[opendmarc-users] How to deal with blocked DMARC reports

Matt Anton matt at lv223.org
Thu Jan 3 08:25:58 PST 2019


On 3 Jan 2019, at 16:26, Benny Pedersen wrote:

>> The a case could be handled by opendmarc to check in smtp command VRFY
>> if the address in the dmarc record is valid (though VRFY might be
>> disabled on some MTA).
>
> we could tempfail on base of VRFY disabled, eq if no VRFY do not dmarc report
>
> or we can wait for ietf on solutions :(

Waiting for IETF is better as VRFY is often disabled by postmasters.

>> Right now I’m handling such cases at MTA level in an automated
>> fashion that parse mail logs to update a file that drop reports before
>> queueing which prevents bounces.
>
> so you have scripts working ?

Yes, triggered by a daily cronjob that scans the past mail log for bounced reports, grabs repuri from opendmarc’s SQL table, compares which addresses bounce and adds those to a header_checks pcre file for postfix (as header_checks is called by cleanup(8), filtering them is done before they’re queued by qmgr(8)).

> opendmarc can set domains in locked state, with imho means no report are sent, if its possible to parse bounce logs to commit data back to dmarc, then i would like to see it here on maillist

After some further reading of opendmarc’s docs and specifically the one for opendmarc-params(8)[1], the locked state in the requests table means « don’t update the record regardless of whether any specific address is found in the DNS for the named domain ».

So a simpler solution than the one I have implemented above would be to scan mail logs for bounced addresses, then feed opendmarc-params(8) to lock and set a specific address for the bouncing domain (setting it to bit-bucket or /dev/null for that matter).

[1] <http://www.trusteddomain.org/opendmarc/opendmarc-params.8.html>

-- 
matt [at] lv223.org
GPG key ID: 7D91A8CA
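
Added example, not part of the original message and not the poster's script: a sketch of the log-scanning step described above, which intersects bounced recipients in a Postfix log with the report addresses taken from repuri values and emits header_checks pcre rules. It assumes the default Postfix syslog line format, repuri values holding mailto: URIs, and the DISCARD action; the function names and all sample data are constructed for illustration.

```python
import re

# Postfix delivery line: "... postfix/smtp[pid]: QUEUEID: to=<addr>, ... status=bounced (...)"
BOUNCE_RE = re.compile(r"postfix/\w+\[\d+\]: \w+: to=<([^>]+)>,.*\bstatus=bounced\b")

def rua_addresses(repuri):
    """Lowercased mailto: addresses from one comma-separated repuri value."""
    out = set()
    for uri in repuri.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            # drop an optional "!10m" size limit or "?..." query part
            out.add(re.split(r"[!?]", uri[7:], maxsplit=1)[0].lower())
    return out

def bounced_recipients(log_lines):
    """Recipients of every delivery attempt logged with status=bounced."""
    return {m.group(1).lower() for line in log_lines if (m := BOUNCE_RE.search(line))}

def header_checks(log_lines, repuris):
    """pcre rules for report addresses that bounced; other bounces are ignored."""
    report_addrs = set()
    for value in repuris:
        report_addrs |= rua_addresses(value)
    rules = []
    for addr in sorted(bounced_recipients(log_lines) & report_addrs):
        # escape regex metacharacters and the "/" pattern delimiter
        pat = re.escape(addr).replace("/", r"\/")
        rules.append(f"/^To:.*\\b{pat}\\b/ DISCARD bouncing DMARC rua")
    return rules

# Constructed sample data (documentation domains and addresses).
SAMPLE_LOG = [
    "Jan  3 04:12:01 mx postfix/smtp[2211]: 4A1B2C3D4E: to=<dmarc@gone.example>, "
    "relay=mx.gone.example[192.0.2.10]:25, delay=1.2, dsn=5.1.1, status=bounced "
    "(host mx.gone.example[192.0.2.10] said: 550 5.1.1 User unknown)",
    "Jan  3 04:12:05 mx postfix/smtp[2212]: 5B2C3D4E5F: to=<rua@ok.example>, "
    "relay=mx.ok.example[192.0.2.20]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)",
    "Jan  3 04:13:00 mx postfix/smtp[2213]: 6C3D4E5F6A: to=<alice@other.example>, "
    "relay=mx.other.example[192.0.2.30]:25, delay=2.0, dsn=5.1.1, status=bounced "
    "(host mx.other.example[192.0.2.30] said: 550 5.1.1 User unknown)",
]
SAMPLE_REPURI = ["mailto:dmarc@gone.example",
                 "mailto:rua@ok.example!10m,mailto:agg@thirdparty.example"]

if __name__ == "__main__":
    print("\n".join(header_checks(SAMPLE_LOG, SAMPLE_REPURI)))
```

A rule of this form matches the To: header of any message passing through cleanup(8), so it discards all mail to that address, not only DMARC reports.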