[opendmarc-users] avoid dmarc checks for authenticated connections
Benny Pedersen
me at junc.eu
Wed Oct 16 18:54:36 PDT 2024
Marco Moock wrote on 2024-10-16 19:35:
> On 16.10.2024 at 18:56:29 Benny Pedersen wrote:
>> To be fair, why is SPF failing when you mail to blackops?
> I dunno, other servers give spf=pass, so I assume a problem at
> blackops.
Good then, I just hope blackops reads this mailing list as well as their
users do.
>> Why is blackops missing SPF HELO pass? :)
> medusa.blackops.org doesn't have a TXT record.
I see many mailing lists that forget to make it perfect.
>> Or is this really blackops failing miserably?
>> https://mailing.postfix.users.narkive.com/1jti9G9Y/permit-sasl-authenticated-users-to-bypass-dmarc
>> In opendmarc.conf set MTA=ORIGINATING
> What does this exactly do?
It signals to milters that this is an originating email, not an incoming
one; OpenDKIM can then use this info to decide whether we are allowed to
DKIM sign or not. And for OpenDMARC it should only do things on port 25,
MTA=INCOMMING :)
>> In postfix master.cf set -o milter_macro_daemon_name=ORIGINATING for
>> ports 465 and 587, don't set it for port 25.
For completeness one could add -o milter_macro_daemon_name=INCOMMING on
port 25 in master.cf, so milters can see if it's incoming or outgoing.
IPs should still be known to all milters, which IPs are local and which
are not; basically harden it all so it is not possible to allow DKIM
signing on port 25 incoming when MAIL FROM is your own domain, forged.
There was a time when envelope sender and envelope recipient were equal;
this rarely happens anymore, since if the envelope sender is a local
domain it's safe to reject it, it's forged, so local domains must always
be SASL auth senders, no exceptions, not even for loopback interfaces :)
> This would need me to run multiple sendmail daemons, which I would like
> to avoid due to simplicity.
No, just one single OpenDKIM, one single OpenDMARC, one single openspf if
one likes to make a C library so all exists as C code; yes, I know there
is Perl as well as Python code for SPF.
One last thing: MTA=something should not be known at all to outside
spammers; it should not be disclosed, since it only needs to be known on
your own MTA setups, not on external MTAs.
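The master.cf split discussed in this thread (ORIGINATING on the submission listeners, never on the port-25 listener) is easy to get wrong when entries are edited by hand, so here is an added example of a small audit script. It is not code from the original post, from Postfix, or from the OpenDMARC/OpenDKIM projects. It parses master.cf syntax (service line plus whitespace-indented `-o name=value` continuation lines), keys entries by (name, type) so the `smtp inet` listener is not confused with the `smtp unix` delivery client, and flags listeners whose `milter_macro_daemon_name` contradicts the split. The two master.cf texts are constructed for illustration, and the service-name-to-port table is an assumption matching the usual /etc/services names.

```python
"""Audit a Postfix master.cf for the milter_macro_daemon_name split:
submission listeners (465/587, or anything with SASL enabled) should tag
mail ORIGINATING; the port-25 listener must not.

Added example, not code from the original post or from Postfix/OpenDMARC.
The master.cf texts below are constructed for illustration."""

# Assumption: the conventional /etc/services names for the listeners.
# Numeric names and host:port forms are resolved by listener_port().
WELL_KNOWN_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}

# Constructed sample following the post's recommendation.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
smtp      unix  -       -       y       -       -       smtp
cleanup   unix  n       -       y       -       0       cleanup
"""

# Constructed counter-example with both mistakes the post warns against:
# port 25 tagged ORIGINATING, submission not tagged at all.
BROKEN_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
  -o milter_macro_daemon_name=ORIGINATING
submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""


def _collect_overrides(tokens, into):
    """Pull `-o name=value` (or `-oname=value`) pairs from a token list."""
    it = iter(tokens)
    for tok in it:
        if tok == "-o":
            tok = next(it, "")
        elif tok.startswith("-o"):
            tok = tok[2:]
        else:
            continue
        name, sep, value = tok.partition("=")
        if sep:
            into[name] = value


def parse_master_cf(text):
    """Return {(service, type): {"command": str, "overrides": {...}}}.

    Keyed by (name, type) because master.cf legitimately contains both
    `smtp inet` (the port-25 listener) and `smtp unix` (the SMTP client).
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation line: more options for `current`
            if current is None:
                raise ValueError("continuation line before any service entry")
            _collect_overrides(raw.split(), current["overrides"])
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf entry: {raw!r}")
        current = {"command": fields[7], "overrides": {}}
        _collect_overrides(fields[8:], current["overrides"])
        services[(fields[0], fields[1])] = current
    return services


def listener_port(name):
    """Map an inet service name ('smtp', '587', '[::1]:10025') to a port."""
    _, _, tail = name.rpartition(":")
    tail = tail or name
    return int(tail) if tail.isdigit() else WELL_KNOWN_PORTS.get(tail)


def audit_daemon_name(services):
    """Return [(service, problem)] for smtpd listeners that break the split."""
    findings = []
    for (name, stype), svc in sorted(services.items()):
        if stype != "inet" or svc["command"] != "smtpd":
            continue
        port = listener_port(name)
        macro = svc["overrides"].get("milter_macro_daemon_name")
        sasl = svc["overrides"].get("smtpd_sasl_auth_enable") == "yes"
        if port == 25 and macro == "ORIGINATING":
            findings.append((name, "port 25 listener tags inbound mail ORIGINATING"))
        if (port in (465, 587) or sasl) and macro != "ORIGINATING":
            findings.append((name, "submission listener lacks milter_macro_daemon_name=ORIGINATING"))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MASTER_CF), ("broken", BROKEN_MASTER_CF)):
        print(label, audit_daemon_name(parse_master_cf(text)) or "ok")
```

Caveat: the script only sees master.cf overrides. A `milter_macro_daemon_name` or `smtpd_sasl_auth_enable` set globally in main.cf is inherited by every smtpd instance, including port 25, and is invisible here, so check main.cf as well before trusting a clean result.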