[opendmarc-users] avoid dmarc checks for authenticated connections

Benny Pedersen me at junc.eu
Wed Oct 16 09:56:29 PDT 2024


Marco Moock wrote on 2024-10-16 17:10:
> Hello!
> 
> IIRC the sendmail milter interface can tell a milter when a connection
> is authenticated (e.g. for mail submission from MUA). Can opendmarc use
> this info and avoid checking DMARC?

Yes

X-Spam-Status	Yes, score=5.256 tagged_above=-999 required=5 
tests=[AUTHRES_ATPS_NEUTRAL=0.5, AUTHRES_DKIM_FAIL=0.5, 
AUTHRES_SENDER_ID_PASS=-1.1, AUTHRES_SPF_FAIL=1.5, DKIM_INVALID=0.1, 
DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, 
KAM_DMARC_STATUS=0.008, MAILING_LIST_MULTI=-0.1, 
RELAYCOUNTRY_BAD_DE=0.5, RELAYCOUNTRY_GREY=0.1, SPF_HELO_NONE=3, 
SPF_PASS=-0.1] autolearn=no autolearn_force=no
Authentication-Results	mx.junc.eu (amavisd-new); dkim=fail (2048-bit 
key) reason="fail (message has been altered)" header.d=dorfdsl.de
Authentication-Results	medusa.blackops.org; dkim=fail reason="signature 
verification failed" (2048-bit key; unprotected) header.d=dorfdsl.de 
header.i=@dorfdsl.de header.b=0qyCC8br; dkim-atps=neutral
Authentication-Results	medusa.blackops.org; sender-id=fail 
(NotPermitted) header.sender=opendmarc-users-bounces at trusteddomain.org; 
spf=fail (NotPermitted) 
smtp.mfrom=opendmarc-users-bounces at trusteddomain.org
Authentication-Results	medusa.blackops.org; sender-id=pass 
header.from=mm at dorfdsl.de; spf=none smtp.mfrom=mm at dorfdsl.de
Authentication-Results	srv1.dorfdsl.de; dmarc=fail (p=none dis=none) 
header.from=dorfdsl.de
Authentication-Results	srv1; none (SPF check N/A for local connections - 
client-ip=2a01:170:118f:2:41f1:9a73:d13d:a0f; 
helo=[IPv6:2a01:170:118f:2:41f1:9a73:d13d:a0f]; 
envelope-from=mm at dorfdsl.de; receiver=<UNKNOWN>)


To be fair, why is SPF failing when you mail to blackops?

Why is blackops missing SPF HELO pass? :)

Or is this really blackops failing miserably?

https://mailing.postfix.users.narkive.com/1jti9G9Y/permit-sasl-authenticated-users-to-bypass-dmarc

In opendmarc.conf, set MTA=ORIGINATING.

In Postfix master.cf, set -o milter_macro_daemon_name=ORIGINATING for 
ports 465 and 587; don't set it for port 25.

Or simply don't add opendmarc at all to ports 465 and 587, but opendkim 
needs to be there :)
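
The two Postfix-side options from the reply above, written out as a master.cf fragment. This is an added example, not configuration from the original post or from the OpenDMARC project. The milter socket addresses (127.0.0.1:8891 for opendkim, 127.0.0.1:8893 for opendmarc) and the service names are assumptions; adjust them to the local setup.

```conf
# /etc/postfix/master.cf (fragment, constructed example)
#
# Port 25: inbound MX traffic. Both milters run, opendkim first so that
# opendmarc sees the DKIM result. milter_macro_daemon_name is NOT set here.
smtp        inet  n  -  n  -  -  smtpd
  -o smtpd_milters=inet:127.0.0.1:8891,inet:127.0.0.1:8893

# Option 1: keep both milters on the submission ports, but tag the
# connection as originating so the milters can tell it apart from port 25.
submission  inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=inet:127.0.0.1:8891,inet:127.0.0.1:8893

# Option 2: leave opendmarc off the submission ports entirely.
# opendkim stays so that outgoing mail is still signed.
# (Port 465 is named "submissions" in recent stock master.cf files and
# "smtps" in older ones.)
submissions inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=inet:127.0.0.1:8891
```

With either option, rejecting unauthenticated clients on 465 and 587 matters: if those ports accepted anonymous mail, the DMARC bypass would apply to it as well.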







