Thanks, Gary.
I'll have a look
On 6/3/2020 8:52 AM, Gary Bowling wrote:
Further to this subject. I am learning that there are more pieces that
can help us out. Spamassassin gives us a way to assign a spam score to
messages with various DKIM results. But it doesn't know what the
original sender wanted us to do with messages that have DKIM problems,
therefore we just default to giving scores with some predetermined
weighting.
There are two more tools, ADSP (Author Domain Signing Practices), and
DMARC (Domain based Message Authentication, Reporting and
Conformance), which are both fancy ways of saying, "I want to tell
other servers that messages from MY server should have DKIM and what
to do if they don't."
For outbound mail, both ADSP and DMARC simply require you to set up
DNS TXT records telling remote servers how to handle messages received
from your server. If you want to use either of these, do a search for
them and you'll find info on how to set up the DNS records. Without
explanation of all the fields, here's what I put in my bind DNS.
_adsp._domainkey.mail IN TXT "dkim=all"
_dmarc.mail IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmas...@example.com; ruf=mailto:postmas...@example.com; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"
For inbound mail, we can set up spamassassin to query DNS records for
inbound mail and score them based on info that others might have
configured in DMARC. It requires a plugin called AskDNS, but that
looks to already be available in our spamassassin and also in the EPEL
version of spamassassin, so it should just require us to assign
scores. Here's what I have configured in my /etc/spamassassin/local.cf
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 10
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif # Mail::SpamAssassin::Plugin::AskDNS
On 6/2/2020 5:12 PM, Gary Bowling wrote:
Yea, I had already looked in there, they aren't there. I eventually
found them in
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DKIM.pm
Looks like the defaults are,
score DKIM_ADSP_ALL 2.5
score DKIM_ADSP_DISCARD 25
score DKIM_ADSP_NXDOMAIN 3
score DKIM_ADSP_CUSTOM_LOW 1
score DKIM_ADSP_CUSTOM_MED 3.5
score DKIM_ADSP_CUSTOM_HIGH 8
For right now, I'm going to adjust a few of these and also adjust
some of the SPF settings. Here's what I'm trying right now in my
/etc/spamassassin/local.cf
#Adjust scores for SPF FAIL
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_SOFTFAIL 3.0
score SPF_SOFTFAIL 3.0
#adjust DKIM scores
score DKIM_ADSP_ALL 3.0
score DKIM_ADSP_DISCARD 10.0
score DKIM_ADSP_NXDOMAIN 3.0
Thanks, Gary
On 6/2/2020 12:29 PM, Eric Broch wrote:
Gary,
The stock scores for spamassassin are in /usr/share/spamassassin/*.cf.
# grep DKIM /usr/share/spamassassin/*.cf
For your local configuration you can override the scores in
/etc/mail/spamassassin/local.cf on COS8 or
/etc/spamassassin/local.cf on COS7. I know THAT one can manipulate
scores to fit their needs with spamassassin, however, I have NEVER
done it. This is me sloughing it off. ;-) The reason I like
spamassassin DKIM verification is because it doesn't just reject bad
DKIM which as you mentioned can have bad effects but scores it with
other things for rejection.
If you find some configuration that suits you and your system I'd be
willing to post it on the QMT web as a stock 'QMT' setting.
Eric
On 6/2/2020 10:11 AM, Gary Bowling wrote:
Thanks Eric. What is the config setting in local.cf to change the
DKIM scoring? I don't find any setting in my /etc/spamassassin/
directories that sets that score. Is the scoring for the stock EPEL
local.cf different from what we have? I assume not since you said
you didn't tailor any of that in QMT.
I think that's a good move to use the stock spamassassin from EPEL.
As DKIM seems to be more pervasive these days, I might be tempted
to increase the score in spamassassin if I can find the local.cf
setting.
Thanks, Gary
On 6/2/2020 11:56 AM, Eric Broch wrote:
Hi Gary,
My intent, which I articulated in another email on the list and
instead of reinventing the wheel, was exactly as you deduced in
your email, that is, to allow spamassassin to score DKIM which it
does; however, I have not done anything as far as a tailoring
configuration for QMT and was content to allow users that scoring
decision. My goal is to drop the specially created QMT
spamassassin (and clamav) rpm, which I've done in CentOS 8, and
use the stock rpm from EPEL.
I think you can override default scoring for DKIM in
/etc/spamassassin/local.cf on COS7 and
/etc/mail/spamassassin/local.cf on COS8.
Eric
On 6/2/2020 8:09 AM, Gary Bowling wrote:
What is everyone doing these days for DKIM verification, i.e.
checking incoming mail for DKIM signatures?
Background
Many years ago, when DKIM was first introduced to the toaster
(maybe it was even in the Shupp's toaster days), I installed and
turned on incoming DKIM verification. Initially I set it to
"reject" unsigned email and of course that was a disaster as it
blocked most everything.
Back then, the choice was to have it verify emails, but not block
them, or remove verification. I made the decision that checking
without doing anything was a waste of resources, so I removed any
DKIM verification. I don't remember how I did all this, as it was
years ago.
Then at some point DKIM verification was added to spamassassin,
or maybe it was always there but we didn't implement the plugin.
At any rate, spamassassin DKIM verification was added to the toaster.
Which seems like a good thing as spamassassin can assign a score
to DKIM verification which plays into whether a msg is marked as
spam or not. The problem with it though, is the score for NOT
being verified is very low, something like .01, which essentially
does nothing. I can't find any "user" added parameter that would
increase that score and don't really know if that's a good thing
to try to do. If it were a good thing, I would think it would be
a commonly used setting, which doesn't appear to be the case.
What to do in 2020?
So the question is, what to do about DKIM verification in 2020?
From the way my server is configured it appears to be useless.
But maybe that's because I don't know how to best configure it.
Side Note
On a side note, I do use outbound DKIM and have DNS set up, etc.
I have no idea if this is useful or not, but I'll leave it,
hoping that somehow this reduces my probability of being rejected
by some server out there. But from what I can tell, it really
does nothing. Seems to me DKIM is nothing more than an exercise
in futility and extra work for postmasters :)
--
____________________
Gary Bowling
The Moderns on Spotify
<https://distrokid.com/hyperfollow/themoderns/bbrs>
____________________
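An added example, not part of the original thread and not SpamAssassin code: it mirrors the DMARC meta rules from the 6/3 message in Python and compares the thread's askdns patterns with a tag-based parse, showing that a record publishing p= as its last tag without a trailing semicolon is not matched by patterns of that form. The function names and sample records are constructed for illustration; the scores are the ones from the quoted local.cf.

```python
import re

# Scores taken from the local.cf quoted in the thread.
SCORES = {"reject": 10.0, "quarantine": 5.0, "none": 0.1}
# The thread's three askdns patterns, translated to Python regexes.
THREAD_PATTERNS = {p: re.compile(r"^v=DMARC1;.*\bp=%s;" % p) for p in SCORES}

def policy_by_thread_regex(txt):
    """Policy found by the thread-style patterns, or None."""
    for policy, pattern in THREAD_PATTERNS.items():
        if pattern.search(txt):
            return policy
    return None

def parse_dmarc(txt):
    """Split a TXT record into DMARC tags; None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or re.sub(r"\s", "", parts[0]) != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def policy_by_tags(txt):
    """Policy read from the parsed p= tag, or None."""
    tags = parse_dmarc(txt)
    policy = (tags or {}).get("p", "").lower()
    return policy if policy in SCORES else None

def dmarc_score(txt, dkim_valid_au, spf_pass, policy_fn=policy_by_tags):
    """Mirror the meta rules: score only if neither DKIM_VALID_AU nor SPF_PASS hit."""
    if dkim_valid_au or spf_pass:
        return 0.0
    return SCORES.get(policy_fn(txt), 0.0)

# Constructed sample records (not real DNS data).
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject",                 # p= is the last tag, no ';'
    "v=DMARC1; p=quarantine; sp=none;",
    "v=spf1 -all",                        # not a DMARC record
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "| regex:", policy_by_thread_regex(rec),
              "| tags:", policy_by_tags(rec),
              "| score:", dmarc_score(rec, False, False))
```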
---------------------------------------------------------------------
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com For additional
commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com