On Mon, 19 Apr 2021 20:40:58 -0400
Bill Cole wrote:
I suggested exempting messages hitting ALL_TRUSTED from
KAM_DMARC_REJECT.
Matus noted correctly that doing so with external machines in
trusted_networks could result in "problems" i.e. allowing unsigned
(i.e. fake) messages to bypass KAM_DMARC_REJECT because they are
originating on a machine which is trusted not to write bogus Received
headers. Note that a machine in trusted_networks is NOT necessarily
presumed to not originate spam.
I proposed (and have committed to my sandbox) an ALL_INTERNAL rule
which could be used to exempt mail which has originated on internal
networks.

On 21.04.21 00:11, RW wrote:
Anything that enters through the remote trusted network and hits
ALL_TRUSTED will almost certainly pass whatever authentication
mechanisms are set up for the domain.

The difference between ALL_TRUSTED and ALL_INTERNAL will likely be
small. There are minor advantages either way.

The difference would be, ALL_TRUSTED covers mail from trusted, but not
internal hosts, that are trusted not to fake headers, but still may send spam.
Such mail should imho still be checked for DMARC.

The ALL_INTERNAL, or better the NO_RELAYS as Benny pointed out, should only
hit on mail generated in the internal network.

The !__LAST_EXTERNAL_RELAY_NO_AUTH I proposed should hit on mail that entered
the internal network authenticated, which imho means it's an outgoing e-mail.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
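
The distinction argued over in this thread, as an added example that is not part of any poster's message and is not SpamAssassin's own code: a simplified model in which each relay is classified only by its IP address, walking the Received chain newest-first. The network ranges, sample chains and the helper names (`split_relays`, `evaluate`, `dmarc_still_checked`) are constructed for illustration; SMTP AUTH handling is left out.

```python
import ipaddress

# Constructed configuration using documentation address ranges (assumption).
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]    # our own relays
TRUSTED_NETWORKS = INTERNAL_NETWORKS + [
    ipaddress.ip_network("198.51.100.0/24"),  # external host trusted not to forge headers
]

def split_relays(relays, networks):
    """Walk relay IPs newest-first. Hops count as 'inside' until the first IP
    outside `networks`; that hop and every older one count as 'outside'."""
    for i, ip in enumerate(relays):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            return relays[:i], relays[i:]
    return relays, []

def evaluate(relays):
    """Return which of the three rules discussed would hit for this chain."""
    trusted, untrusted = split_relays(relays, TRUSTED_NETWORKS)
    internal, external = split_relays(relays, INTERNAL_NETWORKS)
    return {
        "NO_RELAYS": not relays,
        "ALL_TRUSTED": bool(trusted) and not untrusted,
        "ALL_INTERNAL": bool(internal) and not external,
    }

def dmarc_still_checked(relays, exempt_rule):
    """True when a DMARC reject rule exempted by `exempt_rule` still applies."""
    return not evaluate(relays)[exempt_rule]

# Constructed relay chains (newest hop first).
SAMPLES = {
    "generated_locally": [],
    "internal_only": ["192.0.2.10"],
    "via_trusted_external": ["192.0.2.10", "198.51.100.7"],
    "inbound_internet": ["192.0.2.10", "203.0.113.5"],
}

if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        print(name, evaluate(chain),
              "checked if ALL_TRUSTED exempt:", dmarc_still_checked(chain, "ALL_TRUSTED"),
              "checked if ALL_INTERNAL exempt:", dmarc_still_checked(chain, "ALL_INTERNAL"))
```

The `via_trusted_external` chain is the case in dispute: exempting on ALL_TRUSTED skips the DMARC check for it, exempting on ALL_INTERNAL does not.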
