So in the end I changed the config a bit again. I put postfix-policyd-spf-python back,
since it allows more advanced configurations and adds better information to the logs and the headers.
Basically, I applied this diff:
diff --git a/opendmarc.conf b/opendmarc.conf
index 89cec36d..7bd54540 100644
@@ -10,7 +10,7 @@
## provided, the name of the host running the filter (as returned by the
## gethostname(3) function) will be used.
#
-AuthservID dmarc.club1.fr
+AuthservID mail.club1.fr
## FailureReports { true | false }
## default "false"
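Review bot: the `+AuthservID mail.club1.fr` line has no comment saying why the ID moves from dmarc.club1.fr to the same value that policyd-spf.conf sets for `Authserv_Id` later in this patch. A one-line comment above it, stating that the filters on this host now share mail.club1.fr as their identifier, would keep someone from changing one file without the other.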
@@ -81,17 +81,6 @@ Syslog true
#
# SyslogFacility mail
-## TrustedAuthservIDs string
-## default HOSTNAME
-##
-## Specifies one or more "authserv-id" values to trust as relaying true
-## upstream DKIM and SPF results. The default is to use the name of
-## the MTA processing the message. To specify a list, separate each entry
-## with a comma. The key word "HOSTNAME" will be replaced by the name of
-## the host running the filter as reported by the gethostname(3) function.
-#
-TrustedAuthservIDs mail.club1.fr
-
## UMask mask
## default (none)
##
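Review bot: dropping `TrustedAuthservIDs mail.club1.fr` falls back to the documented default HOSTNAME, that is, whatever gethostname(3) returns, while policyd-spf.conf in this same patch stamps its results with `Authserv_Id = mail.club1.fr`. If the system hostname is not exactly mail.club1.fr, those SPF results no longer carry a trusted authserv-id. I would keep the explicit `TrustedAuthservIDs mail.club1.fr` line so that trust does not depend on the machine's hostname.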
@@ -130,25 +119,3 @@ RequiredHeaders true
## emails over port 587.
#
IgnoreAuthenticatedClients true
-#
-## SPFIgnoreResults { true | false }
-## default "false"
-##
-## Causes the filter to ignore any SPF results in the header of the
-## message. This is useful if you want the filter to perform SPF checks
-## itself, or because you don't trust the arriving header.
-#
-SPFIgnoreResults true
-
-## SPFSelfValidate { true | false }
-## default false
-##
-## Enable internal spf checking with --with-spf
-## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path
-##
-## Causes the filter to perform a fallback SPF check itself when
-## it can find no SPF results in the message header. If SPFIgnoreResults
-## is also set, it never looks for SPF results in headers and
-## always performs the SPF check itself when this is set.
-#
-SPFSelfValidate true
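Review bot: removing `SPFSelfValidate true` at the end of this hunk leaves no fallback when a message reaches the filter without an SPF result in its header, and removing `SPFIgnoreResults true` means the filter now relies on the header results, which the deleted comment describes as a matter of whether you trust the arriving header. If the intent is that policyd-spf always supplies the result, say so in a comment here; otherwise consider keeping `SPFSelfValidate true` alone as the fallback.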
diff --git a/postfix-policyd-spf-python/policyd-spf.conf b/postfix-policyd-spf-python/policyd-spf.conf
index 2d8fbe23..3f5d5d50 100644
@@ -2,7 +2,10 @@
debugLevel = 1
-# TestOnly = 1 means this option is disabled, and that mail is rejected on failure
+# If set to 0, no messages are rejected by SPF. This allows you to see the
+# potential impact of SPF checking in your mail logs without rejecting mail.
+# In our case, we want to reject all emails that fail SPF, but in other cases
+# (pass/none/tempfail/softfail) we want OpenDMARC to take the final decision.
TestOnly = 1
HELO_reject = Fail
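Review bot: the new comment above `TestOnly = 1` explains only the value 0 and then states that failing mail should be rejected, so the reader has to infer what 1 does; the deleted line said it directly ("mail is rejected on failure"). Add a sentence that names the value actually set, for example that 1 enables rejection on SPF failure, so the comment and the setting cannot be read as contradicting each other.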
@@ -12,3 +15,18 @@ PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
+
+# Type of header to insert to document SPF result. Can be Received-SPF (SPF)
+# or Authentication Results (AR). It cannot be both.
+# Examples: (default is Received-SPF):
+# We use the Authentication-Results field as it is more in line with OpenDKIM
+# and we are sure that OpenDMARC will support it.
+Header_Type = AR
+
+# Every Authentication-Results header field has an authentication identifier
+# field ('Authserv_Id'). This is similar in syntax to a fully-qualified domain
+# name. See policyd-spf.conf.5 and RFC 7001 paragraph 2.4 for details.
+# Default is HOSTNAME (as provided by socket.gethostname). Authserv-Id must
+# be provided if Header_Type 'AR' is used.
+# Authserv_Id = mx.example.com
+Authserv_Id = mail.club1.fr
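Review bot: the added line `# Examples: (default is Received-SPF):` is followed by no examples, only the local rationale, and the sample `# Authserv_Id = mx.example.com` sits directly above the real setting. Both look like leftovers from the upstream template; drop them, or restore the examples, so the block reads as this site's own documentation of `Header_Type = AR` and `Authserv_Id = mail.club1.fr`.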
(Update of the corresponding doc)