Just an FYI re: an alternative:
https://github.com/fastmail/authentication_milter
It's freely available AND used in commercial production by the Fastmail crew.
I switched to it a while ago, from a similar setup.
I use it in its smtpd mode -- and does a good/reliable job of providing an
integrated, well-behave header.
Very configurable, and the devs are very helpful/responsive.
On 3/18/22 8:46 AM, Jesper Dybdal wrote:
On 2022-03-18 13:07, Matus UHLAR - fantomas wrote:
On 18.03.22 12:35, Jesper Dybdal wrote:
I run postfix 3.4.14 (Debian Buster) with Amavisd-new as a pre-queue filter.
I would now like to add DMARC validation, done by the opendmarc milter in the
after-Amavis smtpd instance.
This basically works: opendmarc inserts an "Authentication-Results" header.
I would now like to do something (e.g., reject) depending on that header.
opendmarc can reject itself, if you configure it to.
Thanks for your response.
If the version of opendmarc that is included in Debian Buster is configured to reject,
then it also puts "quarantine" mails in postfix' hold queue, which is not
practical. So I would prefer to just get the header, and then control what happens after
that with postfix header checks.
However, opendmarc milter requires those Authentication-Results headers for SPF
and DKIM to be already present. so you need spf/dkim milter(s) before
opendmarc.
I use Amavis to generate and verify DKIM signatures, and policyd-spf-python to
perform SPF checks. That works, but means that the opendmarc milter must be
run by the after-Amavis smtpd.
