On 10/03/2021 19:00, Dan Mahoney (Gushi) wrote:
All,

I'm working with the OpenDMARC folks on doing bug triage, and someone has requested that if a domain's policy says p=quarantine, that it should be "accepted" by postfix, and left for something like SpamAssassin to deal with.  (I don't see any specific handling in spamassassin that treats quarantine differently, but that's beside the point).

Per the RFCs, "quarantine" really means "queue for mail admins to deal with manually".  This is an old concept, going back in sendmail at least a decade, but it's been rarely used to this point.  OpenDMARC makes this relatively common, and will catch mail admins by surprise.

So my question is (I've been reading the postfix milter docs for a half hour), is there any way to say (either globally or per-milter), "if the milter says hold, just deliver as normal?"

This is a thing that can be fixed in the milter, or fixed in postfix, but in an ideal world, both would exist.

(I mean, short of an every-minute cron job that just moves the things to the deliver queue).

-Dan

This works for me:

# grep ^RejectFailures /etc/opendmarc.conf # (note: false is the default anyway)
RejectFailures false

# postconf -n milter_header_checks
milter_header_checks = pcre:/etc/postfix/milter_header_checks.pcre

# cat /etc/postfix/milter_header_checks.pcre
# opendmarc is set not to reject failed emails, nor to instruct they
#   be held (RejectFailures false) - but it will still add a header
#   showing dmarc=fail: so here we can redirect them to a local
#   mailbox (because they sometimes prove to be genuine
#   i.e. from sender with misconfigured email server(s))
/^Authentication-Results: my_authserv_id.*dmarc=fail \(p=(reject|quarantine)/ REDIRECT dmarcfail@localhost
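
An added example, not part of the original reply: a small Python check of which Authentication-Results headers the rule above would redirect. The sample headers are constructed, and `my_authserv_id` is the reply's own placeholder for the local authserv-id.

```python
import re

# Pattern copied from the milter_header_checks.pcre file above.
# Postfix pcre tables match case-insensitively and let "." match newline
# by default (pcre_table(5) flags i and s), so the same flags are set here.
RULE = re.compile(
    r"^Authentication-Results: my_authserv_id.*dmarc=fail \(p=(reject|quarantine)",
    re.IGNORECASE | re.DOTALL,
)
ACTION = "REDIRECT dmarcfail@localhost"


def lookup(header):
    """Return the table action for one logical header, or None if no match."""
    return ACTION if RULE.search(header) else None


# Constructed sample headers (not taken from real mail).
SAMPLES = {
    # Failing mail from a domain publishing p=reject: redirected.
    "fail_reject": "Authentication-Results: my_authserv_id; dmarc=fail "
                   "(p=reject dis=none) header.from=example.com",
    # Same for p=quarantine, with the header folded over two lines.
    "fail_quarantine_folded": "Authentication-Results: my_authserv_id;\n"
                   "\tdmarc=fail (p=quarantine dis=none) header.from=example.com",
    # p=none is not in the alternation, so delivery is unchanged.
    "fail_none": "Authentication-Results: my_authserv_id; dmarc=fail "
                 "(p=none dis=none) header.from=example.com",
    # Passing mail is never redirected.
    "pass": "Authentication-Results: my_authserv_id; dmarc=pass "
            "(p=reject dis=none) header.from=example.com",
    # A result stamped with a different authserv-id does not trigger the
    # rule, because the pattern is pinned to the local identifier.
    "other_authserv_id": "Authentication-Results: mx.other.example; dmarc=fail "
                         "(p=reject dis=none) header.from=example.com",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:24} -> {lookup(header)}")
```

On the mail server itself, `postmap -q "<header text>" pcre:/etc/postfix/milter_header_checks.pcre` runs the same lookup against the real table.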

