After integrating TLS 1.2 and 1.3, now hopefully the last point I will watch...

Please, why do I receive the following fail from Caloro.ch (that’s me)?

Mar 31 nmail opendkim[12519]: 7E66B40237: no signing table match for '[hidden email]'
Mar 31 nmail opendkim[12519]: 7E66B40237: no signature data
Mar 31 nmail opendmarc[1380]: 7E66B40237: SPF(mailfrom): [hidden email] fail
Mar 31 nmail opendmarc[1380]: 7E66B40237: caloro.ch fail

All other domains will be “pass”:

Mar 31 nmail opendkim[12519]: BCF4840237: mout-xforward.gmx.net [82.165.159.12] not internal
Mar 31 nmail opendkim[12519]: BCF4840237: not authenticated
Mar 31 nmail opendkim[12519]: BCF4840237: DKIM verification successful
Mar 31 nmail opendkim[12519]: BCF4840237: s=selector1 d=hotmail.com SSL
Mar 31 nmail opendmarc[1380]: BCF4840237: SPF(mailfrom): [hidden email] pass
Mar 31 nmail opendmarc[1380]: BCF4840237: hotmail.com pass

# cat /etc/opendmarc.conf
AuthservID nmail.caloro.ch caloro.ch
PidFile /run/opendmarc/opendmarc.pid
RejectFailures false
Syslog true
SyslogFacility mail
TrustedAuthservIDs nmail.caloro.ch
UMask 0002
UserID opendmarc:postfix
Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
SPFIgnoreResults true
SPFSelfValidate true
RequiredHeaders true
PublicSuffixList /usr/share/publicsuffix/
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/spool/postfix/opendmarc/opendmarc.dat
SoftwareHeader true

Regards
Mauri
On 2021-03-31 17:51, Maurizio Caloro wrote:
> SPFIgnoreResults true
> SPFSelfValidate true

set both to false

and don't use libspf2

problem is your setup used Sender-ID, which is long time deprecated
Why would you advise not using libspf2?
Sent from my iPad

> On Mar 31, 2021, at 09:01, Benny Pedersen <[hidden email]> wrote:
>
> On 2021-03-31 17:51, Maurizio Caloro wrote:
>
>> SPFIgnoreResults true
>> SPFSelfValidate true
>
> set both to false
>
> and don't use libspf2
>
> problem is your setup used Sender-ID, which is long time deprecated
On 2021-03-31 18:21, Dan Mahoney wrote:
>> problem is your setup used Sender-ID, which is long time deprecated
> Why would you advise not using libspf2?

at least not in opendmarc, sid-milter is imho fine

but it builds in both cases of deprecated Sender-ID
On 31/03/2021 17:29, Benny Pedersen wrote:
> On 2021-03-31 18:21, Dan Mahoney wrote:
>
>>> problem is your setup used Sender-ID, which is long time deprecated
>> Why would you advise not using libspf2?
> at least not in opendmarc, sid-milter is imho fine
>
> but it builds in both cases of deprecated Sender-ID

opendmarc's internal spf checking with libspf2 works fine with versions 1.3.2 or higher, so you don't need to use an external spf checker (unless you want such for another purpose).
On 2021-03-31 18:33, Dominic Raferd wrote:
> On 31/03/2021 17:29, Benny Pedersen wrote:
>> On 2021-03-31 18:21, Dan Mahoney wrote:
>>
>>>> problem is your setup used Sender-ID, which is long time deprecated
>>> Why would you advise not using libspf2?
>> at least not in opendmarc, sid-milter is imho fine
>>
>> but it builds in both cases of deprecated Sender-ID
>
> opendmarc's internal spf checking with libspf2 works fine with
> versions 1.3.2 or higher, so you don't need to use an external spf
> checker (unless you want such for another purpose).

pypolicyd-spf uses imho another RFC which is not yet in libspf2 or opendmarc?
Dominic Raferd:
> On 31/03/2021 17:29, Benny Pedersen wrote:
>> On 2021-03-31 18:21, Dan Mahoney wrote:
>>
>>>> problem is your setup used Sender-ID, which is long time deprecated
>>> Why would you advise not using libspf2?
>> at least not in opendmarc, sid-milter is imho fine
>>
>> but it builds in both cases of deprecated Sender-ID
>
> opendmarc's internal spf checking with libspf2 works fine with versions 1.3.2 or higher, so you don't need to use an external spf checker (unless you want such for another purpose).

Yeah, I found libspf2 as used in OpenDMARC to be reliable enough. But it’s true that it was written for now obsolete RFC 4408. For example, the ‘void lookup limit’ is not implemented in libspf2.

(I now use my own SPF Milter, which implements RFC 7208. Here for those interested: https://gitlab.com/glts/spf-milter)
> On Mar 31, 2021, at 1:09 PM, David Bürgin <[hidden email]> wrote:
>
> Dominic Raferd:
>> On 31/03/2021 17:29, Benny Pedersen wrote:
>>> On 2021-03-31 18:21, Dan Mahoney wrote:
>>>
>>>>> problem is your setup used Sender-ID, which is long time deprecated
>>>> Why would you advise not using libspf2?
>>> at least not in opendmarc, sid-milter is imho fine
>>>
>>> but it builds in both cases of deprecated Sender-ID
>> opendmarc's internal spf checking with libspf2 works fine with versions 1.3.2 or higher, so you don't need to use an external spf checker (unless you want such for another purpose).
>
> Yeah, I found libspf2 as used in OpenDMARC to be reliable enough. But
> it’s true that it was written for now obsolete RFC 4408. For example,
> the ‘void lookup limit’ is not implemented in libspf2.

To be clear, that’s a SHOULD, RECOMMENDED implementation detail, not a MUST. That said, yeah it would be nice if LibSPF2 were updated to reflect the most recent RFC.

In OpenDMARC, we’re generally recommending that everyone use LibSPF2 (or something else) and not rely on the inbuilt SPF libs (and may even rip them out at some point), but we don’t want to do that between a 1.4.0 and a 1.4.1 release.

There’s also been a CVE raised because pypolicyd trusts the HELO string, which causes opendmarc to return a false pass.

I’m the FreeBSD port maintainer for opendmarc — if someone hasn’t packaged your milter for FreeBSD, we should talk.

-Dan
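
Added example, not part of any post in this thread and not code from libspf2, OpenDMARC or spf-milter: a reduced SPF evaluator showing how the RFC 7208 'void lookup limit' discussed above changes a result compared with a checker that does not enforce it. The DNS data, the domain names, the `check_host` parameters and the restriction to the `a`, `ip4` and `all` mechanisms are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS data for illustration (not real records).
TXT = {
    "ok.example": "v=spf1 a:mail.ok.example -all",
    "sloppy.example": "v=spf1 a:gone1.example a:gone2.example "
                      "a:gone3.example ip4:192.0.2.0/24 -all",
}
A = {"mail.ok.example": ["192.0.2.10"]}
ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Raised when a processing limit from RFC 7208 section 4.6.4 is hit."""


def check_host(ip, domain, void_limit=2, term_limit=10):
    """Evaluate a reduced SPF policy (a, ip4, all only).

    void_limit=None models a checker that does not enforce the void limit.
    """
    counts = {"terms": 0, "voids": 0}

    def lookup_a(name):
        counts["terms"] += 1
        if counts["terms"] > term_limit:
            raise PermError("too many DNS-querying terms")
        answer = A.get(name, [])  # empty list models NXDOMAIN or no data
        if not answer:
            counts["voids"] += 1
            if void_limit is not None and counts["voids"] > void_limit:
                raise PermError("void lookup limit exceeded")
        return answer

    if domain not in TXT:
        return "none"
    try:
        for term in TXT[domain].split()[1:]:
            if term.startswith("ip4:"):
                if ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:]):
                    return "pass"
            elif term.startswith("a:"):
                if ip in lookup_a(term[2:]):
                    return "pass"
            elif term.endswith("all"):
                return ALL_RESULT[term[0] if term[0] in ALL_RESULT else "+"]
    except PermError:
        return "permerror"
    return "neutral"
```

With the constructed `sloppy.example` policy, the third empty `a:` lookup ends evaluation with `permerror` under the default limit of two, while `void_limit=None` continues to the `ip4:` term and returns `pass`.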