On Tue, 30 Jan 2018 10:50:18 +0000 Dominic Raferd <domi...@timedicer.co.uk> wrote:
> On 30 January 2018 at 10:11, li...@lazygranch.com
> <li...@lazygranch.com> wrote:
> > I've installed the opendmarc milter. I'm not rejecting mail from it
> > at the moment. I've noticed that if I send myself a message, the
> > policyd-spf milter isn't run. That in turn causes mail I send
> > myself to fail in opendmarc. Any ideas?
> >
> > The various email verifiers do show that my email passes spf.
> >
> > It is easy enough just to whitelist your own domains from opendmarc,
> > but that would allow spoofed email to get through.
>
> Which version of opendmarc? (opendmarc -V) If you have 1.3.2+ you can
> use opendmarc's own spf instead (SPFSelfValidate True) - not reliable
> for earlier versions though.
>
> Anyway, in general:
>
> /etc/opendmarc.conf:
> ...
> IgnoreAuthenticatedClients true
> IgnoreHosts /etc/postfix/opendmarc-ignorehosts.txt
> ...
>
> /etc/opendkim.conf:
> ...
> InternalHosts /etc/postfix/opendmarc-ignorehosts.txt
> ...
>
> /etc/postfix/opendmarc-ignorehosts.txt
> # emails from localhost are not authenticated but should be signed by
> # opendkim and not tested by opendmarc
> 127.0.0.1
> # similarly any ips from which we accept unauthenticated originating
> # emails (e.g. lan, or none)

opendmarc: OpenDMARC Filter v1.3.2
        SMFI_VERSION 0x1000001
        libmilter version 1.0.1
        Active code options:
                WITH_SPF
                WITH_SPF2

I suppose it is dumb to check spf if authenticated, but then again dkim
is checked.

I will work on the bypasses as suggested. I kind of like the
python-policyd-spf since...well...it is working. (Something that works
is something I don't like to change.)

Still I wonder what part of the email food chain determines that spf
wasn't needed. I commented out the local reference in
python-policyd-spf, but that didn't change anything.

Lots of spam gets marked as fail in opendmarc. I can't wait to start
"trusting" it.
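
An added example, not part of the original thread: since every entry in the ignore-hosts file shared by IgnoreHosts and InternalHosts bypasses the DMARC check, the sketch below audits such a file for entries wider than loopback or a narrow LAN range. The function name, the sample entries and the /16 threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the layout of /etc/postfix/opendmarc-ignorehosts.txt
SAMPLE = """\
# emails from localhost are signed by opendkim and not tested by opendmarc
127.0.0.1
192.168.1.0/24
10.0.0.0/8
203.0.113.25
mail.example.org
"""

# Ranges treated as "LAN" here: RFC 1918 plus IPv6 unique local addresses
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def audit_ignorehosts(text, min_v4_prefix=16):
    """Return (entry, verdict) for every non-comment line of the file."""
    findings = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an IP or CIDR: a hostname, whose trust follows DNS
            findings.append((entry, "review: hostname entry"))
            continue
        in_lan = any(r.version == net.version and net.subnet_of(r)
                     for r in LAN_RANGES)
        if net.is_loopback:
            verdict = "ok: loopback"
        elif not in_lan:
            verdict = "risk: outside loopback/LAN, mail from here skips DMARC"
        elif net.version == 4 and net.prefixlen < min_v4_prefix:
            verdict = "risk: LAN range broader than /%d" % min_v4_prefix
        else:
            verdict = "ok: LAN range"
        findings.append((entry, verdict))
    return findings

if __name__ == "__main__":
    for entry, verdict in audit_ignorehosts(SAMPLE):
        print("%-18s %s" % (entry, verdict))
```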