On 19 Apr 2021, at 18:25, RW wrote:

On Mon, 19 Apr 2021 15:54:00 -0400
Bill Cole wrote:

It's clear to me that excluding the original message (given as an
example by the OP in a side-branch of this thread) from DMARC
verification could be done with an ALL_INTERNAL

I've been a bit distracted today and I've already misunderstood you
twice, but I still don't see what problem using ALL_INTERNAL instead
ALL_TRUSTED actually solves.

Discriminating between machines you trust to write honest Received headers (trusted) and those which you accept unsigned mail from (internal).

There was some talk about mail from third-party external trusted
networks, but I was unclear about the problem. What using ALL_INTERNAL
gives you in that case is the possibility of getting KAM_DMARC_REJECT
even when you have ALL_TRUSTED.

Precisely.
The original problem was messages originating internally which were not yet signed being caught by KAM_DMARC_REJECT because the local domain publishes p=reject. I suggested exempting messages hitting ALL_TRUSTED from KAM_DMARC_REJECT. Matus noted correctly that doing so with external machines in trusted_networks could result in "problems", i.e. allowing unsigned (i.e. fake) messages to bypass KAM_DMARC_REJECT because they are originating on a machine which is trusted not to write bogus Received headers. Note that a machine in trusted_networks is NOT necessarily presumed to not originate spam. I proposed (and have committed to my sandbox) an ALL_INTERNAL rule which could be used to exempt mail which has originated on internal networks from hitting KAM_DMARC_REJECT even with no signature and a p=reject policy for the author's domain.

Is that any more clear?

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
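An added example, not code from this thread or from SpamAssassin itself, modelling the distinction Bill draws above: a simplified Python model of the trusted_networks/internal_networks relay walk, run over three constructed Received chains, showing that an unsigned message relayed from a trusted but external partner network passes an exemption keyed on ALL_TRUSTED yet fails one keyed on ALL_INTERNAL. The network ranges, hostnames and the exempt_from_dmarc_reject helper are assumptions made for the example.

```python
import ipaddress
import re

# Constructed example: a simplified model of SpamAssassin's relay-trust walk,
# not the ALL_INTERNAL rule committed to Bill Cole's sandbox. Networks and
# hostnames are made up (RFC 5737 documentation ranges).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),     # our own MX/LAN
                    ipaddress.ip_network("198.51.100.0/24")]  # partner relay: writes honest
                                                              # Received headers, but may
                                                              # still originate unsigned mail
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]    # only our own hosts

# Constructed Received headers, newest hop first, as SpamAssassin reads them.
INTERNAL_MSG = ["Received: from desk42.example.com ([192.0.2.55]) by mx.example.com with ESMTP"]
PARTNER_MSG = ["Received: from relay.partner.test ([198.51.100.7]) by mx.example.com with ESMTPS"]
EXTERNAL_MSG = ["Received: from unknown ([203.0.113.9]) by mx.example.com with ESMTP"]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(headers):
    """Pull the connecting ('from') IP out of each Received header."""
    return [ipaddress.ip_address(m.group(1))
            for h in headers if (m := RECEIVED_IP.search(h))]


def classify(headers):
    """Evaluate both rules over every hop: one hop outside trusted_networks
    clears ALL_TRUSTED, one hop outside internal_networks clears ALL_INTERNAL."""
    flags = {"ALL_TRUSTED": True, "ALL_INTERNAL": True}
    for ip in relay_ips(headers):
        if not any(ip in n for n in TRUSTED_NETWORKS):
            flags["ALL_TRUSTED"] = False
        if not any(ip in n for n in INTERNAL_NETWORKS):
            flags["ALL_INTERNAL"] = False
    return flags


def exempt_from_dmarc_reject(headers, exempt_rule):
    """Hypothetical helper: would a KAM_DMARC_REJECT exemption keyed on
    exempt_rule ('ALL_TRUSTED' or 'ALL_INTERNAL') let this unsigned message through?"""
    return classify(headers)[exempt_rule]


if __name__ == "__main__":
    for name, msg in [("internal", INTERNAL_MSG), ("partner", PARTNER_MSG),
                      ("external", EXTERNAL_MSG)]:
        print(name, classify(msg),
              "exempt via ALL_TRUSTED:", exempt_from_dmarc_reject(msg, "ALL_TRUSTED"),
              "exempt via ALL_INTERNAL:", exempt_from_dmarc_reject(msg, "ALL_INTERNAL"))
```

The partner case is the one Matus raised: the relay is trusted to write honest Received headers, so ALL_TRUSTED fires, but the message did not originate on an internal network, so an ALL_INTERNAL-based exemption still lets KAM_DMARC_REJECT apply.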
