On 23-09-2024 00:11, Gerald Galster via Postfix-users wrote:
I'm sorry that I may have been a bit unclear of my issue.
I'm not confused about receiving the report, but the content of it.
And what to change in my config so that I do not see fail records regarding
mail coming from my own server.
I think I have got what I need from Wietse and are testing now.
In case it doesn't work as intended consider this:
>From the aggregate report:
<envelope_from><></envelope_from>
< and > are a way of encoding (XML)
- < / less than / <
- > / greater than / >
In other words this evaluates to "<>", the null sender.
For DMARC to succeed either DKIM verification or SPF
check must pass.
The aggregate report tells you SPF failed. As the
envelope sender is the null sender there is no domain
that could be checked. In this case the HELO name will
be used as a fallback but as I wrote in my previous
email there is no SPF information for mail.jungersen.dk:
$ host -t txt mail.jungersen.dk
mail.jungersen.dk has no TXT record
Seehttps://datatracker.ietf.org/doc/html/rfc7208#section-10.1.2
After Wietse's mail, I changed myorigin to jungersen.dk
Will that give me a HELO as jungersen.dk or is that still mail.jungersen.dk?
And if the answer here is jungersen.dk, will this break spf compliance(?)
DKIM verification also failed because the email might
have been unsigned. As Wietse mentioned you could set
internal_mail_filter_classes = bounce
to sign messages generated by postfix with the sender
mailer-dae...@mail.jungersen.dk.
This might work well with signing only (opendkim, ...),
but you are using rspamd which is an antispam solution.
Bounce messages often contain snippets of the emails
received and therefore might contain spam fragments that
rspamd recognizes. It will be a matter of time before it
learns and blocks your own and external bounce messages.
Not wanted ;-)
While there may certainly be ways around that problem
you should not carelessly ignore the advice given in
postconf (5):
internal_mail_filter_classes (default: empty)
...
NOTE: It's generally not safe to enable content
inspection of Postfix-generated email messages.
The user is warned.
Hmmm....
I will change it back then, thank you for pointing this out.
And if I'm not mistaken it's not clear this is about
bounces / MAILER-DAEMON messages. Other tools like
vacation or out-of-office responders do use the null
sender. These are not generated by postfix itself
and changing internal_mail_filter_classes would not
be necessary.
Summarized: you might reconsider just publishing a
SPF record for mail.jungersen.dk to pass DMARC checks.
Depending on you answer above regarding HELO I might consider this....
THX Danjel
Best regards,
Gerald
_______________________________________________
Postfix-users mailing list --postfix-users@postfix.org
To unsubscribe send an email topostfix-users-le...@postfix.org
--
Med venlig hilsen
Danjel Jungersen
Jungersen Grafisk ApS
www.jungersen.dk <https://www.jungersen.dk>
Holsbjergvej 39
2620 Albertslund
Tel: 43 64 10 00
Mobil: 20 42 20 11
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
