Re: DKIM Score
On 2016-08-16 13:57, RW wrote: On Tue, 16 Aug 2016 08:18:55 + Chris Lee wrote: Hi Merijn, Still digest your solution, look like it rather complex to me. Besides, it is possible to just whitelist or blacklist some email address for DKIM checking? You could do it like this: whitelist_from_dkim *@example.com *@example.net blacklist_from *@example.com *@example.net The two rules score -100 and 100 respectively, so they cancel out if dkim passes. fail perldoc Mail::SpamAssassin::Plugin::DKIM whitlist_from_dkim must be on seperate line pr domain thanks to ATPS dkim signing :(
Re: DKIM Score
Am 16.08.2016 um 22:04 schrieb Benny Pedersen: On 2016-08-16 21:52, li...@rhsoft.net wrote: Am 16.08.2016 um 21:31 schrieb Benny Pedersen: On 2016-08-16 13:57, RW wrote: whitelist_from_dkim *@example.com *@example.net should be sepearted line why? read perldoc read spamassassin docs WHITELIST AND BLACKLIST OPTIONS Whitelist and blacklist addresses are now file-glob-style patterns, so fri...@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, * and ? are allowed, but all other metacharacters are not. Regular expressions are not used for security reasons. Multiple addresses per line, separated by spaces, is OK. Multiple whitelist_from lines is also OK. blacklist_from *@example.com *@example.net cant remember if that can be one line as all whitelist_ and blacklist_ *it can* so what is your point? read perldoc read spamassassin docs unwhitelist_from_rcvd a...@ress.com Used to override a default whitelist_from_rcvd entry, so for example a distribution whitelist_from_rcvd can be overridden in a local.cf file, or an individual user can override a whitelist_from_rcvd entry in their own user_prefs file. The specified email address has to match exactly the address previously used in a whitelist_from_rcvd line. e.g. unwhitelist_from_rcvd j...@example.com f...@example.com unwhitelist_from_rcvd *@axkit.org
Re: DKIM Score
On 2016-08-16 21:52, li...@rhsoft.net wrote: Am 16.08.2016 um 21:31 schrieb Benny Pedersen: On 2016-08-16 13:57, RW wrote: whitelist_from_dkim *@example.com *@example.net should be sepearted line why? read perldoc blacklist_from *@example.com *@example.net cant remember if that can be one line as all whitelist_ and blacklist_ *it can* so what is your point? read perldoc
Re: DKIM Score
Am 16.08.2016 um 21:31 schrieb Benny Pedersen: On 2016-08-16 13:57, RW wrote: whitelist_from_dkim *@example.com *@example.net should be sepearted line why? blacklist_from *@example.com *@example.net cant remember if that can be one line as all whitelist_ and blacklist_ *it can* so what is your point?
Re: DKIM Score
On 2016-08-16 13:57, RW wrote: whitelist_from_dkim *@example.com *@example.net should be sepearted line, the above checks when From: header is diffrent then -d tag in dkim blacklist_from *@example.com *@example.net cant remember if that can be one line The two rules score -100 and 100 respectively, so they cancel out if dkim passes. yeps
Re: DKIM Score
On Tue, 16 Aug 2016 08:18:55 + Chris Lee wrote: Still digest your solution, look like it rather complex to me. Besides, it is possible to just whitelist or blacklist some email address for DKIM checking? On 16.08.16 12:57, RW wrote: You could do it like this: whitelist_from_dkim *@example.com *@example.net blacklist_from *@example.com *@example.net The two rules score -100 and 100 respectively, so they cancel out if dkim passes. this is not what the OP wanted. The OP wanted to exempt some users from DKIM checks, which is not configurable in SA (and a bad idea generally) the OP's request can only be fullfilled by special rules, since it involves breaking whole reason why DKIM exists. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. - Holmes, what kind of school did you study to be a detective? - Elementary, Watson. -- Daffy Duck & Porky Pig
Re: DKIM Score
On Tue, 16 Aug 2016 08:18:55 + Chris Lee wrote: > Hi Merijn, > > Still digest your solution, look like it rather complex to me. > > Besides, it is possible to just whitelist or blacklist some email > address for DKIM checking? You could do it like this: whitelist_from_dkim *@example.com *@example.net blacklist_from *@example.com *@example.net The two rules score -100 and 100 respectively, so they cancel out if dkim passes.
Re: DKIM Score
On Tue, 16 Aug 2016 10:00:12 +0200 Merijn van den Kroonenberg wrote: > Alternatively you could also set up a dns based list of sender > domains. In fact I have been wondering if someone is maintaining a > list like that. Because I guess a lot of people must be doing similar > things on their own. Eg. we require dkim of spf to be present for > some local bank domains. Especially banks and the like have already a > policy, often specified on their site, for which of their domains > require dkim or spf. > > Would there be a point in a central, maybe self maintained dns based > domain list where organisations can register domains as 'requiring' > dkim/spf? Sort of an explicit opt-in for organisations who really know > they have everything correctly set-up. That's what DMARC is for.
Re: DKIM Score
On 16.08.16 08:47, Chris Lee wrote: Suppose there is a user someb...@example.com is on vacation and using 3rd party SMTP server (w/o DKIM) for sending email. I want temporary whitelist it to bypass DKIM checking. For blacklist, suppose I only want 1 VIP user (v...@example.org ) require DKIM checking instead of whole domain. the whole point of DKIM is to prevent users from using foreign SMTP servers since those can't vefiry the sender. If the domain DKIM settings require mail to contain DKIM, you are in fact defeating the whole meaning of it. However, you can whitelist the sender by using whitelist_from_rcvd the "blacklist" you want is just what DKIM is for, there's no need to implement it specifically. -Original Message- From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] Sent: Tuesday, August 16, 2016 4:27 PM To: users@spamassassin.apache.org Subject: Re: DKIM Score On 16.08.16 08:18, Chris Lee wrote: Besides, it is possible to just whitelist or blacklist some email address for DKIM checking? do you mean to exempt a domain from DKIM checking? I don't see the point still... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I don't have lysdexia. The Dog wouldn't allow that. This message and its attachment (if any) are strictly confidential and sent to the designated recipient(s) only. If you are not the intended recipient, please notify the sender by e-mail and delete this message and its attachment (if any) from your computer system immediately . Century City International Holdings Limited, Paliburg Holdings Limited, Regal Hotels International Holdings Limited, its respective related subsidiaries, associated companies and affiliates do not guarantee this message and its attachment (if any) are free of computer virus and would not accept any liability whatsoever arising from Internet transmission. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. One OS to rule them all, One OS to find them, One OS to bring them all and into darkness bind them
Re: DKIM Score
Am 16.08.2016 um 10:47 schrieb Chris Lee: Suppose there is a user someb...@example.com is on vacation and using 3rd party SMTP server (w/o DKIM) for sending email. I want temporary whitelist it to bypass DKIM checking. he MUST NOT do that and so there is no justification handle whatever random server different because it sends technical forged mail of a foreign domain - i would say BLACKLIST that server because he allows a random and foreign envelope-sender would be the way to go instead whitelist it
RE: DKIM Score
Hi Matus, Suppose there is a user someb...@example.com is on vacation and using 3rd party SMTP server (w/o DKIM) for sending email. I want temporary whitelist it to bypass DKIM checking. For blacklist, suppose I only want 1 VIP user (v...@example.org ) require DKIM checking instead of whole domain. Regards, Lee -Original Message- From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] Sent: Tuesday, August 16, 2016 4:27 PM To: users@spamassassin.apache.org Subject: Re: DKIM Score On 16.08.16 08:18, Chris Lee wrote: >Besides, it is possible to just whitelist or blacklist some email address for >DKIM checking? do you mean to exempt a domain from DKIM checking? I don't see the point still... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I don't have lysdexia. The Dog wouldn't allow that. This message and its attachment (if any) are strictly confidential and sent to the designated recipient(s) only. If you are not the intended recipient, please notify the sender by e-mail and delete this message and its attachment (if any) from your computer system immediately . Century City International Holdings Limited, Paliburg Holdings Limited, Regal Hotels International Holdings Limited, its respective related subsidiaries, associated companies and affiliates do not guarantee this message and its attachment (if any) are free of computer virus and would not accept any liability whatsoever arising from Internet transmission.
Re: DKIM Score
Am 16.08.2016 um 10:30 schrieb Kevin Golding: Probably even more of a performance nightmare, but possibly easier to maintain could be something like: header __FROM_EXAMPLECOM From:addr =~ /\@(example\.com)$/i header __FROM_EXAMPLEORG From:addr =~ /\@( example\.org)$/i header __FROM_EXAMPLENL From:addr =~ /\@( example\.nl)$/i meta __DKIM_REQUIRED ( __FROM_EXAMPLECOM || __FROM_EXAMPLEORG || __FROM_EXAMPLENL ) horrible to maintain - normally you generate that with a script and so you can in php (as example) simply implode('|', $list) to fill the regex (make sure anything is proper escaped before) /\@(example\.com|example.org|example.net)$/i
Re: DKIM Score
On Tue, 16 Aug 2016 09:00:12 +0100, Merijn van den Kroonenberg wrote: Besides, can I change the lines as following? header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i header __DKIM_REQUIRED From:addr =~ /\@( example\.nl)$/i . . As I have lots of domain to handle. You could script the generation of a single line like Bill Cole suggested (and you can use include files in the config to make this easier). However I am curious about the performance of a rule like that with a lot of domains in it. Probably even more of a performance nightmare, but possibly easier to maintain could be something like: header __FROM_EXAMPLECOM From:addr =~ /\@(example\.com)$/i header __FROM_EXAMPLEORG From:addr =~ /\@( example\.org)$/i header __FROM_EXAMPLENL From:addr =~ /\@( example\.nl)$/i meta __DKIM_REQUIRED ( __FROM_EXAMPLECOM || __FROM_EXAMPLEORG || __FROM_EXAMPLENL ) Horses for courses really. Alternatively you could also set up a dns based list of sender domains. In fact I have been wondering if someone is maintaining a list like that. Because I guess a lot of people must be doing similar things on their own. Eg. we require dkim of spf to be present for some local bank domains. Especially banks and the like have already a policy, often specified on their site, for which of their domains require dkim or spf. Would there be a point in a central, maybe self maintained dns based domain list where organisations can register domains as 'requiring' dkim/spf? Sort of an explicit opt-in for organisations who really know they have everything correctly set-up. Whilst not really what you're talking about you could take a look at http://dkimwl.org/ - it certainly shows that a DNS check for DKIM signed domains is a plausible endeavour. To use your bank example a result of 127.0.10.5 from DKIMWL would show a bank that is highly trusted, if that fails DKIM then you end up with roughly what you're trying to do. Of course you may not like their listing policy, which is where these things can come undone, but the granular nature of their results might be enough to give you a start and see how happy you are with it in practice. The big issue for most people in respect of any DNS method is it's unlikely to reference the domains they manage so there would still be a need for additional rules for local domains. Perhaps throw in metas like the ones above.
Re: DKIM Score
On 16.08.16 08:18, Chris Lee wrote: Besides, it is possible to just whitelist or blacklist some email address for DKIM checking? do you mean to exempt a domain from DKIM checking? I don't see the point still... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I don't have lysdexia. The Dog wouldn't allow that.
RE: DKIM Score
Hi Merijn, Still digest your solution, look like it rather complex to me. Besides, it is possible to just whitelist or blacklist some email address for DKIM checking? Regards, Chris Lee -Original Message- From: Merijn van den Kroonenberg [mailto:mer...@web2all.nl] Sent: Tuesday, August 16, 2016 4:00 PM To: users@spamassassin.apache.org Subject: RE: DKIM Score > Besides, can I change the lines as following? > > header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i > header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i > header __DKIM_REQUIRED From:addr =~ /\@( example\.nl)$/i > . > . > > > As I have lots of domain to handle. You could script the generation of a single line like Bill Cole suggested (and you can use include files in the config to make this easier). However I am curious about the performance of a rule like that with a lot of domains in it. Alternatively you could also set up a dns based list of sender domains. In fact I have been wondering if someone is maintaining a list like that. Because I guess a lot of people must be doing similar things on their own. Eg. we require dkim of spf to be present for some local bank domains. Especially banks and the like have already a policy, often specified on their site, for which of their domains require dkim or spf. Would there be a point in a central, maybe self maintained dns based domain list where organisations can register domains as 'requiring' dkim/spf? Sort of an explicit opt-in for organisations who really know they have everything correctly set-up. A dns list configuration would look like this (and might be easier maintainable for some people): # Check envelope from against domain-based list at dkiml.example.com header __DKIM_REQUIRED_DNSeval:check_rbl_from_domain('dkiml', 'dkiml.example.com.') describe__DKIM_REQUIRED_DNSEnvelope sender listed in dkiml.example.com (Example domain listing) tflags __DKIM_REQUIRED_DNSnet reuse __DKIM_REQUIRED_DNS describeDKIM_REQUIRED_FAIL Sender requires a valid DKIM signature but it was not present metaDKIM_REQUIRED_FAIL (__DKIM_REQUIRED_DNS && !DKIM_VALID_AU) score DKIM_REQUIRED_FAIL 10.0 What would be the performance pros and cons between a hardcoded regex with a lot of domains or a dns list (lookup)? I think it probably doesn't matter that much unless the regex is really huge. So its just a matter of personal preference for maintainebility? This message and its attachment (if any) are strictly confidential and sent to the designated recipient(s) only. If you are not the intended recipient, please notify the sender by e-mail and delete this message and its attachment (if any) from your computer system immediately . Century City International Holdings Limited, Paliburg Holdings Limited, Regal Hotels International Holdings Limited, its respective related subsidiaries, associated companies and affiliates do not guarantee this message and its attachment (if any) are free of computer virus and would not accept any liability whatsoever arising from Internet transmission.
RE: DKIM Score
> Besides, can I change the lines as following? > > header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i > header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i > header __DKIM_REQUIRED From:addr =~ /\@( example\.nl)$/i > . > . > > > As I have lots of domain to handle. You could script the generation of a single line like Bill Cole suggested (and you can use include files in the config to make this easier). However I am curious about the performance of a rule like that with a lot of domains in it. Alternatively you could also set up a dns based list of sender domains. In fact I have been wondering if someone is maintaining a list like that. Because I guess a lot of people must be doing similar things on their own. Eg. we require dkim of spf to be present for some local bank domains. Especially banks and the like have already a policy, often specified on their site, for which of their domains require dkim or spf. Would there be a point in a central, maybe self maintained dns based domain list where organisations can register domains as 'requiring' dkim/spf? Sort of an explicit opt-in for organisations who really know they have everything correctly set-up. A dns list configuration would look like this (and might be easier maintainable for some people): # Check envelope from against domain-based list at dkiml.example.com header __DKIM_REQUIRED_DNSeval:check_rbl_from_domain('dkiml', 'dkiml.example.com.') describe__DKIM_REQUIRED_DNSEnvelope sender listed in dkiml.example.com (Example domain listing) tflags __DKIM_REQUIRED_DNSnet reuse __DKIM_REQUIRED_DNS describeDKIM_REQUIRED_FAIL Sender requires a valid DKIM signature but it was not present metaDKIM_REQUIRED_FAIL (__DKIM_REQUIRED_DNS && !DKIM_VALID_AU) score DKIM_REQUIRED_FAIL 10.0 What would be the performance pros and cons between a hardcoded regex with a lot of domains or a dns list (lookup)? I think it probably doesn't matter that much unless the regex is really huge. So its just a matter of personal preference for maintainebility?
Re: DKIM Score
On 15 Aug 2016, at 21:28, Chris Lee wrote: Besides, can I change the lines as following? header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i header __DKIM_REQUIRED From:addr =~ /\@( example\.nl)$/i Nope. Each rule can have one operational definition. If you redefine it, you replace the prior definition. However, that's fine because the above (assuming the spaces are typos) could instead be: header __DKIM_REQUIRED From:addr =~ /\@(example\.(com|org|nl))$/i
RE: DKIM Score
Dear Merjin, Excellent! It's work prefect! Besides, can I change the lines as following? header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i header __DKIM_REQUIRED From:addr =~ /\@( example\.org)$/i header __DKIM_REQUIRED From:addr =~ /\@( example\.nl)$/i . . As I have lots of domain to handle. Regards, Lee -Original Message- From: Merijn van den Kroonenberg [mailto:mer...@web2all.nl] Sent: Monday, August 15, 2016 7:19 PM To: users@spamassassin.apache.org Subject: Re: DKIM Score > Hi, > > How to setup to give high score for specific domain cannot pass DKIM test? > > For example: My own email domain is example.com > > Any incoming email from: example.com does not pass DKIM test score > 10.0 > describe__DKIM_REQUIRED Require a valid DKIM signature for these domains header __DKIM_REQUIRED From:addr =~ /\@(example\.com|example\.org)$/i describeDKIM_REQUIRED_FAIL Sender requires a valid DKIM signature but it was not present metaDKIM_REQUIRED_FAIL (__DKIM_REQUIRED && !DKIM_VALID_AU) score DKIM_REQUIRED_FAIL 10.0 This tests the from address for a *@example.com (and org) address. If it matches then it requires a valid DKIM signature for the domain of the sender (in this case example.com or example.org). This message and its attachment (if any) are strictly confidential and sent to the designated recipient(s) only. If you are not the intended recipient, please notify the sender by e-mail and delete this message and its attachment (if any) from your computer system immediately . Century City International Holdings Limited, Paliburg Holdings Limited, Regal Hotels International Holdings Limited, its respective related subsidiaries, associated companies and affiliates do not guarantee this message and its attachment (if any) are free of computer virus and would not accept any liability whatsoever arising from Internet transmission.
Re: DKIM Score
https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/ On 15-8-2016 10:44, Chris Lee wrote: Hi, How to setup to give high score for specific domain cannot pass DKIM test? For example: My own email domain is example.com Any incoming email from: example.com does not pass DKIM test score 10.0 Spamassassin Version: 3.4.1 Release: 6.fc23 OS: Fedora FC 23 Many thanks in advance. Cheers, Lee This message and its attachment (if any) are strictly confidential and sent to the designated recipient(s) only. If you are not the intended recipient, please notify the sender by e-mail and delete this message and its attachment (if any) from your computer system immediately . Century City International Holdings Limited, Paliburg Holdings Limited, Regal Hotels International Holdings Limited, its respective related subsidiaries, associated companies and affiliates do not guarantee this message and its attachment (if any) are free of computer virus and would not accept any liability whatsoever arising from Internet transmission.
Re: DKIM Score
> Hi, > > How to setup to give high score for specific domain cannot pass DKIM test? > > For example: My own email domain is example.com > > Any incoming email from: example.com does not pass DKIM test score 10.0 > describe__DKIM_REQUIRED Require a valid DKIM signature for these domains header __DKIM_REQUIRED From:addr =~ /\@(example\.com|example\.org)$/i describeDKIM_REQUIRED_FAIL Sender requires a valid DKIM signature but it was not present metaDKIM_REQUIRED_FAIL (__DKIM_REQUIRED && !DKIM_VALID_AU) score DKIM_REQUIRED_FAIL 10.0 This tests the from address for a *@example.com (and org) address. If it matches then it requires a valid DKIM signature for the domain of the sender (in this case example.com or example.org).
Re: DKIM Score
On 2016-08-15 10:44, Chris Lee wrote: How to setup to give high score for specific domain cannot pass DKIM test? generic meta DKIM_NOT_PASS (!DKIM_PASS) score on DKIM_NOT_PASS now for specific domains, its needs more work This message and its attachment (if any) are strictly confidential and ... note this is a public maillist, so please dont add crap to it