opedmarc and opendkim


opedmarc and opendkim

Maurizio Caloro-2

After integrating TLS 1.2 and 1.3, this is now hopefully the last point I will watch…

Please, why do I receive the following fail from Caloro.ch (that’s me)?

Mar 31 nmail opendkim[12519]: 7E66B40237: no signing table match for '[hidden email]'
Mar 31 nmail opendkim[12519]: 7E66B40237: no signature data
Mar 31 nmail opendmarc[1380]: 7E66B40237: SPF(mailfrom): [hidden email] fail
Mar 31 nmail opendmarc[1380]: 7E66B40237: caloro.ch fail

All other domains will be “pass”:

Mar 31 nmail opendkim[12519]: BCF4840237: mout-xforward.gmx.net [82.165.159.12] not internal
Mar 31 nmail opendkim[12519]: BCF4840237: not authenticated
Mar 31 nmail opendkim[12519]: BCF4840237: DKIM verification successful
Mar 31 nmail opendkim[12519]: BCF4840237: s=selector1 d=hotmail.com SSL
Mar 31 nmail opendmarc[1380]: BCF4840237: SPF(mailfrom): [hidden email] pass
Mar 31 nmail opendmarc[1380]: BCF4840237: hotmail.com pass

# cat /etc/opendmarc.conf
AuthservID nmail.caloro.ch caloro.ch
PidFile /run/opendmarc/opendmarc.pid
RejectFailures false
Syslog true
SyslogFacility mail
TrustedAuthservIDs nmail.caloro.ch
UMask 0002
UserID opendmarc:postfix
Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
SPFIgnoreResults true
SPFSelfValidate true
RequiredHeaders true
PublicSuffixList /usr/share/publicsuffix/
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/spool/postfix/opendmarc/opendmarc.dat
SoftwareHeader true

Regards

Mauri
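As a defender-side illustration of how to triage log output like the lines quoted above, the following Python (an added example, not code from this thread or from the OpenDMARC project) groups opendkim and opendmarc syslog lines by Postfix queue ID and reports why a message ended with a DMARC "fail". The sample log is constructed in the shape of the post's output (timestamps and addresses are placeholders); the message strings it recognises are only the ones visible on this page, and any other line is kept as an unparsed note.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the opendkim/opendmarc syslog lines quoted
# in the post. Addresses, times and the queue IDs' pairing are placeholders.
SAMPLE_LOG = """\
Mar 31 10:02:11 nmail opendkim[12519]: 7E66B40237: no signing table match for 'user@caloro.ch'
Mar 31 10:02:11 nmail opendkim[12519]: 7E66B40237: no signature data
Mar 31 10:02:11 nmail opendmarc[1380]: 7E66B40237: SPF(mailfrom): user@caloro.ch fail
Mar 31 10:02:11 nmail opendmarc[1380]: 7E66B40237: caloro.ch fail
Mar 31 10:05:40 nmail opendkim[12519]: BCF4840237: mout-xforward.gmx.net [82.165.159.12] not internal
Mar 31 10:05:40 nmail opendkim[12519]: BCF4840237: not authenticated
Mar 31 10:05:40 nmail opendkim[12519]: BCF4840237: DKIM verification successful
Mar 31 10:05:40 nmail opendkim[12519]: BCF4840237: s=selector1 d=hotmail.com SSL
Mar 31 10:05:40 nmail opendmarc[1380]: BCF4840237: SPF(mailfrom): user@hotmail.com pass
Mar 31 10:05:40 nmail opendmarc[1380]: BCF4840237: hotmail.com pass
"""

# syslog prefix, program name, Postfix queue ID, then the milter's message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>opendkim|opendmarc)\[\d+\]: "
    r"(?P<qid>[0-9A-Fa-f]+): (?P<msg>.*)$"
)
SPF_RE = re.compile(
    r"^SPF\(mailfrom\): (?P<addr>\S+) "
    r"(?P<result>pass|fail|softfail|neutral|none|temperror|permerror)$"
)
# opendmarc's final per-message line: "<organizational domain> pass|fail"
DMARC_RE = re.compile(r"^(?P<domain>[\w.-]+) (?P<result>pass|fail)$")


def _new_record():
    return {"dkim": "none", "dkim_domain": None, "spf": None,
            "dmarc_domain": None, "dmarc": None, "signing_gap": False, "notes": []}


def parse_lines(text):
    """Group opendkim/opendmarc lines by queue ID into per-message verdicts."""
    msgs = defaultdict(_new_record)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, msg = msgs[m["qid"].upper()], m["msg"]
        if m["prog"] == "opendkim":
            if msg.startswith("no signing table match for"):
                # opendkim had no SigningTable entry for the sender, so it did not sign
                rec["signing_gap"] = True
            elif msg == "no signature data":
                rec["dkim"] = "none"
            elif msg == "DKIM verification successful":
                rec["dkim"] = "pass"
            elif msg.startswith("s=") and " d=" in msg:
                rec["dkim_domain"] = re.search(r"\bd=(\S+)", msg).group(1)
            else:
                rec["notes"].append(msg)
        else:  # opendmarc
            spf = SPF_RE.match(msg)
            dmarc = DMARC_RE.match(msg)
            if spf:
                rec["spf"] = spf["result"]
            elif dmarc:
                rec["dmarc_domain"], rec["dmarc"] = dmarc["domain"], dmarc["result"]
            else:
                rec["notes"].append(msg)
    return dict(msgs)


def triage(msgs):
    """Return (queue_id, domain, reasons) for every message that failed DMARC."""
    findings = []
    for qid, r in sorted(msgs.items()):
        if r["dmarc"] != "fail":
            continue
        reasons = []
        if r["spf"] == "fail":
            reasons.append("SPF fail")
        if r["dkim"] != "pass":
            reasons.append("no valid DKIM signature")
        if r["signing_gap"]:
            reasons.append("opendkim did not sign (no SigningTable match)")
        findings.append((qid, r["dmarc_domain"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for qid, domain, why in triage(parse_lines(SAMPLE_LOG)):
        print(f"{qid} {domain}: {why}")
```

Run against a real mail log, the same grouping shows at a glance whether a domain's failures come from unsigned outbound mail (the "no signing table match" case) or from messages that simply arrived with a failing SPF and no DKIM signature.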


Re: opedmarc and opendkim

Benny Pedersen-2
On 2021-03-31 17:51, Maurizio Caloro wrote:

> SPFIgnoreResults true
> SPFSelfValidate true

set both to false

and don't use libspf2

problem is your setup used Sender-ID, which is long deprecated

Re: opedmarc and opendkim

Dan Mahoney (Gushi)
Why would you advise not using libspf2?

Sent from my iPad

> On Mar 31, 2021, at 09:01, Benny Pedersen <[hidden email]> wrote:
>
> On 2021-03-31 17:51, Maurizio Caloro wrote:
>
>> SPFIgnoreResults true
>> SPFSelfValidate true
>
> set both to false
>
> and don't use libspf2
>
> problem is your setup used Sender-ID, which is long deprecated


Re: opedmarc and opendkim

Benny Pedersen-2
On 2021-03-31 18:21, Dan Mahoney wrote:

>> problem is your setup used Sender-ID, which is long deprecated
> Why would you advise not using libspf2?

at least not in opendmarc, sid-milter is imho fine

but it builds in both cases of deprecated Sender-ID

Re: opedmarc and opendkim

Dominic Raferd
On 31/03/2021 17:29, Benny Pedersen wrote:
> On 2021-03-31 18:21, Dan Mahoney wrote:
>
>>> problem is your setup used Sender-ID, which is long deprecated
>> Why would you advise not using libspf2?
> at least not in opendmarc, sid-milter is imho fine
>
> but it builds in both cases of deprecated Sender-ID

opendmarc's internal spf checking with libspf2 works fine with versions
1.3.2 or higher, so you don't need to use an external spf checker
(unless you want such for another purpose).


Re: opedmarc and opendkim

Benny Pedersen-2
On 2021-03-31 18:33, Dominic Raferd wrote:

> On 31/03/2021 17:29, Benny Pedersen wrote:
>> On 2021-03-31 18:21, Dan Mahoney wrote:
>>
>>>> problem is your setup used Sender-ID, which is long deprecated
>>> Why would you advise not using libspf2?
>> at least not in opendmarc, sid-milter is imho fine
>>
>> but it builds in both cases of deprecated Sender-ID
>
> opendmarc's internal spf checking with libspf2 works fine with
> versions 1.3.2 or higher, so you don't need to use an external spf
> checker (unless you want such for another purpose).

pypolicyd-spf uses imho another RFC, which is not yet in libspf2 or
opendmarc?

Re: opedmarc and opendkim

David Bürgin
Dominic Raferd:

> On 31/03/2021 17:29, Benny Pedersen wrote:
>> On 2021-03-31 18:21, Dan Mahoney wrote:
>>
>>>> problem is your setup used Sender-ID, which is long deprecated
>>> Why would you advise not using libspf2?
>> at least not in opendmarc, sid-milter is imho fine
>>
>> but it builds in both cases of deprecated Sender-ID
>
> opendmarc's internal spf checking with libspf2 works fine with versions 1.3.2 or higher, so you don't need to use an external spf checker (unless you want such for another purpose).

Yeah, I found libspf2 as used in OpenDMARC to be reliable enough. But
it’s true that it was written for now obsolete RFC 4408. For example,
the ‘void lookup limit’ is not implemented in libspf2.

(I now use my own SPF Milter, which implements RFC 7208. Here for those
interested: https://gitlab.com/glts/spf-milter)

Re: opedmarc and opendkim

Dan Mahoney (Gushi)


> On Mar 31, 2021, at 1:09 PM, David Bürgin <[hidden email]> wrote:
>
> Dominic Raferd:
>> On 31/03/2021 17:29, Benny Pedersen wrote:
>>> On 2021-03-31 18:21, Dan Mahoney wrote:
>>>
>>>>> problem is your setup used Sender-ID, which is long deprecated
>>>> Why would you advise not using libspf2?
>>> at least not in opendmarc, sid-milter is imho fine
>>>
>>> but it builds in both cases of deprecated Sender-ID
>> opendmarc's internal spf checking with libspf2 works fine with versions 1.3.2 or higher, so you don't need to use an external spf checker (unless you want such for another purpose).
>
> Yeah, I found libspf2 as used in OpenDMARC to be reliable enough. But
> it’s true that it was written for now obsolete RFC 4408. For example,
> the ‘void lookup limit’ is not implemented in libspf2.

To be clear, that’s a SHOULD, RECOMMENDED implementation detail, not a MUST.

That said, yeah it would be nice if LibSPF2 were updated to reflect the most recent RFC.

In OpenDMARC, we’re generally recommending that everyone use LibSPF2 (or something else) and not rely on the inbuilt SPF libs (and may even rip them out at some point), but we don’t want to do that between a 1.4.0 and a 1.4.1 release.  There’s also been a CVE raised because pypolicyd trusts the HELO string, which causes opendmarc to return a false pass.

I’m the FreeBSD port maintainer for opendmarc — if someone hasn’t packaged your milter for FreeBSD, we should talk.

-Dan
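David's and Dan's posts above turn on the "void lookup limit" that RFC 7208 (section 4.6.4) recommends and that libspf2, written against RFC 4408, does not implement. The Python below is an added example (not code from this thread, from libspf2 or from OpenDMARC) of a minimal SPF check_host() evaluator over a constructed in-memory DNS table; it enforces the 10-term DNS lookup limit that both RFCs share and, optionally, the RFC 7208 limit of two void lookups, so the same record can be evaluated both ways. It supports only the ip4, ip6, a, mx, include and all mechanisms and the redirect modifier (no macros, exists, ptr or CIDR suffixes on a/mx), and the domain names in the table are documentation names, not real ones.

```python
import ipaddress

MAX_LOOKUP_TERMS = 10   # RFC 4408 s10.1 and RFC 7208 s4.6.4: DNS-querying terms per check
MAX_VOID_LOOKUPS = 2    # RFC 7208 s4.6.4 only: terms whose query returns NXDOMAIN or no data
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Record cannot be evaluated; check_host() maps this to 'permerror'."""


class SpfEvaluator:
    """Evaluates an SPF subset (ip4, ip6, a, mx, include, all, redirect=) against
    an in-memory DNS table {(name, rtype): [answers]}. void_limit=None disables
    the RFC 7208 void-lookup check, which is the RFC 4408 behaviour."""

    def __init__(self, dns_table, void_limit=MAX_VOID_LOOKUPS):
        self.dns, self.void_limit = dns_table, void_limit
        self.lookup_terms = 0
        self.void_lookups = 0

    def _query(self, name, rtype):
        return self.dns.get((name.lower(), rtype), [])

    def _term_query(self, name, rtype):
        # One DNS-querying term: count it against the 10-term limit, and count
        # it as "void" when the answer is empty (NXDOMAIN or zero answers).
        self.lookup_terms += 1
        if self.lookup_terms > MAX_LOOKUP_TERMS:
            raise PermError("more than %d DNS-querying terms" % MAX_LOOKUP_TERMS)
        answers = self._query(name, rtype)
        if not answers:
            self.void_lookups += 1
            if self.void_limit is not None and self.void_lookups > self.void_limit:
                raise PermError("more than %d void lookups" % self.void_limit)
        return answers

    def _host_has_ip(self, name, ip, counted):
        rtype = "A" if ip.version == 4 else "AAAA"
        answers = self._term_query(name, rtype) if counted else self._query(name, rtype)
        return any(ipaddress.ip_address(a) == ip for a in answers)

    def evaluate(self, domain, ip, counted=False):
        # The TXT fetch for the initial domain is free; include/redirect targets count.
        txt = self._term_query(domain, "TXT") if counted else self._query(domain, "TXT")
        records = [t for t in txt if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
        if not records:
            return "none"
        if len(records) > 1:
            raise PermError("multiple SPF records for " + domain)
        redirect = None
        for term in records[0].split()[1:]:
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
                continue
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech = mech.lower()
            if mech == "all":
                return QUALIFIERS[qualifier]
            if mech in ("ip4", "ip6"):
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            elif mech == "a":
                if self._host_has_ip(arg or domain, ip, counted=True):
                    return QUALIFIERS[qualifier]
            elif mech == "mx":
                mx_hosts = self._term_query(arg or domain, "MX")
                if len(mx_hosts) > 10:                       # RFC 7208 s4.6.4
                    raise PermError("more than 10 MX names")
                # A/AAAA lookups for the MX hosts do not count as separate terms
                if any(self._host_has_ip(h, ip, counted=False) for h in mx_hosts):
                    return QUALIFIERS[qualifier]
            elif mech == "include":
                sub = self.evaluate(arg, ip, counted=True)
                if sub == "pass":
                    return QUALIFIERS[qualifier]
                if sub == "none":
                    raise PermError("include of %s: no SPF record" % arg)
                # fail/softfail/neutral from the included record: no match, continue
            else:
                raise PermError("unsupported mechanism " + mech)
        if redirect:
            result = self.evaluate(redirect, ip, counted=True)
            if result == "none":
                raise PermError("redirect to %s: no SPF record" % redirect)
            return result
        return "neutral"


def check_host(dns_table, ip, domain, void_limit=MAX_VOID_LOOKUPS):
    """Return (result, DNS-querying terms used, void lookups seen)."""
    ev = SpfEvaluator(dns_table, void_limit)
    try:
        result = ev.evaluate(domain, ipaddress.ip_address(ip))
    except (PermError, ValueError):
        result = "permerror"
    return result, ev.lookup_terms, ev.void_lookups


# Constructed zone data using documentation names (nothing here is a real domain).
ZONE = {
    ("example.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mail.test -all"],
    ("example.test", "MX"): ["mx1.example.test"],
    ("mx1.example.test", "A"): ["198.51.100.25"],
    ("_spf.mail.test", "TXT"): ["v=spf1 a:relay.mail.test -all"],
    ("relay.mail.test", "A"): ["203.0.113.7"],
    # two dangling names stay within the void limit; three exceed it under RFC 7208
    ("twovoid.test", "TXT"): ["v=spf1 a:gone1.test a:gone2.test -all"],
    ("threevoid.test", "TXT"): ["v=spf1 a:gone1.test a:gone2.test a:gone3.test -all"],
    # self-referencing include: stopped by the 10-term limit that both RFCs share
    ("loop.test", "TXT"): ["v=spf1 include:loop.test -all"],
}

if __name__ == "__main__":
    print(check_host(ZONE, "203.0.113.7", "example.test"))
    print(check_host(ZONE, "192.0.2.1", "threevoid.test"))                  # RFC 7208
    print(check_host(ZONE, "192.0.2.1", "threevoid.test", void_limit=None))  # RFC 4408 style
```

The threevoid.test record is the case the two posts are about: with the RFC 7208 limit the third missing name turns the result into permerror, whereas an RFC 4408 style evaluator (void_limit=None) keeps resolving dangling names and ends with a plain fail. The loop.test record shows that the 10-term limit, which libspf2 does implement, is what stops runaway includes regardless of the void rule.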