[opendmarc-dev] draft: patch to implement an override mechanism for MLMs

Juri Haberland juri at sapienti-sat.org
Sun May 22 05:00:52 PDT 2016


Hello Andreas,

thanks for testing the patch and your comments! Please see my inline remarks:

On 22.05.2016 12:06, A. Schulze wrote:
> Some notes:
> 
> - opendmarc crashes if OverrideMLM is not set in opendmarc.conf

I can't reproduce that here. At least it starts without a problem. Do you
see the crash when a message arrives that would be rejected (or quarantined)?

> - Messages that don't pass dmarc but came from a host listed in OverrideMLM
>    trigger sending a failure report. Shouldn't that not happen anymore?

I thought about that, too:
In my opinion it is ok to send a failure report because the message does
fail the DMARC test - so send a failure report. But locally we decide to
accept it anyway.

> - I suggest some logging
>    result = fail, overwritten by OverrideMLM: pass

Currently it logs something like:
>> opendmarc[123]: A5CB71847: overriding policy for mail from lists.ntp.org because of MLM
>> opendmarc[123]: A5CB71847: example.com pass
Maybe we should use "none" instead of "pass".
I thought it would be clear that the result must be a fail, or else the
check for an MLM would not have been made.

> - maybe the implemented enhancement could be adopted for
>    forwarded, sampled_out, trusted_forwarder, local_policy, other
> 
> idea: implement a lookup table with key=remotehost and value=override_class

Yes, I had the same idea, but wanted to have something quickly. On the
other hand, there might be different requirements for different classes,
e.g. for the "forwarded" class, Google downgrades "reject" to "quarantine",
so we might need a flag to downgrade or just pass the message. And adding
an optional free text that would be used for the comment tag in the report
would be nice, too - at least for some classes (e.g. like Google: "looks
forwarded, downgrade to quarantine with phishing warning").
That brings me to another idea: We might want to add some other headers to
a mail for later processing...
And having a hint in the DMARC header that we overrode the policy and why
would also be nice...

Cheers,
  Juri
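
The lookup-table idea discussed in this message (key=remotehost, value=override_class, plus a per-entry accept-or-downgrade flag and an optional report comment), sketched as an added example. It is not code from the patch or from OpenDMARC; all type, function and host names are hypothetical, and the connecting host is assumed to be supplied by the MTA rather than taken from message headers.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical types; none of these names come from OpenDMARC. */
typedef enum { DISP_NONE, DISP_QUARANTINE, DISP_REJECT } disp_t;
typedef enum { ACT_ACCEPT, ACT_DOWNGRADE } action_t;

struct override_entry {
    const char *remotehost;      /* key: connecting host, as established by the MTA */
    const char *override_class;  /* value: reason to record for the override */
    action_t    action;          /* accept outright, or only soften "reject" */
    const char *comment;         /* optional free text for the report, may be NULL */
};

/* Constructed sample table; the host names are placeholders. */
static const struct override_entry overrides[] = {
    { "lists.example.org", "mailing_list", ACT_ACCEPT,    NULL },
    { "fwd.example.net",   "forwarded",    ACT_DOWNGRADE,
      "looks forwarded, downgrade to quarantine" },
};

struct verdict { disp_t disp; const char *override_class; const char *comment; };

/* Decide the local disposition for one message. */
struct verdict apply_override(const char *remotehost, int dmarc_pass, disp_t policy)
{
    struct verdict v = { policy, NULL, NULL };
    /* The table is consulted only after a DMARC fail. */
    if (dmarc_pass) { v.disp = DISP_NONE; return v; }
    for (size_t i = 0; i < sizeof overrides / sizeof overrides[0]; i++) {
        /* Whole-name, case-insensitive match: no suffix or substring matching. */
        if (strcasecmp(remotehost, overrides[i].remotehost) != 0)
            continue;
        v.override_class = overrides[i].override_class;
        v.comment = overrides[i].comment;
        if (overrides[i].action == ACT_ACCEPT)
            v.disp = DISP_NONE;
        else if (policy == DISP_REJECT)
            v.disp = DISP_QUARANTINE;
        break;
    }
    return v;
}
int main(void)
{
    struct verdict v = apply_override("fwd.example.net", 0, DISP_REJECT);
    printf("disp=%d class=%s\n", v.disp, v.override_class);
    return 0;
}
```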


