Re: Opendmarc in after-Amavis smtpd fails

Tue, 13 Apr 2021 03:04:35 -0700

I did not get any replies to the message below.  So I'm trying again, with a few additional details and questions added at the end. 

On 2021-04-04 15:13, I wrote:
I use postfix 3.4.14 (Debian Buster) with amavisd-new as a pre-queue filter (smtpd_proxy_filter). 


I use Amavis to generate and verify DKIM signatures, and 
policyd-spf-python to preform SPF checks.



This works fine.  But now I would like to add DMARC verification. 
Since DMARC needs the DKIM result from Amavis, my plan was to use the 
opendmarc milter in the after-Amavis smtpd instance.



But this does not seem to work.  Opendmarc logs "ignoring connection 
from localhost" and seems to do nothing.



The after-Amavis smtpd listens at port 10028; opendmarc listens at 
port 10030.


I have placed configuration information and tcpdump examples at
    https://www.dybdal.dk/opendmarc-problem/


I have verified with tcpdump that Amavis does provide an XFORWARD 
command to the after-Amavis smtpd.
I have verified with tcpdump that the after-Amavis smtpd does connect 
to opendmarc and that they have a (very short) dialog.



I don't know the milter protocol.  The short dialog between the 
after-Amavis smtpd and opendmarc contains "127.0.0.1" a few times, but 
not the XFORWARD address, but I do not know if that is suspicious.



I would very much appreciate it if somebody can tell me what is going 
on - and what opendmarc means with that error message.





Since then, I've had a look at the milter protocol.  And yes, one of the 
127.0.0.1 addresses transmitted to the milter is the client IP address.  
But I do not understand why a DMARC check should even consider the 
client IP address - I would have thought that it should be concerned 
only with the "From:" and "Authentication-Results" headers.



Also, I've found an old thread, in which it seems that the poster has 
succeeded in doing exactly what I'm trying - I can't see why it should 
be different from my setup:


On 2019-02-25 19:43, Patrick Proniewski wrote:

Then, I'm currently trying another approach. In my current setup, I've an amavisd 
sandwich: outer-smtp->amavisd->inner-smtp. I can't put opendmarc or any milter 
on the outer-smtp, so I've put opendmarc on the inner-smtp. It's working OK so far, 
but I'll need extensive testing to check all possible case.



An alternative solution might be to use the milter variant of amsvis: 
policyd-spf, amavis-milter (doing DKIM), openDMARC milter. Would that 
work?  (I hesitate to do major changes, since this is a production system.)


Any help would be greatly appreciated.

--
Jesper Dybdal
https://www.dybdal.dk























					Reply via email to