[opendmarc-users] How to deal with blocked DMARC reports
Matt Anton
matt at lv223.org
Thu Jan 3 08:25:58 PST 2019
On 3 Jan 2019, at 16:26, Benny Pedersen wrote:
>> The a case could be handled by opendmarc to check in smtp command VRFY
>> if the address in the dmarc record is valid (though VRFY might be
>> disabled on some MTA).
>
> we could tempfail on base of VRFY disabled, eq if no VRFY do not dmarc report
>
> or we can wait for ietf on solutions :(
Waiting for IETF is better as VRFY is often disabled by postmasters.
>> Right now I’m handling such cases at MTA level in an automated
>> fashion that parses mail logs to update a file that drops reports before
>> queueing, which prevents bounces.
>
> so you have scripts working ?
Yes, triggered by a daily cron job that scans the past mail log for bounced reports, grabs repuri from opendmarc’s SQL table, compares which addresses bounce and adds those to a header_checks pcre file for postfix (as header_checks is called by cleanup(8), filtering them is done before they’re queued by qmgr(8)).
> opendmarc can set domains in locked state, which imho means no reports are sent; if it's possible to parse bounce logs to commit data back to dmarc, then i would like to see it here on the mailing list
After some further reading of opendmarc’s docs and specifically the one for opendmarc-params(8)[1], the locked state in the requests table means « don’t update the record regardless any specific address is found in the DNS for the named domain ».
So a simpler solution than the one I have implemented above would be to scan mail logs for bounced addresses, then feed opendmarc-params(8) to lock and set a specific address for the bouncing domain (setting it to bit-bucket or /dev/null for that matter).
[1] <http://www.trusteddomain.org/opendmarc/opendmarc-params.8.html>
--
matt [at] lv223.org
GPG key ID: 7D91A8CA
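
The log-to-header_checks step described in the message above, as an added example (not the poster's script and not OpenDMARC code). The log lines and requests rows are constructed, and the function names and the choice to match a To: header holding only the report address are assumptions.

```python
import re

# Constructed Postfix log lines (not taken from the original post).
SAMPLE_LOG = """\
Jan  3 04:12:01 mx postfix/smtp[2101]: 4F1A2B3C4D: to=<dmarc-rua@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown)
Jan  3 04:12:03 mx postfix/smtp[2102]: 5A6B7C8D9E: to=<reports@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jan  3 04:12:07 mx postfix/smtp[2103]: 6B7C8D9E0F: to=<alice@example.com>, relay=mx.example.com[192.0.2.30]:25, delay=0.9, dsn=5.1.1, status=bounced (host mx.example.com[192.0.2.30] said: 550 5.1.1 User unknown)
"""

# Constructed (domain, repuri) rows, shaped like OpenDMARC's requests table.
SAMPLE_REQUESTS = [
    ("example.net", "mailto:dmarc-rua@example.net"),
    ("example.org", "mailto:reports@example.org,mailto:agg@example.org!10m"),
]

# \bto= does not match orig_to=, so only the final recipient is captured.
BOUNCE_RE = re.compile(r"\bto=<([^>]+)>.*\bstatus=bounced\b")

def bounced_recipients(log_text):
    """Return lowercased recipients that Postfix logged as status=bounced."""
    return {m.group(1).lower() for line in log_text.splitlines()
            if (m := BOUNCE_RE.search(line))}

def report_addresses(requests_rows):
    """Extract mailto: addresses from repuri values (comma-separated, optional !size)."""
    addrs = set()
    for _domain, repuri in requests_rows:
        for uri in repuri.split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:"):
                addrs.add(uri[7:].split("!", 1)[0].lower())
    return addrs

def header_checks_rules(log_text, requests_rows):
    """Build pcre header_checks lines for report addresses that bounced."""
    # Intersecting with repuri keeps ordinary bounced recipients out of the file.
    dead = sorted(bounced_recipients(log_text) & report_addresses(requests_rows))
    rules = []
    for addr in dead:
        # Escape every non-alphanumeric character, including the "/" delimiter.
        pattern = re.sub(r"([^A-Za-z0-9])", r"\\\1", addr)
        # Anchored at both ends: header_checks sees all mail passing cleanup(8).
        rules.append(f"/^To:\\s*<?{pattern}>?\\s*$/ DISCARD bounced DMARC report address")
    return rules
```

The returned lines are in the format of a Postfix pcre table, where DISCARD drops the whole message, so the pattern is anchored to a To: header that contains nothing but the report address.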