Re: filter-dnsbl: feature request and bug report
On Sat, 01 Jun 2024 17:50:53 +0100, Kirill A. Korinsky wrote:
>
> Here is the quote from the updated man page which summarizes the changes:
>

And the quoted text was missing one feature. This filter supports a -e argument for each list to specify the expected IP which means a match. That allows, for example, using hostkarma.junkemailfilter.com like this:

    -e 127.0.0.2 hostkarma.junkemailfilter.com \
    -w -e 127.0.0.1 hostkarma.junkemailfilter.com \

So, here response 127.0.0.2 means bad, and 127.0.0.1 good.

--
wbr, Kirill
Re: filter-dnsbl: feature request and bug report
Greetings,

It has been a while in this thread, but I haven't forgotten. I put all my ideas for filter-dnsbl into a fork which is available on GitHub: https://github.com/catap/opensmtpd-filter-dnsbl

Here is the quote from the updated man page which summarizes the changes:

    filter-dnsbl looks up the IP address of the sender in the blacklist (a domain name) and, by default, drops the connection if it is found.

    If the -m flag is specified, it will allow the message to continue, but such a message will be marked with an X-Spam header with value Yes, and an X-Spam-DNSBL header containing the list, and any existing headers starting with X-Spam will be stripped.

    If the -w flag is specified before a blacklist, this list is treated as a white list and the X-Spam header isn't added, but an X-Spam-DNSWL header is added instead of X-Spam-DNSBL.

    Additionally, if the -d flag is specified before a blacklist, it will use the reverse DNS hostname instead of the IP address for the lookup.

    For more verbose logging, the -v flag can be used.

    When a DNS error happens it drops the connection, or, if the -m flag is specified, adds an X-Spam header with value Unknown and an X-Spam-DNS header with the list which caused the error.

I've attached to this email a port file for OpenBSD to use it. Additionally, you may grab a build version for 7.5 from https://mx0.catap.net/pub/ where I also keep filter-sign and filter-auth.

Any feedback and testing welcome.

Martijn, do you think these changes can be backported?

--
wbr, Kirill
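To make the behaviour described in the man page quote above and in the -e follow-up concrete, here is an added illustration (not the fork's own code) of the decision logic: reversed-octet lookup, -e expected-answer matching, -w whitelisting, and the -m header marking on listing or DNS error. It assumes lists are checked in the order given with the first match deciding, uses a constructed in-memory resolver instead of real DNS, and does not model -d.

```python
import ipaddress

# Constructed stand-in for DNS answers; names ending in "broken.example" raise.
FAKE_DNS = {
    "4.3.2.1.hostkarma.junkemailfilter.com": ["127.0.0.2"],  # listed as "bad"
    "8.7.6.5.hostkarma.junkemailfilter.com": ["127.0.0.1"],  # listed as "good"
}

def dnsbl_query_name(addr, zone):
    """Build the DNSBL query name: reversed octets (or reversed nibbles) under zone."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        rev = ".".join(reversed(addr.split(".")))
    else:
        rev = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{rev}.{zone}"

def resolve(name):
    """Hypothetical resolver hook: returns A records or raises on DNS error."""
    if name.endswith("broken.example"):
        raise OSError("SERVFAIL")
    return FAKE_DNS.get(name, [])

def check(addr, lists, mark=False, headers=None):
    """lists: [(zone, {"white": bool, "expect": str|None})], in command-line order.
    Returns (action, headers) where action is "accept" or "disconnect"."""
    headers = list(headers or [])
    if mark:  # -m strips any existing X-Spam* headers before adding its own
        headers = [h for h in headers if not h[0].lower().startswith("x-spam")]
    for zone, opts in lists:
        try:
            answers = resolve(dnsbl_query_name(addr, zone))
        except OSError:
            if not mark:
                return "disconnect", headers
            return "accept", headers + [("X-Spam", "Unknown"), ("X-Spam-DNS", zone)]
        if not answers:
            continue
        # -e: only a specific answer counts as a match for this list
        if opts.get("expect") and opts["expect"] not in answers:
            continue
        if opts.get("white"):  # -w: matched whitelist, no X-Spam header
            return "accept", headers + ([("X-Spam-DNSWL", zone)] if mark else [])
        if not mark:
            return "disconnect", headers
        return "accept", headers + [("X-Spam", "Yes"), ("X-Spam-DNSBL", zone)]
    return "accept", headers
```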
Re: New filters auth and sign
On Sat, 01 Jun 2024 08:45:00 +0100, "Corey Hickman" wrote:
>
> does it have policy server included? for instance, when DKIM fails, the
> policy can be set up to deny the message.
>

Right now it ignores DMARC as if it doesn't exist. Doing a DMARC lookup for the domain and inserting its results into the header is possible and not a big deal, but it has some issues.

The first is parsing the From header. It is durable, but different MUAs may follow different logic, and the parser for this can be quite complicated. And complicated means bugs.

The second is more ideological. DMARC needs something that aggregates the results and sends out reports. It shouldn't be a filter for smtpd. But a filter can write its decision to the log, and something should harvest it to process and create reports that need to be sent. Anyway, forensic reports, which should be close to real-time and include a lot of things from the original email, are a much more complicated story.

All this brings up the question of personal data / GDPR and DMARC. I know of a very good analysis of DMARC and GDPR in the case of German law [1], which can be summarized as a quote: The reports are fundamentally permitted and justified under data protection law. However, the principle of proportionality is to be complied with at all times.

Based on this analysis, I assume that only aggregated reports can be used without legal headaches in the EU. But implementing only a part of DMARC seems much worse than not implementing it at all, and implementing it in its entirety requires a lot of pieces in place, much more than just a filter.

Thus, DMARC was discussed on the OpenBSD mailing lists a few months ago [2]. As a conclusion, I personally use the p=none policy, because I assume that my mail should be delivered, and To is not the final destination, it's a kind of starting direction of the mail's way to the recipient.
Footnotes:
[1] https://certified-senders.org/wp-content/uploads/2018/08/Report_DMARC_and_GDPR.pdf
[2] https://marc.info/?l=openbsd-misc&m=171015367409290&w=2

--
wbr, Kirill