I'd say that a proper solution would be to DKIM-sign mail before it's
spam-scanned.

On 19.04.21 19:39, Simon Wilson wrote:
Good point. If DKIM is signed it should pass DMARC, even if SPF fails.

Amavisd handles both pieces, including DKIM signing... from looking at the headers it looks like Amavisd is spam scanning it first *then* DKIM signing it. I will post to the amavisd mailing list on that question...

DKIM-signing locally submitted mail prior to spam scanning would help us
here (and amavis is supposed to know local domains, unlike SA)


How does that work though... DKIM is supposed to sign LAST, not before a bunch of other headers are added...

It's not applicable for non-DKIM domains, which still can SPF pass and
therefore DMARC pass.

Surely SPF will never pass an internal-only email, as you cannot have an internal IP address in your SPF record...
E.g. my SPF record is:
v=spf1 ip4:119.18.34.29 a:spf.email-hosting.net.au -all
Any internal assessment will fail when it sees 192.168.x.x as the sending IP.


but, the rule could apparently avoid locally-originated mail
(would help for non-DKIM domains).

meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT

maybe __LAST_EXTERNAL_RELAY_NO_AUTH ?

Am I reading the rule correctly that EITHER a fail DKIM or SPF will cause this to trip?

meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
score    KAM_DMARC_REJECT 3.0

...in which case, SPF will *always* fail on an internal email and this rule will always fail. DMARC can still pass with e.g. an SPF failure if DKIM passes - why is this an "OR"?

negated or: if either SPF or DKIM passes, the KAM_DMARC_REJECT won't
hit, because it means DMARC pass.

Thank you. I hate logical booleans lol.


I am not sure how exactly SPF matches:

header   SPF_PASS     eval:check_for_spf_pass()

I'm not sure SPF should hit for locally submitted e-mail.

See above - it can't.


however, adding an exemption for local mail to KAM_DMARC_REJECT could help us
accept locally submitted mail.

Surely this has to be the fix... if an email has ONLY internal IPs, then DMARC assessment is irrelevant.


----- End message from Matus UHLAR - fantomas <uh...@fantomas.sk> -----



--
Simon Wilson
M: 0400 12 11 16
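The local-mail exemption the thread converges on, as an added Python model that is not SpamAssassin or KAM code and not from anyone in the thread. It approximates "only internal IPs in the Received chain" with a hand-rolled check over constructed samples; SpamAssassin itself would derive this from internal_networks and a rule such as __LAST_EXTERNAL_RELAY_NO_AUTH, and the network list and sample headers here are assumptions.

```python
import ipaddress
import re

# Assumption: what internal_networks would hold in local.cf for this site.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received_headers):
    """Client IP of each Received: hop, as the MTA writes it in [brackets]."""
    ips = []
    for hdr in received_headers:
        m = BRACKETED_IP.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def is_locally_originated(received_headers):
    """True when every hop is inside INTERNAL_NETWORKS: the mail never came from
    outside, so SPF cannot pass and DKIM is not yet applied when amavisd signs
    after scanning, which is exactly the case discussed above."""
    ips = relay_ips(received_headers)
    return bool(ips) and all(any(ip in net for net in INTERNAL_NETWORKS) for ip in ips)


def kam_dmarc_reject(msg, exempt_local=False):
    """Model of the meta rule quoted in the thread:
         !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
    The negated OR means it fires only when BOTH DKIM and SPF fail and the
    From: domain publishes p=reject. exempt_local adds the proposed exclusion."""
    hits = msg["hits"]
    fires = (not (hits.get("DKIM_VALID_AU") or hits.get("SPF_PASS"))
             and bool(hits.get("__KAM_DMARC_POLICY_REJECT")))
    if fires and exempt_local and is_locally_originated(msg["received"]):
        return False
    return fires


# Constructed samples; the hit flags are what SpamAssassin would have set.
FAIL_BOTH = {"DKIM_VALID_AU": False, "SPF_PASS": False, "__KAM_DMARC_POLICY_REJECT": True}
# LAN client submitting through the local MTA, scanned before DKIM signing.
INTERNAL_MAIL = {"received": ["from pc1.lan (pc1.lan [192.168.1.20]) by mail.example.net"],
                 "hits": FAIL_BOTH}
# Outside sender spoofing a p=reject domain: an internal hop follows an external one.
SPOOFED_MAIL = {"received": ["from mx.example.net (mx.example.net [192.168.1.5]) by mail.example.net",
                             "from unknown (unknown [203.0.113.5]) by mx.example.net"],
                "hits": FAIL_BOTH}
# Forwarded external mail: SPF fails but DKIM is valid and aligned, so DMARC passes.
FORWARDED_MAIL = {"received": ["from fwd.example.org (fwd.example.org [198.51.100.7]) by mail.example.net"],
                  "hits": {"DKIM_VALID_AU": True, "SPF_PASS": False, "__KAM_DMARC_POLICY_REJECT": True}}
```

With the exemption the rule still fires on the spoofed sample, stays quiet on the forwarded one, and no longer hits mail that only ever saw internal relays.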
