Am 02.12.2014 um 11:39 schrieb Christian Rößner: > So I thought why not using mechanisms from incoming mail for outgoing mail > that does not influence law. And therefor I thought about using DMARC as > well, which would protect outgoing mail from spoofed headers for domains that > already have defined DMARC policies. So if Yahoo, Microsoft, AOL and all the > others have defined DMARC, why should I even allow users to send mails with > spoofed From:- (the envelope-sender is caught by the > reject_sender_login_mismatch), if I could do a quick check for DMARC? > > Is this wrong thinking? I thought about your words: Fight problems at the > source.
as far i remember your problem is/was the some faked "from:" header injected by webservers scripts, so you need a "mech" which compares this to your "allowed" maildomains, this might be usefull config at the webserver postfix itself , but i speculate it will not work fine in real world on typical submission use. Clamav-milter with sane security works fine here at submission, but spamass-milter was to slow, i guess if you doing SPF/DKIM/DMARC verify with real mail clients it will massive slow down...., so in the submission case it might be best accept the mail and filter it before go outbound, amavis may classify and handle the mail like whats your policy... so i guess you have to split problems for different transport channels/servers and handle in a different way...you might not find a uni simple solution Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
