On 31 January 2018 at 03:44, [email protected] <[email protected]> wrote:
> On Tue, 30 Jan 2018 10:50:18 +0000
> Dominic Raferd <[email protected]> wrote:
>
>> On 30 January 2018 at 10:11, [email protected]
>> <[email protected]> wrote:
>> > I've installed the opendmarc milter. I'm not rejecting mail from it
>> > at the moment. I've noticed that if I send myself a message, the
>> > policyd-spf milter isn't run. That in turn causes mail I send
>> > myself to fail in opendmarc. Any ideas?
>> >
>> > The various email verifiers do show that my email passes spf.
>> >
>> > It is easy enough just to whitelist your own domains from opendmarc,
>> > but that would allow spoofed email to get through.
>>
>> Which version of opendmarc? (opendmarc -V) If you have 1.3.2+ you can
>> use opendmarc's own spf instead (SPFSelfValidate True) - not reliable
>> for earlier versions though.
>>
>> Anyway, in general:
>>
>> /etc/opendmarc.conf:
>> ...
>> IgnoreAuthenticatedClients true
>> IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
>> ...
>>
>> /etc/opendkim.conf:
>> ...
>> InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
>> ...
>>
>> /etc/postfix/opendmarc-ignorehosts.txt
>> # emails from localhost are not authenticated but should be signed by
>> opendkim and not tested by opendmarc
>> 127.0.0.1
>> # similarly any ips from which we accept unauthenticated originating
>> emails (e.g. lan, or none)
>
>
> opendmarc: OpenDMARC Filter v1.3.2
> SMFI_VERSION 0x1000001
> libmilter version 1.0.1
> Active code options:
> WITH_SPF
> WITH_SPF2
>
> I suppose it is dumb to check spf if authenticated, but then again dkim
> is checked.
>
> I will work on the bypasses as suggested. I kind of like the
> python-policyd-spf since...well...it is working. (Something that works
> is something I don't like to change.)
>
> Still I wonder what part of the email food chain determines that spf
> wasn't needed. I commented out the local reference in
> python-policyd-spf, but that didn't change anything.
>
> Lots of spam gets marked as fail in opendmarc. I can't wait to start
> "trusting" it.
It shouldn't be a problem to continue using python-policyd-spf. You would expect it to give a fail when testing mail from authenticated clients. Opendkim needs to run in such cases not to test them but to add the dkim header.

I use opendmarc (obvs) but I have to say I don't see it blocking many emails. Looking at my records over a few months: 38000 mails came through of which 50 were rejected by opendmarc and 30 quarantined. Of those 80, 34 appear to have come via mailing lists (including postfix.org) so may just reflect senders using the mailing list but with incompatible dmarc settings on their domain. The reality is that comparatively few domains are set up with dmarc and with p=reject (or p=quarantine). If you see a large number of opendmarc fails (in opendmarc log: action!=2) then I fear there is something wrong with your setup.

Here is my entire opendmarc.conf:

PidFile /var/run/opendmarc/opendmarc.pid
RejectFailures true
Syslog true
UMask 0002
UserID opendmarc:opendmarc
PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
IgnoreAuthenticatedClients true
AuthservID myauthserv.tld
AuthservIDWithJobID yes
IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
Socket inet:8893@localhost
HistoryFile /var/tmp/opendmarc.log
RecordAllMessages True
# ignore any external spf results
SPFIgnoreResults True
# use internal spf checker
SPFSelfValidate True

and the matching /etc/opendkim.conf:

Syslog yes
SyslogSuccess yes
UMask 0002
Canonicalization relaxed/relaxed
OversignHeaders From
InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
Domain mydomain1.tld,mydomain2.tld,mydomain3.tld
KeyFile /etc/mail/dkim.key
Selector mail
Statistics /tmp/dkim-stats
AuthservID myauthserv.tld
AlwaysAddARHeader yes

I used postfix-policyd-spf-python until recently and these were my settings in /etc/postfix-policyd-spf-python/policyd-spf.conf:

defaultSeedOnly = 1
HELO_reject = False
Mail_From_reject = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
# whitelist allows lan clients
Whitelist = 192.168.100.0/23
# not sure if Header_Type needs to be AR but it makes headers more consistent (default is SPF)
Header_Type = AR
# authserv_id must match the setting in opendmarc.conf
Authserv_Id = myauthserv.tld
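An added illustration of the "action!=2" check from the reply above (not code from the thread or from the OpenDMARC project): a small parser that tallies outcomes from the HistoryFile configured in opendmarc.conf, so a sudden rise in non-accept actions can be spotted before RejectFailures is turned on. It assumes the history file holds one "key value" pair per line with each record starting at a "job" line, and that the action codes follow libopendmarc's DMARC_RESULT_* values (0 reject, 1 discard, 2 accept, 3 tempfail, 4 quarantine); the sample records are constructed.

```python
"""Count OpenDMARC HistoryFile outcomes (added example, not from the thread).
Assumed: one "key value" pair per line, each record starts with a "job" line,
and "action" uses libopendmarc's DMARC_RESULT_* codes
(0 reject, 1 discard, 2 accept, 3 tempfail, 4 quarantine)."""
from collections import Counter

ACTION_NAMES = {0: "reject", 1: "discard", 2: "accept", 3: "tempfail", 4: "quarantine"}
ACCEPT = 2  # the thread's "action!=2" means anything but this

# Constructed sample in the assumed layout, trimmed to the fields used here.
SAMPLE_HISTORY = """\
job 3A1B2C3D4E
ipaddr 203.0.113.10
from example.org
action 2
job 3A1B2C3D4F
ipaddr 198.51.100.7
from example.net
action 0
job 3A1B2C3D50
ipaddr 192.0.2.44
from example.com
action 4
job 3A1B2C3D51
ipaddr 192.0.2.45
"""

def parse_records(text):
    """One dict per 'job' record; lines before the first 'job' are ignored."""
    records, current = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "job":
            current = {"job": value}
            records.append(current)
        elif key and current is not None:
            current[key] = value
    return records

def summarize(text):
    """Return (Counter of action names, [(from, ipaddr, action)] for non-accepts);
    a record with no 'action' line yet (still being written) counts as unknown."""
    counts, failures = Counter(), []
    for rec in parse_records(text):
        action = int(rec.get("action", -1))
        name = ACTION_NAMES.get(action, "unknown")
        counts[name] += 1
        if action != ACCEPT:
            failures.append((rec.get("from", "?"), rec.get("ipaddr", "?"), name))
    return counts, failures
```

Run it against the real HistoryFile path (/var/tmp/opendmarc.log in the config above) and compare the accept count with the non-accept list; with RecordAllMessages True every message, accepted or not, appears in the file.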
