Folks,

DMARC (the protocol) has the ability to sigil p=quarantine in a message when 
there's an authentication failure, which currently by default in OpenDMARC (the 
software) just gets flagged as an Authentication-results header.  However...

(for the below, I refer to https://www.postfix.org/MILTER_README.html)

The wording of the milter_default_action documentation makes mention of what to 
do with "application errors", and uses the word "quarantine" to put messages 
into the Hold queue.  This is only in cases where the milter times out or 
errors or dies on the floor without properly returning, as far as I understand. 
Not where the milter explicitly flags that a message should be quarantined.

This is also the only mention of the Hold queue or the word Quarantine on the 
milter docs page.

The intro paragraph says only that milters can "modify or reject" a message: 
i.e. "Postfix passes it to the first configured Milter which may modify or 
reject that content or may modify the stored envelope".  The hold queue is 
neither of these actions.

OpenDMARC has this option (off by default):

===

HoldQuarantinedMessages (Boolean)

If set, the milter will signal to the mta that messages with p=quarantine, 
which fail dmarc authentication, should be held in the MTA's "Hold" or 
"Quarantine" queue. The name varies by MTA. If false, messages will be accepted 
and passed along with the regular mail flow, and the quarantine will be left up 
to downstream MTA/MDA/MUA filters, if any, to handle by re-evaluating the 
headers, including the Authentication-Results header added by this filter. The 
default is "false".

(We hand off SMFIR_QUARANTINE over the milter wire and then return SMFIS_ACCEPT 
when this option is in play) [addition mine, here, for this discussion].

===

Now, the Hold queue is invisible to most downstream users.  I'd *rather* just 
let downstream filters process this, and things like SpamAssassin don't 
magically equate dmarc=fail; p=quarantine with "must accept message but mark as 
spam, move to Junk"; it's simply a score adjustment, which can be overridden by 
other things like bayes, user preferences, welcomelists, etc. (vs an override in 
OpenDMARC.conf), so it's also imperfect.  The domain owner has indicated that 
we are to do something specific with the message, so we should do it, even if 
we're interpretive about what "quarantining" means.  But I digress.

At any rate, my postfix question is: Is the milter interface wired up to the 
milter sockets in Postfix to allow a move to the quarantine queue by default?  
Or must one do something more in postfix beyond simply configuring the milter 
socket to turn this on?  (If so, it's worth mentioning it in the OpenDMARC 
docs).

If postfix isn't capable of interpreting the "hold" signal from a milter (by 
default, or at all), that's probably worth a mention in both our docs.

-Dan
_______________________________________________
Postfix-users mailing list -- [email protected]
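The post's alternative to the Hold queue is to leave HoldQuarantinedMessages off and let a downstream filter re-evaluate the Authentication-Results header that OpenDMARC adds. The following is an added example of that downstream check (not code from the post, OpenDMARC or Postfix): it assumes RFC 8601 header syntax with the policy in an OpenDMARC-style "(p=quarantine dis=...)" comment, uses the constructed authserv-id mx.example.net for the local filter, and believes only headers carrying that authserv-id, since a sender can inject its own Authentication-Results line.

```python
import re
from email import message_from_string
# Constructed value: the authserv-id our own OpenDMARC instance writes
# (its AuthservID setting). Only headers carrying it are believed.
TRUSTED_AUTHSERV_ID = "mx.example.net"

_DMARC_RE = re.compile(
    r"\bdmarc=(?P<result>[a-z]+)"        # dmarc=pass / fail / none ...
    r"(?:\s*\((?P<comment>[^)]*)\))?",   # optional "(p=quarantine dis=none)"
    re.IGNORECASE,
)

def dmarc_verdict(raw_message: str):
    """Return (result, policy) from the first Authentication-Results header
    written by the trusted local filter, or None if there is none. Headers
    with another authserv-id are ignored: an upstream 'dmarc=pass' proves nothing."""
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, body = hdr.partition(";")
        ident = authserv.strip().lower().split()   # authserv-id [version]
        if not ident or ident[0] != TRUSTED_AUTHSERV_ID:
            continue
        m = _DMARC_RE.search(body)
        if not m:
            continue
        policy = None
        if m.group("comment"):
            pm = re.search(r"\bp=(\w+)", m.group("comment"))
            policy = pm.group(1).lower() if pm else None
        return m.group("result").lower(), policy
    return None

def delivery_action(raw_message: str) -> str:
    """Turn the verdict into the MDA action the post prefers: a failure under
    p=quarantine lands in Junk, visible to the user, instead of a hold queue."""
    verdict = dmarc_verdict(raw_message)
    if verdict is None:
        return "inbox"     # nothing trustworthy to act on; leave to other filters
    result, policy = verdict
    if result == "fail" and policy == "quarantine":
        return "junk"
    return "inbox"

# Constructed sample: a forged upstream header, then the trusted one.
SAMPLE = (
    "Authentication-Results: upstream.example; dmarc=pass header.from=example.org\r\n"
    "Authentication-Results: mx.example.net; dmarc=fail (p=quarantine dis=none)"
    " header.from=example.org\r\n"
    "From: user@example.org\r\nSubject: test\r\n\r\nbody\r\n"
)
```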