On Tue, 30 Jan 2018 10:50:18 +0000
Dominic Raferd <domi...@timedicer.co.uk> wrote:

> On 30 January 2018 at 10:11, li...@lazygranch.com
> <li...@lazygranch.com> wrote:
> > I've installed the opendmarc milter. I'm not rejecting mail from it
> > at the moment. I've noticed that if I send myself a message, the
> > policyd-spf milter isn't run. That in turn causes mail I send
> > myself to fail in opendmarc. Any ideas?
> >
> > The various email verifiers do show that my email passes spf.
> >
> > It is easy enough just to whitelist your own domains from opendmarc,
> > but that would allow spoofed email to get through.  
> 
> Which version of opendmarc? (opendmarc -V) If you have 1.3.2+ you can
> use opendmarc's own spf instead (SPFSelfValidate True) - not reliable
> for earlier versions though.
> 
> Anyway, in general:
> 
> /etc/opendmarc.conf:
> ...
> IgnoreAuthenticatedClients true
> IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
> ...
> 
> /etc/opendkim.conf:
> ...
> InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
> ...
> 
> /etc/postfix/opendmarc-ignorehosts.txt
> # emails from localhost are not authenticated but should be signed by
> # opendkim and not tested by opendmarc
> 127.0.0.1
> # similarly any ips from which we accept unauthenticated originating
> # emails (e.g. lan, or none)


opendmarc: OpenDMARC Filter v1.3.2
        SMFI_VERSION 0x1000001
        libmilter version 1.0.1
        Active code options:
                WITH_SPF
                WITH_SPF2

I suppose it is dumb to check spf if authenticated, but then again dkim
is checked. 

I will work on the bypasses as suggested. I kind of like the
python-policyd-spf since...well...it is working. (Something that works
is something I don't like to change.)

Still I wonder what part of the email food chain determines that spf
wasn't needed. I commented out the local reference in
python-policyd-spf, but that didn't change anything.

Lots of spam gets marked as fail in opendmarc. I can't wait to start
"trusting" it. 
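
To see which delivered messages got a DMARC verdict with no SPF result recorded (the self-sent case described in this thread), the trace headers can be checked directly. This is an added example, not code from the thread or from opendmarc; the sample headers, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed headers (example.org / example.net are placeholders).
SELF_SENT = """\
Authentication-Results: mail.example.org; dmarc=fail (p=none dis=none) header.from=example.org
Authentication-Results: mail.example.org; dkim=pass header.d=example.org
From: me@example.org
To: me@example.org
Subject: test to self

body
"""
REMOTE = """\
Authentication-Results: mail.example.org; dmarc=pass (p=none dis=none) header.from=example.net
Authentication-Results: mail.example.org; dkim=pass header.d=example.net
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=192.0.2.10; envelope-from=a@example.net
From: a@example.net
To: me@example.org
Subject: hello

body
"""

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def auth_results(raw):
    """Return {method: result} gathered from the trace headers of one message."""
    msg = message_from_string(raw)
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)  # drop comments such as (p=none dis=none)
        for method, result in METHOD_RE.findall(value):
            found.setdefault(method.lower(), result.lower())
    # An SPF policy daemon may record its verdict in Received-SPF instead.
    for value in msg.get_all("Received-SPF", []):
        parts = value.split()
        if parts:
            found.setdefault("spf", parts[0].lower())
    return found

def dmarc_without_spf(raw):
    """True when a DMARC verdict exists but no SPF result was recorded."""
    results = auth_results(raw)
    return "dmarc" in results and "spf" not in results

if __name__ == "__main__":
    for name, raw in (("self-sent", SELF_SENT), ("remote", REMOTE)):
        print(name, auth_results(raw), "missing SPF:", dmarc_without_spf(raw))
```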
