On 25 Feb 2019, at 19:55, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> 
> On Mon, Feb 25, 2019 at 07:43:49PM +0100, Patrick Proniewski wrote:
> 
>> Then, I'm currently trying another approach. In my current setup, I've an
>> amavisd sandwich: outer-smtp->amavisd->inner-smtp. I can't put opendmarc
>> or any milter on the outer-smtp, so I've put opendmarc on the inner-smtp.
>> It's working OK so far, but I'll need extensive testing to check all
>> possible cases. Only downside: I can't reject mails on dmarc failure, but
>> I should be able to quarantine/tag those messages later on the road.
>> 
>> Any thoughts about that?
> 
> You're free to reject message content after "." on the south side
> of a pre-queue proxy filter.  You can use milters to do that if you
> like.  What you can't do is reject individual recipients.

Thanks for the precision.


> Keep in mind that if the proxy filter makes any changes to the
> message (modifies the content rather than rejects it), that may
> invalidate the DKIM signature, and you could end up with DMARC
> false-positives.  So make sure to understand what changes you've
> configured in amavis.  Avoid subject tags, ...  You can probably
> inject most "X-" headers without invalidating DKIM signatures.


I totally overlooked that… I'm occasionally tagging the subject with
"***SPAM***", and it'll of course ruin the DKIM signature. BUT. I'm verifying
the DKIM signature inside amavisd, before any modification, and opendmarc is
set up to trust headers set by the previous filter on the same host. I should be
fine, but I'll need proper testing.
Thanks for the heads-up on that matter.

patrick
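
An added example, not part of the original messages: a Python sketch of the header selection and relaxed canonicalization from RFC 6376, showing why a subject tag changes the signed header data while a prepended X- header does not, unless the signer listed that header name in h=. The sample message, the h= lists and all function names are constructed for illustration; a real DKIM hash also covers the DKIM-Signature field itself and the body hash, which are left out here.

```python
import hashlib
import re

def relaxed(name, value):
    """Relaxed header canonicalization (RFC 6376, section 3.4.2)."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse whitespace runs
    return f"{name.lower().strip()}:{value}\r\n"

def signed_header_digest(headers, h_tag):
    """Hash the header fields a verifier selects for an h= list.

    headers: (name, value) pairs in message order, top to bottom.
    For each name in h=, the lowest unused instance is taken (RFC 6376,
    section 5.4.2); a name with no instance left contributes nothing.
    """
    remaining = list(headers)
    digest = hashlib.sha256()
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                name, value = remaining.pop(i)
                digest.update(relaxed(name, value).encode())
                break
    return digest.hexdigest()

def breaks_signature(original, modified, h_tag):
    """True if the filter's edit changes the data the signature covers."""
    return signed_header_digest(original, h_tag) != signed_header_digest(modified, h_tag)

def tag_subject(headers, tag="***SPAM*** "):
    """Content filter edit: prefix the Subject value."""
    return [(n, tag + v) if n.lower() == "subject" else (n, v) for n, v in headers]

def add_header(headers, name, value):
    """Content filter edit: prepend a new header field."""
    return [(name, value)] + list(headers)

# Constructed sample message headers and h= lists.
ORIGINAL = [
    ("Received", "from mail.example.org by mx.example.net"),
    ("From", "Alice <alice@example.org>"),
    ("To", "bob@example.net"),
    ("Subject", "Quarterly  report"),
    ("Date", "Mon, 25 Feb 2019 19:43:49 +0100"),
]
H_TAG = "from:to:subject:date"
H_TAG_WITH_X = "from:to:subject:date:x-spam-flag"  # signer also listed an X- name

if __name__ == "__main__":
    print("subject tag:", breaks_signature(ORIGINAL, tag_subject(ORIGINAL), H_TAG))
    flagged = add_header(ORIGINAL, "X-Spam-Flag", "YES")
    print("X- header:", breaks_signature(ORIGINAL, flagged, H_TAG))
    print("X- header, listed in h=:", breaks_signature(ORIGINAL, flagged, H_TAG_WITH_X))
```
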
