[opendmarc-users] avoid dmarc checks for authenticated connections

Benny Pedersen me at junc.eu
Wed Oct 16 18:54:36 PDT 2024


Marco Moock wrote on 2024-10-16 19:35:
> On 16.10.2024 at 18:56:29 Benny Pedersen wrote:
>> To be fair, why is SPF failing when you mail to blackops?
> I dunno, other servers give spf=pass, so I assume a problem at 
> blackops.

Good then, I just hope blackops reads this mailing list as well as their 
users do

>> Why is blackops missing SPF HELO pass? :)
> medusa.blackops.org doesn't have a TXT record.

I see many mailing lists that forget to make it perfect

>> Or is this really blackops failing miserably?
>> https://mailing.postfix.users.narkive.com/1jti9G9Y/permit-sasl-authenticated-users-to-bypass-dmarc
>> In opendmarc.conf set MTA=ORIGINATING
> What does this exactly do?

It signals to milters that this is an originating email, not an incoming 
one; opendkim can then use this info to decide whether we are allowed to 
DKIM sign or not. And opendmarc should only do things on port 25 with 
MTA=INCOMMING :)

>> In postfix master.cf set -o milter_macro_daemon_name=ORIGINATING for
>> port 465 and 587, don't set it for port 25

For completeness one could add -o milter_macro_daemon_name=INCOMMING on 
port 25 in master.cf

so milters can see if it's incoming or outgoing

IPs should still be known to all milters, i.e. which IPs are local and 
which are not; basically harden it all so it is not possible to allow DKIM 
signing on port 25 incoming when the mail from is your own domain, forged

There was a time when envelope sender and envelope recipient were equal; 
this really rarely happens anymore, since if the envelope sender is a local 
domain it's safe to reject it, it's forged, so local domains must always 
be SASL-authenticated senders, no exceptions, not even for loopback interfaces :)

> This would need me to run multiple sendmail daemons, which I would like
> to avoid due to simplicity.

No, just one single opendkim, one single opendmarc, one single openspf if 
one likes to make a C library so all exists as C code; yes, I know there 
is Perl as well as Python code for SPF

One last thing: MTA=something should not be known at all to outside 
spammers, it should not be disclosed since it only needs to be known on 
your own MTA setups, not external MTAs
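An added example (not from this thread, and not OpenDMARC's or Postfix's own code): a small check that a master.cf actually carries the split described above, ORIGINATING announced on the submission/smtps listeners and never on the port-25 smtpd. The sample master.cf is constructed, and the service names it looks for are assumptions.

```python
"""Verify the milter_macro_daemon_name split in a Postfix master.cf:
submission/smtps must announce ORIGINATING to milters, the port-25
smtpd must not.  Added example; the master.cf below is constructed."""
import re

# Constructed sample: smtps is deliberately missing the override.
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
  -o milter_macro_daemon_name=INCOMMING
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
pickup     unix  n       -       n       60      1       pickup
"""

def parse_master_cf(text):
    """Return {service: {option: value}}.  A service line starts in
    column 0; indented '-o key=value' lines override that service."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+(\w+)=(\S+)", raw)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2)
        else:
            current = raw.split()[0]
            services[current] = {}
    return services

def check_daemon_name_split(text, submission=("submission", "smtps"),
                            inbound=("smtp",)):
    """Return a list of problems; an empty list means the split is in place.
    Service names are assumptions (submission=587, smtps=465, smtp=25)."""
    svc, problems = parse_master_cf(text), []
    for name in submission:
        val = svc.get(name, {}).get("milter_macro_daemon_name")
        if val != "ORIGINATING":
            problems.append(f"{name}: expected milter_macro_daemon_name="
                            f"ORIGINATING, got {val}")
    for name in inbound:
        val = svc.get(name, {}).get("milter_macro_daemon_name")
        if val == "ORIGINATING":
            problems.append(f"{name}: port-25 listener must not announce ORIGINATING")
    return problems

if __name__ == "__main__":
    for problem in check_daemon_name_split(SAMPLE_MASTER_CF):
        print(problem)
```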
