Alrik,
> I have DKIM up and running with amavisd and spamassassin. Validation
> works fine for my own domain (e.g. mydomain.com) and other domains
> like gmail.com. In order to minimize the "UNSOLICITED BULK EMAIL,
> apparently from you" messages, I would like to reject messages that are
> sent with a from address of mydomain.com with no or no valid DKIM
> result.
>
> I followed the documentation and added to local.cf:
>
> header __AUTH_MYDOMAINCOM From:addr =~ m...@mydomain\.com$}mi
> describe __AUTH_MYDOMAINCOM Author claims to be from mydomain.com
>
> meta NOTVALID_MYDOMAINCOM (!DKIM_VERIFIED || !DKIM_SIGNED) &&
> __AUTH_MYDOMAINCOM
> priority NOTVALID_MYDOMAINCOM 500
> describe NOTVALID_MYDOMAINCOM Claims to be from mydomain.com but is not
>
> score NOTVALID_MYDOMAINCOM 6.0
>
> Is this the way to go? A problem I foresee is that emails sent from
> [email protected] to [email protected] doesn't get DKIM signed. So
> in the above method, these emails will be marked as spam. Which I
> obviously don't want.
As Thomas said, using the new DKIM plugin (SA 3.3.0) can save you the
trouble of writing rules like above by introducing support for ADSP
and an SA configuration command 'adsp_override'.

But as you noticed, this approach is probably not the best to fight
incoming mail claiming to be from your own domain:

- on originating mail (submitted from inside) which is to be signed
  by amavisd, the invoked SpamAssassin does not yet see the coming
  signature, so it would see a message as unsigned. A way around this
  is to add a rule to test for locally submitted mail, and exclude
  such from your meta rule:

    header __L_MYNETS X-Amavis-PolicyBank =~ m{(\A|/)(MYNETS|ORIGINATING)(/|$)}m

- the other problem is that mail sent from your users to most mailing
  lists comes back modified (advertising, disclaimers, ...) thus breaking
  a DKIM signature, yet still contains the original From address, which
  will trigger your rule.

Here are the rules used at our site, which work fairly well:

    header __ML1 Precedence =~ m{\b(list|bulk)\b}i
    header __ML2 exists:List-Id
    header __ML3 exists:List-Post
    header __ML4 exists:Mailing-List
    header __ML5 Return-Path:addr =~ m{^([...@]+-(request|bounces|admin|owner)|owner-...@]+)(\@|\z)}mi
    meta __VIA_ML __ML1 || __ML2 || __ML3 || __ML4 || __ML5
    describe __VIA_ML Mail from a mailing list

    # adjust for your domain(s):
    header __L_FROM_MY_ENV Return-Path:addr =~ /\a...@.]example\.com$/mi
    header __L_FROM_MY_AUTHOR From:addr =~ /\@([...@]*\.)?example\.com$/mi

    meta L_FOREIGN_MY_ENV !(DKIM_VALID || __L_MYNETS) && __L_FROM_MY_ENV
    score L_FOREIGN_MY_ENV 2.5

    meta L_FOREIGN_MY_AUTHOR !(DKIM_VALID || __L_MYNETS || __VIA_ML) && __L_FROM_MY_AUTHOR
    score L_FOREIGN_MY_AUTHOR 2.0

Btw, the __ML[1-5] and __VIA_ML are already in the file 20_head_tests.cf
as distributed with SA 3.3.0 (alpha2) ruleset.
Mark
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
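
Added example (not part of the original message and not SpamAssassin code): the boolean logic of the two meta rules above, modelled in Python and run on constructed messages to show which cases score. Assumptions: the DKIM result is passed in as a flag, the __ML5 Return-Path test is left out, and from_my_domain() is a stand-in for the From/Return-Path domain patterns.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "example.com"  # assumption: placeholder domain, as in the rules above
# Same pattern as the __L_MYNETS rule in the message.
POLICY_BANK_RE = re.compile(r"(\A|/)(MYNETS|ORIGINATING)(/|$)", re.M)
LIST_PRECEDENCE_RE = re.compile(r"\b(list|bulk)\b", re.I)

def via_mailing_list(msg):
    """__ML1..__ML4: Precedence list/bulk, or any list header present."""
    if LIST_PRECEDENCE_RE.search(msg.get("Precedence", "")):
        return True
    return any(h in msg for h in ("List-Id", "List-Post", "Mailing-List"))

def from_my_domain(addr):
    """True when addr is in MY_DOMAIN or one of its subdomains."""
    _, at, domain = addr.rpartition("@")
    domain = domain.lower()
    return bool(at) and (domain == MY_DOMAIN or domain.endswith("." + MY_DOMAIN))

def evaluate(raw, dkim_valid):
    """Return the names of the meta rules that would fire for this message."""
    msg = message_from_string(raw)
    mynets = bool(POLICY_BANK_RE.search(msg.get("X-Amavis-PolicyBank", "")))
    env = parseaddr(msg.get("Return-Path", ""))[1]
    author = parseaddr(msg.get("From", ""))[1]
    hits = []
    if not (dkim_valid or mynets) and from_my_domain(env):
        hits.append("L_FOREIGN_MY_ENV")
    if not (dkim_valid or mynets or via_mailing_list(msg)) and from_my_domain(author):
        hits.append("L_FOREIGN_MY_AUTHOR")
    return hits

# Constructed sample messages (not real traffic).
SPOOFED = "Return-Path: <bob@example.com>\nFrom: Bob <bob@example.com>\n\nbody\n"
LOCAL = "X-Amavis-PolicyBank: MYNETS/ORIGINATING\n" + SPOOFED
VIA_LIST = ("Return-Path: <users-bounces@lists.example.org>\n"
            "From: Bob <bob@example.com>\nList-Id: <users.lists.example.org>\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("local", LOCAL), ("via list", VIA_LIST)):
        print(name, evaluate(raw, dkim_valid=False))
```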