----- Message from Jesper Dybdal <jd-postfix-us...@dybdal.dk> ---------
Date: Tue, 13 Apr 2021 12:03:33 +0200
From: Jesper Dybdal <jd-postfix-us...@dybdal.dk>
Subject: Re: Opendmarc in after-Amavis smtpd fails
To: postfix-users@postfix.org
I did not get any replies to the message below. So I'm trying
again, with a few additional details and questions added at the end.
On 2021-04-04 15:13, I wrote:
I use postfix 3.4.14 (Debian Buster) with amavisd-new as a
pre-queue filter (smtpd_proxy_filter).
I use Amavis to generate and verify DKIM signatures, and
policyd-spf-python to preform SPF checks.
This works fine. But now I would like to add DMARC verification.
Since DMARC needs the DKIM result from Amavis, my plan was to use
the opendmarc milter in the after-Amavis smtpd instance.
But this does not seem to work. Opendmarc logs "ignoring
connection from localhost" and seems to do nothing.
The after-Amavis smtpd listens at port 10028; opendmarc listens at
port 10030.
I have placed configuration information and tcpdump examples at
https://www.dybdal.dk/opendmarc-problem/
I have verified with tcpdump that Amavis does provide an XFORWARD
command to the after-Amavis smtpd.
I have verified with tcpdump that the after-Amavis smtpd does
connect to opendmarc and that they have a (very short) dialog.
I don't know the milter protocol. The short dialog between the
after-Amavis smtpd and opendmarc contains "127.0.0.1" a few times,
but not the XFORWARD address, but I do not know if that is
suspicious.
I would very much appreciate it if somebody can tell me what is
going on - and what opendmarc means with that error message.
Since then, I've had a look at the milter protocol. And yes, one of
the 127.0.0.1 addresses transmitted to the milter is the client IP
address. But I do not understand why a DMARC check should even
consider the client IP address - I would have thought that it should
be concerned only with the "From:" and "Authentication-Results"
headers.
Also, I've found an old thread, in which it seems that the poster
has succeeded in doing exactly what I'm trying - I can't see why it
should be different from my setup:
On 2019-02-25 19:43, Patrick Proniewski wrote:
Then, I'm currently trying another approach. In my current setup,
I've an amavisd sandwich: outer-smtp->amavisd->inner-smtp. I can't
put opendmarc or any milter on the outer-smtp, so I've put
opendmarc on the inner-smtp. It's working OK so far, but I'll need
extensive testing to check all possible case.
An alternative solution might be to use the milter variant of
amsvis: policyd-spf, amavis-milter (doing DKIM), openDMARC milter.
Would that work? (I hesitate to do major changes, since this is a
production system.)
Any help would be greatly appreciated.
Hi Jesper,
Looks like opendmarc is seeing the injected amavis mail as localhost,
which I assume it is... by default opendmarc will ignore that.
For what it is worth, this is my config for INBOUND email:
- pypolicyd-spf called as a check_policy_service in
smtpd_recipient_restrictions runs SPF checks, inserting an
Authentication-Results header with SPF evaluation
- smtpd_milter_maps calls opendkim and opendmarc (in that order)
- I have smtpd_milter_maps set so the milters do not run on internal
addresses:
# Skip milters if mail is from internal addresses or localhost
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
- opendmarc.conf is also configured to ignore
IgnoreAuthenticatedClients; and IgnoreHosts contains my local network
(although I think this last is duplication given the smtpd_milter_maps
setting)
- All SMTP inbound mail other than from localhost or local network
therefore gets SPF, DKIM and DMARC evaluated
- Postfix then calls amavis as a content_filter
- Amavis evaluates, calls spamassassin (which applies rules on SPF,
DKIM, DMARC), etc., and then passes back to postfix.
- postfix has no content_filter or milters on the re-injected mail, so
it comes back in for delivery
Like you I use amavis to DKIM sign outbound email, not opendkim. I
just prefer the way it handles it.
I know it's a different setup to yours, but may provide an alternate route.
Simon.
--
Simon Wilson
M: 0400 12 11 16
