On January 17, 2023 2:25:34 AM UTC, raf <post...@raf.org> wrote:
>On Mon, Jan 16, 2023 at 08:01:10PM +0100, Maurizio Caloro <mauri...@caloro.ch> 
>wrote:
>
>> Hello
>> 
>> Please, one more thing about OpenDMARC: if I send any email to anywhere,
>> I see in the log SPF fail, domain.ch fail?
>> 
>> Jan 16 19:43:39 nmail opendkim[16490]: B6090404C3: DKIM-Signature field
>> added (s=nmail, d=caloro.ch)
>> Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: SPF(mailfrom): caloro.ch
>> fail
>> Jan 16 19:43:39 nmail opendmarc[16483]: B6090404C3: caloro.ch fail
>> 
>> if I receive any mail from anywhere, everything passes
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: mailc-bb.linkedin.com
>> [A.B.C.D] not internal
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: not authenticated
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: message has signatures
>> from linkedin.com, mailc.linkedin.com
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: signature=muv88Rcz
>> domain=linkedin.com selector=d2048-201806-01 result="no signature error";
>> signature=IKaXoyzS domain=mailc.linkedin.com selector=proddkim1024
>> result="no signature error"
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: DKIM verification
>> successful
>> Jan 16 19:37:10 nmail opendkim[13804]: 10003404C3: s=d2048-201806-01
>> d=linkedin.com SSL
>> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3 ignoring
>> Authentication-Results at 2 from nmail.caloro.ch
>> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: SPF(mailfrom):
>> bounce.linkedin.com pass
>> Jan 16 19:37:10 nmail opendmarc[15095]: 10003404C3: linkedin.com pass
>> 
>> --
>> in the header of any mail that I send, the following will appear
>> Authentication-Results-Original: caloro.ch, calm-ness.ch; spf=fail
>> 
>> # cat opendmarc.conf
>> AuthservID                              caloro.ch, calm-ness.ch
>> AuthservIDWithJobID             false
>> AutoRestart                             false
>> AutoRestartRate                     10/1h
>> Background                          true
>> DNSTimeout                      5
>> HistoryFile /var/spool/postfix/opendmarc/opendmarc.dat
>> IgnoreAuthenticatedClients      true
>> IgnoreHosts                         /etc/opendmarc/ignore.hosts
>> PidFile /var/run/opendmarc/opendmarc.pid
>> RejectFailures                  false
>> RequiredHeaders                 true
>> PublicSuffixList /etc/opendmarc/effective_tld_names.dat
>> Socket                          inet:8892@127.0.0.1
>> SoftwareHeader                  true
>> SPFSelfValidate                 true
>> SPFIgnoreResults                false
>> Syslog                              true
>> SyslogFacility                  mail
>> # TrustedAuthservIDs            nmail.caloro.ch, nmail.calm-ness.ch
>> TrustedAuthservIDs              caloro.ch, calm-ness.ch
>> UMask                           077
>> UserID                          opendmarc:opendmarc
>> 
>> if I check DMARC, DKIM, SPF for the domain online, everything appears correct!
>> please, why does my email fail?
>> 
>> thanks for any hint
>> Mauri
>
>I could be wrong, but I suspect that the problem is
>that you haven't configured OpenDMARC to not check
>locally originating mail. According to the first
>Received: header, the mail is coming from 37.120.190.188
>(which is mentioned in multiple ways in the SPF record),
>but your mail server at that IP address shouldn't be
>performing this check on outgoing mail.
>
>Perhaps you need to add this to your /etc/opendmarc.conf:
>
>  IgnoreAuthenticatedClients true
>
>Unfortunately, the code doing the SPF check doesn't
>explain why it failed. Some do. For example, the
>package on Debian would
>probably show the IP address that caused the failure.
>Maybe it's 127.0.0.1 (or the IP address of an
>authenticated submission client).

The internal SPF implementation in OpenDMARC is not a full implementation of 
the protocol.  In general, you are likely to be better off having something SPF 
specific check SPF and then have OpenDMARC consume that result for its DMARC 
processing.  If you are inclined towards Perl, then postfix-policyd-spf-perl is 
a good choice.  SPF Engine supports either a milter (pyspf-milter) or policy 
server (postfix-policyd-spf-python) interface with Postfix, depending on which 
you prefer, if you're up for a Python based solution.

Scott K
