Mailing List Archive

pypolicyd-spf not prepending the Received-SPF header?
I've been playing around with implementing SPF on my personal server using
pypolicyd-spf. The actual SPF checking is working fine, however it's not
prepending the Received-SPF header to any the messages and I'm at a loss to
work out why - I've spent hours playing with various configuration options
:(

Can anyone help? Some examples are below. Host is Fedora 12 running postfix
version 2.6.5.

Thanks,
Luke

-----
policyd-spf.conf:
-----

debugLevel = 4
#defaultSeedOnly = 1
defaultSeedOnly = 0

HELO_reject = SPF_Not_Pass
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128

-----
Example logs:
-----

Nov 26 20:28:00 medusa postfix/smtpd[15353]: connect from
ironport1-mx.cbr1.mail-filtering.com.au[203.88.115.241]
Nov 26 20:28:00 medusa postgrey[13302]: action=pass, reason=triplet found,
client_name=ironport1-mx.cbr1.mail-filtering.com.au,
client_address=203.88.115.241, sender=admin [ at ] testerdomain.com,
recipient=luke [ at ] mydomain.com Nov 26 20:28:00 medusa
policyd-spf[15361]: Starting Nov 26 20:28:00 medusa policyd-spf[15361]: Read
line: "request=smtpd_access_policy"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "protocol_state=RCPT"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "protocol_name=ESMTP"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line:
"client_address=203.88.115.241"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line:
"client_name=ironport1-mx.cbr1.mail-filtering.com.au"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line:
"reverse_client_name=ironport1-mx.cbr1.mail-filtering.com.au"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line:
"helo_name=ironport1-mx.cbr1.mail-filtering.com.au"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "sender=admin [ at ]
testerdomain.com"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "recipient=luke [ at ]
mydomain.com"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "recipient_count=0"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "queue_id="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line:
"instance=3bf9.4cef8bb0.5fe44.0"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "size=2861"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "etrn_domain="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "stress="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "sasl_method="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "sasl_username="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "sasl_sender="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "ccert_subject="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "ccert_issuer="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "ccert_fingerprint="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "encryption_protocol="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "encryption_cipher="
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: "encryption_keysize=0"
Nov 26 20:28:00 medusa policyd-spf[15361]: Read line: ""
Nov 26 20:28:00 medusa policyd-spf[15361]: Found the end of entry Nov 26
20:28:00 medusa policyd-spf[15361]: Config: {'Mail_From_reject': 'Fail',
'PermError_reject': 'False', 'HELO_reject': 'SPF_Not_Pass',
'defaultSeedOnly': 0, 'debugLevel': 4, 'skip_addresses':
'127.0.0.0/8,::ffff:127.0.0.0//104,::1//128', 'TempError_Defer': 'False'}
Nov 26 20:28:00 medusa policyd-spf[15361]: Cached data for this instance: []
Nov 26 20:28:00 medusa policyd-spf[15361]: spfcheck: pyspf result: "['None',
'', 'helo']"
Nov 26 20:28:00 medusa policyd-spf[15361]: None; identity=helo;
client-ip=203.88.115.241; helo=ironport1-mx.cbr1.mail-filtering.com.au;
envelope-from=admin [ at ] testerdomain.com; receiver=luke [ at ]
mydomain.com Nov 26 20:28:00 medusa policyd-spf[15361]: spfcheck: pyspf
result: "['None', '', 'mailfrom']"
Nov 26 20:28:00 medusa policyd-spf[15361]: None; identity=mailfrom;
client-ip=203.88.115.241; helo=ironport1-mx.cbr1.mail-filtering.com.au;
envelope-from=admin [ at ] testerdomain.com; receiver=luke [ at ]
mydomain.com Nov 26 20:28:00 medusa postfix/smtpd[15353]: E59228080:
client=ironport1-mx.cbr1.mail-filtering.com.au[203.88.115.241]
Nov 26 20:28:01 medusa postfix/cleanup[15364]: E59228080:
message-id=<003001cb8d54$9256c340$b70449c0$ [ at ] net.au> Nov 26 20:28:01
medusa postfix/qmgr[15295]: E59228080: from=<admin [ at ] testerdomain.com>,
size=3296, nrcpt=1 (queue active) Nov 26 20:28:01 medusa dovecot:
deliver(luke [ at ] mydomain.com): msgid=<003001cb8d54$9256c340$b70449c0$ [
at ] net.au>: saved mail to INBOX Nov 26 20:28:01 medusa
postfix/pipe[15366]: E59228080: to=<luke [ at ] mydomain.com>,
relay=dovecot, delay=0.89, delays=0.88/0.01/0/0.01, dsn=2.0.0, status=sent
(delivered via dovecot service) Nov 26 20:28:01 medusa postfix/qmgr[15295]:
E59228080: removed Nov 26 20:28:06 medusa postfix/smtpd[15353]: disconnect
from ironport1-mx.cbr1.mail-filtering.com.au[203.88.115.241]

-----
Actual headers from the message above:
-----

Return-Path: <admin [ at ] testerdomain.com>
Delivered-To: luke [ at ] mydomain.com
Received: from ironport1-mx.cbr1.mail-filtering.com.au
(ironport1-mx.cbr1.mail-filtering.com.au [203.88.115.241])
by medusa.mydomain.com (Postfix) with ESMTP id E59228080
for <luke [ at ] mydomain.com>; Fri, 26 Nov 2010 20:28:00 +1000
(EST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ArAHAPca70xxFAXB/2dsb2JhbACCA5MGhguHIVdxwBCFRwQ
X-IronPort-AV: E=Sophos;i="4.59,260,1288530000";
d="scan'208,217";a="286471753"
Received: from ju001lcs06.cbr.the-server.com.au ([113.20.5.193])
by ironport1-mta.cbr1.mail-filtering.com.au with ESMTP; 26 Nov 2010
21:27:49 +1100
Received: from 124-148-61-23.dyn.iinet.net.au ([124.148.61.23]
helo=starbuck)
by ju001lcs06.cbr.the-server.com.au with esmtpa (Exim 4.69)
(envelope-from <admin [ at ] testerdomain.com>)
id 1PLvWv-0001Uz-6j
for luke [ at ] mydomain.com; Fri, 26 Nov 2010 21:27:49 +1100
From: "Luke Harris" <admin [ at ] testerdomain.com>
To: <luke [ at ] mydomain.com>
Subject: test
Date: Fri, 26 Nov 2010 20:27:45 +1000
Message-ID: <003001cb8d54$9256c340$b70449c0$ [ at ] net.au>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0031_01CB8DA8.6402D340"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcuNVJDojla/nLLyTquo0jtrO9b0SQ==
Content-Language: en-au




-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101126094145:4A2BA22E-F96B-11DF-89F6-4674F559ED1D
Powered by Listbox: http://www.listbox.com
Re: pypolicyd-spf not prepending the Received-SPF header? [ In reply to ]
"Luke Harris" <luke@epitah.net> wrote:

>I've been playing around with implementing SPF on my personal server
>using
>pypolicyd-spf. The actual SPF checking is working fine, however it's
>not
>prepending the Received-SPF header to any the messages and I'm at a
>loss to
>work out why - I've spent hours playing with various configuration
>options
>:(
>
>Can anyone help? Some examples are below. Host is Fedora 12 running
>postfix
>version 2.6.5.
>
What version of pypolicyd-spf?

Scott K



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101126100916:2170B23A-F96F-11DF-8800-F427C6F4DBAC
Powered by Listbox: http://www.listbox.com
RE: pypolicyd-spf not prepending the Received-SPF header? [ In reply to ]
It's version 0.8.0.

- Luke

-----Original Message-----
From: Scott Kitterman [mailto:scott@kitterman.com]
Sent: Saturday, 27 November 2010 1:09 AM
To: spf-help@listbox.com
Subject: Re: [spf-help] pypolicyd-spf not prepending the Received-SPF header?



"Luke Harris" <luke@epitah.net> wrote:

>I've been playing around with implementing SPF on my personal server
>using
>pypolicyd-spf. The actual SPF checking is working fine, however it's
>not
>prepending the Received-SPF header to any the messages and I'm at a
>loss to
>work out why - I've spent hours playing with various configuration
>options
>:(
>
>Can anyone help? Some examples are below. Host is Fedora 12 running
>postfix
>version 2.6.5.
>
What version of pypolicyd-spf?

Scott K



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/20210728-8cb57ef0
Modify Your Subscription: https://www.listbox.com/member/?&
Unsubscribe Now: https://www.listbox.com/unsubscribe/?&&post_id=20101126100916:2170B23A-F96F-11DF-8800-F427C6F4DBAC
Powered by Listbox: http://www.listbox.com



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101126171318:614B94B6-F9AA-11DF-8BF8-8E23055F25E9
Powered by Listbox: http://www.listbox.com
Re: pypolicyd-spf not prepending the Received-SPF header? [ In reply to ]
On Friday, November 26, 2010 09:41:24 am Luke Harris wrote:
> I've been playing around with implementing SPF on my personal server using
> pypolicyd-spf. The actual SPF checking is working fine, however it's not
> prepending the Received-SPF header to any the messages and I'm at a loss to
> work out why - I've spent hours playing with various configuration options
>
> :(
>
> Can anyone help? Some examples are below. Host is Fedora 12 running postfix
> version 2.6.5.
>
> Thanks,
> Luke
>
> -----
> policyd-spf.conf:
> -----
>
> debugLevel = 4
> #defaultSeedOnly = 1
> defaultSeedOnly = 0

Here you've changed the default configuration so that it won't take any action
on the message. It should still prepend the header (according to the
documentation (which I wrote)), but doesn't, so that's a bug that I'll fix. If
you change it back to defaultSeedOnly = 1 it will properly prepend the header.

I ran the policy server by hand with your example (snipped from the reply for
brevity) and got:

action=prepend Received-SPF: None (no SPF record) identity=mailfrom; client-
ip=203.88.115.241; helo=ironport1-mx.cbr1.mail-filtering.com.au; envelope-
from=admin@testerdomain.com; receiver=luke@mydomain.com

In the meantime, you check results in the mail log to see what it's determing.

Scott K


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101127215653:270ADB26-FA9B-11DF-B6CE-097AF559ED1D
Powered by Listbox: http://www.listbox.com
Re: pypolicyd-spf not prepending the Received-SPF header? [ In reply to ]
On Saturday, November 27, 2010 09:56:31 pm Scott Kitterman wrote:
> On Friday, November 26, 2010 09:41:24 am Luke Harris wrote:
> > I've been playing around with implementing SPF on my personal server
> > using pypolicyd-spf. The actual SPF checking is working fine, however
> > it's not prepending the Received-SPF header to any the messages and I'm
> > at a loss to work out why - I've spent hours playing with various
> > configuration options
> >
> > :(
> >
> > Can anyone help? Some examples are below. Host is Fedora 12 running
> > postfix version 2.6.5.
> >
> > Thanks,
> > Luke
> >
> > -----
> > policyd-spf.conf:
> > -----
> >
> > debugLevel = 4
> > #defaultSeedOnly = 1
> > defaultSeedOnly = 0
>
> Here you've changed the default configuration so that it won't take any
> action on the message. It should still prepend the header (according to
> the documentation (which I wrote)), but doesn't, so that's a bug that I'll
> fix. If you change it back to defaultSeedOnly = 1 it will properly
> prepend the header.
>
> I ran the policy server by hand with your example (snipped from the reply
> for brevity) and got:
>
> action=prepend Received-SPF: None (no SPF record) identity=mailfrom;
> client- ip=203.88.115.241; helo=ironport1-mx.cbr1.mail-filtering.com.au;
> envelope- from=admin@testerdomain.com; receiver=luke@mydomain.com
>
> In the meantime, you check results in the mail log to see what it's
> determing.
>
Here is a patch. I'll release 0.8.1 shortly with this fix.

Scott K





-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101127225628:79178E48-FAA3-11DF-B94E-0930C6F4DBAC
Powered by Listbox: http://www.listbox.com
RE: pypolicyd-spf not prepending the Received-SPF header? [ In reply to ]
Well there you go. I'd enabled that since I was testing and didn't want to
lose any mail :)

Thanks for the patch - it works great. Much appreciated.

- Luke

-----Original Message-----
From: Scott Kitterman [mailto:scott@kitterman.com]
Sent: Sunday, 28 November 2010 1:56 PM
To: spf-help@listbox.com
Subject: Re: [spf-help] pypolicyd-spf not prepending the Received-SPF
header?

On Saturday, November 27, 2010 09:56:31 pm Scott Kitterman wrote:
> On Friday, November 26, 2010 09:41:24 am Luke Harris wrote:
> > I've been playing around with implementing SPF on my personal server
> > using pypolicyd-spf. The actual SPF checking is working fine,
> > however it's not prepending the Received-SPF header to any the
> > messages and I'm at a loss to work out why - I've spent hours
> > playing with various configuration options
> >
> > :(
> >
> > Can anyone help? Some examples are below. Host is Fedora 12 running
> > postfix version 2.6.5.
> >
> > Thanks,
> > Luke
> >
> > -----
> > policyd-spf.conf:
> > -----
> >
> > debugLevel = 4
> > #defaultSeedOnly = 1
> > defaultSeedOnly = 0
>
> Here you've changed the default configuration so that it won't take
> any action on the message. It should still prepend the header
> (according to the documentation (which I wrote)), but doesn't, so
> that's a bug that I'll fix. If you change it back to defaultSeedOnly
> = 1 it will properly prepend the header.
>
> I ran the policy server by hand with your example (snipped from the
> reply for brevity) and got:
>
> action=prepend Received-SPF: None (no SPF record) identity=mailfrom;
> client- ip=203.88.115.241;
> helo=ironport1-mx.cbr1.mail-filtering.com.au;
> envelope- from=admin@testerdomain.com; receiver=luke@mydomain.com
>
> In the meantime, you check results in the mail log to see what it's
> determing.
>
Here is a patch. I'll release 0.8.1 shortly with this fix.

Scott K





-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/
[http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/20210728-8cb57ef0
Modify Your Subscription:
https://www.listbox.com/member/?&
b4
Unsubscribe Now:
https://www.listbox.com/unsubscribe/?&
e2f99e6&post_id=20101127225628:79178E48-FAA3-11DF-B94E-0930C6F4DBAC
Powered by Listbox: http://www.listbox.com



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101128024242:0D371E80-FAC3-11DF-BFF3-C15CD0D0D6C6
Powered by Listbox: http://www.listbox.com
Re: pypolicyd-spf not prepending the Received-SPF header? [ In reply to ]
On 26/Nov/10 15:41, Luke Harris wrote:
> The actual SPF checking is working fine, however it's not
> prepending the Received-SPF header to any the messages and I'm at a
> loss to work out why

Out of curiosity, may I ask what software uses those Received-SPF?

I just translate them to, say,

Authentication-Results: my.server.fqdn;
spf=pass smtp.mailfrom=whatever.it.was

but then I'm not aware of what software may be using the latter either.

--



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101129084726:31A6345C-FBBF-11DF-8B22-5FD2C5F4DBAC
Powered by Listbox: http://www.listbox.com
Re: pypolicyd-spf not prepending the Received-SPF header? [ In reply to ]
"Alessandro Vesely" <vesely@tanax.it> wrote:

>On 26/Nov/10 15:41, Luke Harris wrote:
>> The actual SPF checking is working fine, however it's not
>> prepending the Received-SPF header to any the messages and I'm at a
>> loss to work out why
>
>Out of curiosity, may I ask what software uses those Received-SPF?
>
>I just translate them to, say,
>
> Authentication-Results: my.server.fqdn;
> spf=pass smtp.mailfrom=whatever.it.was
>
>but then I'm not aware of what software may be using the latter either.
>
Spamassassin will use them if provided by a trusted relay rather than do it's own SPF check. I'd imagine there are others too.

The SPF received header field predates authentication results by several years. I do have implementation of authentication results on my TODO for pypolicyd-spf.

Scott K


-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/1311530-08394398
Modify Your Subscription: https://www.listbox.com/member/?member_id=1311530&id_secret=1311530-644bccd5
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=1311530&id_secret=1311530-512c0f9e&post_id=20101129085402:171AF9E6-FBC0-11DF-85EE-CCD3248C19DE
Powered by Listbox: http://www.listbox.com