because it's setup 
to trust Policyd-SFP header.
Unfortunately it looks like it does not trust Amavis' DKIM header. But I'm not 
sure about that.

../..

Sample report:

-------------
Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.3.2
Auth-Failure: dmarc
Authentication-Results: my-server; dmarc=fail header.from=gmail.com
Original-Envelope-Id: 4F92A7FB1
Original-Mail-From: framalang-ow...@framalistes.org
Source-IP: 127.0.0.1 (localhost)
Reported-Domain: gmail.com
-------------


So, my setup impose that OpenDMARC sees only 127.0.0.1 as Source-IP. How can I 
be sure that it won't play against me? I can't understand the source code of 
OpenDMARC, so I can't be sure the verification process won't use that IP 
address, for example for SPF, even though SPFIgnoreResults is set to false.

Thanks
patrick
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)




_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)





















					Reply via email to