On Fri, Feb 8, 2013 at 5:50 PM, Todd Lyons <[email protected]> wrote:
> I have finished coding up my first draft of DMARC support into Exim
> using libopendmarc. It also logs the results to a (text) file such
> that the OpenDMARC support tools can import the logged statistics and
> send DMARC reports to senders (who have a DMARC record that requests
> it). It is merged with current HEAD on master.
>
> http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/odk_build
>
> I have it running on a test system in order to test PRDR. But I am
> going to also put this on one of my live servers (without PRDR) to see
> if the DMARC works ok, logs ok, etc.

So far no problems. I'm getting close to merging this into master. It's protected by EXPERIMENTAL_DMARC so nothing behavior-wise should change in the resulting binary unless the builder explicitly configures it.

> It does not send DMARC forensic reports. It is planned as a future addition.

I am nearing completion of this feature.

I do have two behavioral questions, please provide feedback:

1. In the opendmarc milter, by default it does not log results to a "statistics" file (which would be used to import into a database for sending aggregate reports).

I currently have it set to log these results iff the global setting dmarc_history_file is defined in the config. If exim is being built with DMARC and configures nothing, the basic result is that nothing will get done. If exim is built with DMARC and at least one "dmarc = pass|quarantine|reject|none" is in the ACL, a DMARC entry will get logged in the logfiles, but it won't do anything beyond that. If the dmarc_history_file is defined, exim logs aggregate data and the sysadmin is expected to run the opendmarc support tools to import and manage the data, and truncate the statistics file. There is a "control = dmarc_disable_verify" that will skip dmarc checking completely, which will also skip the statistics logging.

Question: Should statistics logging be enabled by default to a default statistics file? Downside is that a busy system can end up with a large growing file in the exim spool directory and the novice sysadmin may not know about it. If it grows large enough it could theoretically fill a file system and impact mail delivery (would have to be ignored for a long time though).

2. In the opendmarc milter, by default it does not send forensic (failure) reports when an incoming email fails dmarc alignment and the domain's dmarc record specifies an email address to send these forensic reports.
If exim is being built with DMARC and configured for DMARC checking, and an incoming email fails alignment, exim will send a forensic report. Exim will not send forensic reports if "control = dmarc_disable_verify" or "control = dmarc_disable_forensic" is set.

Question: Is it better to enable sending only if there is a control setting explicitly enabling it? Meaning I would need to invert the control setting such as "control = dmarc_enable_forensic"?

Any other comments or suggestions are welcome.

> Documentation of the settings is non-existent. I will try to get that
> done tonight or tomorrow.

There is some documentation, but not covering everything I've added. I will ruminate and add more before the final merge.

I still have to do a lot of testing of builds and behavior with and without various features enabled:
EXPERIMENTAL_SPF
DISABLE_DKIM
EXPERIMENTAL_DMARC

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
