Re: No From: address in policy delegation protocol?

2016-06-27 Thread Zhang Huangbin

> On Jun 28, 2016, at 1:46 PM, Zhang Huangbin  wrote:
> 
> I can reproduce this issue with a simple Python program:
> 
> *) construct mail message with forge sender address. e.g. 'From: 
> '
> *) send email as normal/legal user "auth_u...@my-domain.com" with smtp auth.
> *) while sending email, specify the sender address as 
> "auth_u...@my-domain.com".
> *) When user received the email, his MUA shows the address in 'From:' as 
> sender.

Here's the python code:
http://pastebin.com/Jj7sBxCp

No From: address in policy delegation protocol?

2016-06-27 Thread Zhang Huangbin
Dear all,

I have a simple Postfix policy server, and have a problem rejecting sender login 
mismatch (sender != sasl_username) with Outlook 2016: the user is able to specify a 
From: address, it can be any address you want, and the From: address is not 
passed to the policy server.

I can reproduce this issue with a simple Python program:

*) construct a mail message with a forged sender address, e.g. 'From: '
*) send email as a normal/legal user "auth_u...@my-domain.com" with SMTP auth.
*) while sending email, specify the sender address as "auth_u...@my-domain.com".
*) When the user receives the email, his MUA shows the address in 'From:' as sender.

In this case:

- address 'fo...@forge.com' is not available in policy server
- attributes 'sender=' and 'sasl_username' are 'auth_u...@my-domain.com'

So the question is, does Postfix parse the submitted mail message to get the 
'From:' address? How can I overcome this?

Thanks for helping. :)
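For the policy-delegation question above, here is an added example (not the pastebin code from the post) of a minimal policy server in Python that parses the request Postfix sends and applies the sender/sasl_username check; the sample attribute values and the TCP port 10040 are constructed assumptions. It makes the protocol point visible: Postfix passes only envelope and session attributes to a policy server, so a From: header written by the MUA is never among them.

```python
"""Minimal Postfix SMTPD policy server for the sender-login check (added example).

Postfix sends a policy request as "name=value" lines ended by an empty line
and expects one "action=..." line back, also ended by an empty line
(SMTPD_POLICY_README). Only envelope and session attributes are sent, so a
From: header written by the MUA is never part of the request.
"""
import socketserver
from typing import Dict

# Constructed sample request (not a real capture): an authenticated submission
# whose envelope sender matches the SASL login, as in the post.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "client_name=client.example.com\n"
    "sender=auth_user@my-domain.com\n"
    "recipient=someone@example.net\n"
    "sasl_method=PLAIN\n"
    "sasl_username=auth_user@my-domain.com\n"
    "\n"
)


def parse_request(raw: str) -> Dict[str, str]:
    """Parse one request: name=value lines up to the terminating blank line."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:  # skip malformed lines without '='
            attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str]) -> str:
    """Return the action: REJECT when an authenticated user forges MAIL FROM."""
    sasl_user = attrs.get("sasl_username", "")
    sender = attrs.get("sender", "")
    if not sasl_user:
        return "DUNNO"  # unauthenticated session: leave it to other restrictions
    if sender.lower() != sasl_user.lower():
        return "REJECT Sender address rejected: not owned by user " + sasl_user
    return "DUNNO"  # envelope is consistent; nothing here can see the From: header


def respond(raw: str) -> str:
    """One full exchange: request text in, 'action=...' reply text out."""
    return "action=" + decide(parse_request(raw)) + "\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve Postfix over TCP; Postfix may send many requests per connection."""

    def handle(self):
        while True:
            lines = []
            for raw_line in self.rfile:
                line = raw_line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            else:
                return  # peer closed the connection
            self.wfile.write(respond("\n".join(lines) + "\n\n").encode("utf-8"))
            self.wfile.flush()


if __name__ == "__main__":
    # Assumed address; main.cf would use check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

The same envelope check is available without a policy server through Postfix's reject_sender_login_mismatch with smtpd_sender_login_maps; either way, only MAIL FROM is covered, and a header-level check needs a milter or header_checks.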

Re: Newbie SASL Auth with Dovecot problem

2016-06-27 Thread postfix

There is no AUTH on port 25, take 587.

suomi

On 06/28/2016 05:15 AM, Michael Fox wrote:


Newbie SASL Auth with Dovecot problem

2016-06-27 Thread Michael Fox
I've been using Postfix for a while with no client submission.  I'm trying
to set up SASL for the first time, using Dovecot, to support virtual users.

When I connect with EHLO, I do NOT see "AUTH" capabilities.

Of course, I'm following:  http://www.postfix.org/SASL_README.html

First of all, Dovecot is installed and authentication works

$ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+OK Dovecot ready.
user @
+OK
pass secret
+OK Logged in.
quit
+OK Logging out.
Connection closed by foreign host.
$

And mail is delivered to the virtual mailboxes just fine.  This tells me
that the Dovecot passdb and userdb are working.

Now, following the SASL_README:

$ postconf -a
cyrus
dovecot
$ postconf -A
cyrus

I followed the instructions in SASL_README for "Configuring Dovecot SASL",
plus …

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

The socket exists

~$ sudo ls -l /var/spool/postfix/private
total 0
…
srw-rw 1 postfix postfix 0 Jun 27 18:55 auth
…
$

After reload, the next step in the README is to try a connection.  But I
don't get any AUTH options:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 x ESMTP Postfix (Ubuntu)
EHLO client.example.com
250-x
250-PIPELINING
250-SIZE 102400
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
$

I don't know what to do next.  Thanks for any help.

Thanks,
Michael

$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
append_at_myorigin = yes
append_dot_mydomain = yes
biff = no
bounce_queue_lifetime = 8h
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = pcre:/etc/postfix/canonical.pcre
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
delay_warning_time = 2h
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 512
maximal_queue_lifetime = 8h
message_size_limit = 102400
mydestination = $myhostname localhost.$mydomain localhost.localdomain
    localhost
mydomain = 
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.8.0/24
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
    pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.spameatingmonkey.net*2
    psbl.surriel.com*2 bl.spamcop.net hostkarma.junkemailfilter.com=127.0.0.2
    dnsbl.sorbs.net bl.mailspike.net swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2
    list.dnswl.org=127.0.[0..255].2*-3 list.dnswl.org=127.0.[0..255].3*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
proxy_interfaces = 
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = n6mef.ampr.org
relay_recipient_maps = pcre:/etc/postfix/relay_recipients.pcre
relay_restrictions = check_sender_access
    pcre:/etc/postfix/relay_sender_access.pcre
remote_header_rewrite_domain = invalid.domain
smtp_host_lookup = native
smtp_sasl_auth_enable = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_restrictions = permit_mynetworks
    reject_unknown_reverse_client_hostname check_client_access
    pcre:/etc/postfix/client_access.pcre reject_rbl_client zen.spamhaus.org
    permit
smtpd_data_restrictions = reject_unauth_pipelining
    reject_multi_recipient_bounce permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = permit_mynetworks reject
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname permit_mynetworks reject_unknown_helo_hostname
    check_helo_access pcre:/etc/postfix/helo_access.pcre permit
smtpd_junk_command_limit = 2
smtpd_recipient_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
    check_recipient_access pcre:/etc/postfix/recipient_access.pcre
    check_recipient_access pcre:/etc/postfix/relay_recipient_access.pcre permit
smtpd_reject_unlisted_recipient = yes
smtpd_restriction_classes = relay_restrictions
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender
    reject_unknown_sender_domain permit_mynetworks check_sender_access

OT DMARC question

2016-06-27 Thread Paul R. Ganci
I notice that postfix generates bounce messages that, without going 
through some effort, do not get DKIM signed. I have set up my incoming 
gateway server so that messages to my email subscribers are bounced 
using a local_recipient_map. However I received a report from 
linkedin.com because a Linked-In subscriber sent a message to an email 
address of a non-existent local user. Linked-In flagged the 
Mailer-Daemon bounce message. It seems to me even if the message was 
DKIM signed the fact that the Return-Path header is <> would still cause 
a mismatch that should not pass the DMARC requirements. I was wondering 
how others handle this problem, or is it really just a misconfigured 
Linked-In server? It is ironic that a bounce message resulting from a 
message to a non-existent address sent from linkedin.com would generate 
a DMARC fail by linkedin.com.

--
Paul (ga...@nurdog.com)
cell: (303)257-5208


Re: Different SMTP AUTH options and credentials for different clients

2016-06-27 Thread Viktor Dukhovni

> On Jun 28, 2016, at 2:11 AM, Rob Maidment  wrote:
> 
> Filtering out the STARTTLS option can be achieved using
> smtpd_discard_ehlo_keyword_address_maps as described above.
> The smtpd_tls_security_level parameter must be set to "may" rather
> than "encrypt" if there are any profiles where TLS is not mandatory.
> The smtpd_tls_ask_ccert must be set to "yes" if there are any
> connection profiles that require certificate validation.
> The enforcement can be achieved using smtpd_helo_restrictions to call
> (after the EHLO command) a custom policy server that determines the
> matching connection profile as described above, and uses the
> encryption_protocol attribute to determine if TLS is in use and the
> ccert_subject attribute to see if a trusted client certificate was
> provided.  (Note: smtpd will validate the certificate if provided even
> when  smtpd_tls_security_level is "may".)
> 
> Note: the smtpd_delay_reject option must be set to "no" to prevent the
> client sending authentication credentials on a plain text connection
> where TLS was defined as mandatory (otherwise the policy server is
> called after the RCPT command not after the EHLO command).
> 
> Any reason why this won't work?

With STARTTLS, the client sends "EHLO" twice, once before STARTTLS and
again after.  The first call will naturally never have negotiated TLS.
So your policy server can't enforce TLS before "MAIL".  Enforcing TLS
at EHLO is not possible.

-- 
Viktor.



Re: Different SMTP AUTH options and credentials for different clients

2016-06-27 Thread Rob Maidment
I think I finally have a solution - thanks to Wietse and Viktor.  To
recap I am replacing Sendmail with Postfix in a legacy application and
I was struggling with these two requirements:

1. The server must authenticate clients differently depending on a
"client connection profile"; the profile can be defined in terms of
client IP address or host name; each connection profile defines
whether SMTP AUTH should be offered and the valid credentials; the
server must ensure clients can only authenticate using the credentials
from the appropriate profile.

Filtering out the SMTP AUTH option can be achieved using
smtpd_discard_ehlo_keyword_address_maps defined to call a custom
socketmap table that determines the matching connection profile and
returns "200 AUTH" if authentication is not required; it must look up
the client's PTR record in DNS if any profiles are defined in terms of
host name.
The smtpd_sender_restrictions option can then be used to call out
(after the MAIL command) to a custom policy server that determines the
matching connection profile using the client_address and client_name
attributes (no need to use DNS here, presumably smtpd has already done
the lookup) and compares the sasl_username attribute against the
profile credentials.  If the client has not authenticated with the
correct username the policy server can reject the connection.

Note: The client will see an error in response to the MAIL command
instead of the AUTH command but I don't think that matters (the client
would see a similar effect if smtpd_sender_login_maps was used for
envelope sender address authorization).

2. The server must offer and enforce TLS differently depending on a
"client connection profile"; the profile can be defined in terms of
client IP address or host name (as above); each profile defines
whether STARTTLS should be offered, whether TLS is mandatory, and
whether a valid client certificate is required.

Filtering out the STARTTLS option can be achieved using
smtpd_discard_ehlo_keyword_address_maps as described above.
The smtpd_tls_security_level parameter must be set to "may" rather
than "encrypt" if there are any profiles where TLS is not mandatory.
The smtpd_tls_ask_ccert must be set to "yes" if there are any
connection profiles that require certificate validation.
The enforcement can be achieved using smtpd_helo_restrictions to call
(after the EHLO command) a custom policy server that determines the
matching connection profile as described above, and uses the
encryption_protocol attribute to determine if TLS is in use and the
ccert_subject attribute to see if a trusted client certificate was
provided.  (Note: smtpd will validate the certificate if provided even
when smtpd_tls_security_level is "may".)

Note: the smtpd_delay_reject option must be set to "no" to prevent the
client sending authentication credentials on a plain text connection
where TLS was defined as mandatory (otherwise the policy server is
called after the RCPT command not after the EHLO command).

Any reason why this won't work?

regards,
Rob
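An added example (not Rob's code) of the socketmap lookup described in step 1, in Python: it answers smtpd_discard_ehlo_keyword_address_maps queries with the EHLO keywords to hide for the client's connection profile, following the netstring request/reply format of socketmap_table(5). The profile networks, the table name ehlo_profiles and the listening port are assumptions; the matching main.cf line would be smtpd_discard_ehlo_keyword_address_maps = socketmap:inet:127.0.0.1:10041:ehlo_profiles.

```python
"""Socketmap server for smtpd_discard_ehlo_keyword_address_maps (added example).

Postfix looks the client IP address up in this map and drops the EHLO
keywords it returns from its EHLO response. The wire format is
socketmap_table(5): request "<table> <key>" and reply "OK <data>",
"NOTFOUND ", "TEMP <reason>" or "PERM <reason>", each sent as a netstring.
"""
import ipaddress
import socketserver
from typing import Optional, Tuple

TABLE_NAME = "ehlo_profiles"  # assumed; the NAME in socketmap:inet:host:port:NAME

# Constructed connection profiles: client network -> EHLO keywords to hide.
PROFILES = [
    (ipaddress.ip_network("192.0.2.0/24"), "AUTH"),              # TLS yes, no AUTH
    (ipaddress.ip_network("198.51.100.0/24"), "AUTH STARTTLS"),  # legacy plaintext box
    (ipaddress.ip_network("203.0.113.0/24"), ""),                # offer everything
]


def keywords_for(client_ip: str) -> Optional[str]:
    """Keywords to discard for this client; None when no profile matches."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    for net, keywords in PROFILES:
        if addr in net:
            return keywords
    return None


def encode_netstring(payload: bytes) -> bytes:
    return b"%d:%s," % (len(payload), payload)


def decode_netstring(buf: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (payload, remaining) or None if buf is not yet a complete netstring."""
    length, sep, tail = buf.partition(b":")
    if not sep:
        return None  # length prefix still incomplete
    if not length.isdigit():
        raise ValueError("malformed netstring length")
    n = int(length)
    if len(tail) < n + 1:
        return None  # payload still incomplete
    if tail[n:n + 1] != b",":
        raise ValueError("malformed netstring terminator")
    return tail[:n], tail[n + 1:]


def reply_for(request: bytes) -> bytes:
    """Map one decoded request 'table key' to its reply text."""
    table, _, key = request.decode("ascii", "replace").partition(" ")
    if table != TABLE_NAME:
        return b"PERM unknown table"
    keywords = keywords_for(key)
    if not keywords:  # no profile, or the profile hides nothing
        return b"NOTFOUND "
    return b"OK " + keywords.encode("ascii")


def handle_bytes(buf: bytes) -> Tuple[bytes, bytes]:
    """Answer every complete request in buf; return (replies, leftover bytes)."""
    out = b""
    while True:
        decoded = decode_netstring(buf)
        if decoded is None:
            return out, buf
        request, buf = decoded
        out += encode_netstring(reply_for(request))


class SocketmapHandler(socketserver.StreamRequestHandler):
    def handle(self):
        pending = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                return  # Postfix closed the connection
            replies, pending = handle_bytes(pending + chunk)
            if replies:
                self.wfile.write(replies)
                self.wfile.flush()


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10041), SocketmapHandler) as srv:
        srv.serve_forever()
```

Hiding AUTH only stops the keyword being advertised; the sasl_username check in the sender-stage policy server is still what enforces which credentials a profile may use.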


Re: header_checks bypassing discard rules

2016-06-27 Thread Zalezny
Wow, thanks for that perfect tip.



On June 27, 2016 5:15:52 PM GMT+02:00, Noel Jones  
wrote:
>On 6/27/2016 3:39 AM, Zalezny Niezalezny wrote:
>> Hi, 
>> 
>> using header_checks configuration we are dropping all outgoing
>> E-mails except some of them. 
>> 
>> 
>> # discard all mails not going to cortalconsors.(de|fr)
>> if /^to:/
>> !/^to:?$/ DISCARD discarded 
>> endif
>> 
>> Following rules dropping all outgoing e-mails with recipeint domains
>> different than
>> 
>> extern.domain.com 
>> domain.com 
>> 
>> When You sending an E-mail to:
>> 
>> To:>
>> 
>> Postfix dropping that E-mail.
>> 
>> 
>> 
>> But when You will send an e-mail to two recipients
>> 
>> To:> >,> >
>> 
>> system will deliver both. 
>> 
>> 
>> 
>> 
>> Why system not dropping E-mail addressed to
>> >
>> ? Its clear described in the rule, drop all except... 
>> 
>> 
>> I will appreciate for any help.
>> 
>> 
>> 
>> 
>> With kind regards
>> 
>> zalezny
>> 
>> 
>
>
>The failure you're seeing when there are two addresses in the header
>is because your expression only matches when there is a single
>address.  But header_checks is the wrong tool for this job; the To:
>header does not control where mail is delivered.
>
>A more robust solution is to limit where postfix can deliver mail.
>
># main.cf
>default_transport = error:remote delivery disabled
>transport_maps = hash:/etc/postfix/transport
>
># /etc/postfix/transport
>domain.com  smtp:
>extern.domain.com  smtp:
>
>
>
>http://www.postfix.org/transport.5.html
>
>
>
>  -- Noel Jones

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: header_checks bypassing discard rules

2016-06-27 Thread Noel Jones
On 6/27/2016 3:39 AM, Zalezny Niezalezny wrote:
> Hi, 
> 
> using header_checks configuration we are dropping all outgoing
> E-mails except some of them. 
> 
> 
> # discard all mails not going to cortalconsors.(de|fr)
> if /^to:/
> !/^to:?$/ DISCARD discarded 
> endif
> 
> Following rules dropping all outgoing e-mails with recipeint domains
> different than
> 
> extern.domain.com 
> domain.com 
> 
> When You sending an E-mail to:
> 
> To:>
> 
> Postfix dropping that E-mail.
> 
> 
> 
> But when You will send an e-mail to two recipients
> 
> To: >, >
> 
> system will deliver both. 
> 
> 
> 
> 
> Why system not dropping E-mail addressed to
> >
> ? Its clear described in the rule, drop all except... 
> 
> 
> I will appreciate for any help.
> 
> 
> 
> 
> With kind regards
> 
> zalezny
> 
> 


The failure you're seeing when there are two addresses in the header
is because your expression only matches when there is a single
address.  But header_checks is the wrong tool for this job; the To:
header does not control where mail is delivered.

A more robust solution is to limit where postfix can deliver mail.

# main.cf
default_transport = error:remote delivery disabled
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport
domain.com  smtp:
extern.domain.com  smtp:



http://www.postfix.org/transport.5.html



  -- Noel Jones


Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-27 Thread Kris Deugau
li...@lazygranch.com wrote:
> 
> Peter wrote:
> > As a relatively simple example, I use amavisd-new and Spamassassin to
> > flag mail with a spam header. Then Dovecot LMTP with sieve looks for
> > this header and if it is present it delivers to the user's "Spam" folder.
> 
> Well this is interesting. I have a similar setup for postfix. With my desktop 
> email client (Claws), the program "builds the tree" based on what I assume 
> resides on the email server. So what on the server creates this spam folder? 

The delivery agent.  Dovecot's delivery agent and procmail (can't recall
any other general-purpose MDAs - although there are several that are
tied to their own non-mbox/maildir mail folder system) both understand
how to create the appropriate files and directories as needed, so "all"
that's needed for this is to create the configuration for the delivery
agent to tell it where to file which messages.

If you're using a multi-folder-aware delivery agent that doesn't know
how to create new mail folders  you probably need to find a new
delivery agent.

> I still rather just let the client filter the message based on the header 
> rewrite. Less work. 

Only if you only ever access your mail from one device.  If I'm reading
mail on my laptop, I don't want to have to either:

a) rely on my main desktop being on to do the message sorting and
filtering, or

b) duplicate, and try to keep up to date, all the message sorting rules
across multiple systems - to say nothing of the headache I might be in
for if I decided to start reading mail on my phone, which can't run the
mail client I use on my laptop and desktop in the first place.

-kgd


header_checks bypassing discard rules

2016-06-27 Thread Zalezny Niezalezny
Hi,

using the header_checks configuration we are dropping all outgoing E-mails
except some of them.

# discard all mails not going to cortalconsors.(de|fr)
if /^to:/
!/^to:?$/ DISCARD discarded
endif

The following rules drop all outgoing e-mails with recipient domains
different than

extern.domain.com
domain.com

When you send an E-mail to:

To:

Postfix drops that E-mail.

But when you send an e-mail to two recipients

To:,

the system will deliver both.

Why is the system not dropping the E-mail addressed to 
? It's clearly described in the rule, drop all except...

I would appreciate any help.




With kind regards

zalezny


Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-27 Thread Peter
On 27/06/16 18:41, li...@lazygranch.com wrote:
> "As a relatively simple example, I use amavisd-new and Spamassassin
> to flag mail with a spam header. Then Dovecot LMTP with sieve looks
> for this header and if it is present it delivers to the user's "Spam"
> folder."
> 
> Well this is interesting. I have a similar setup for postfix. With my
> desktop email client (Claws), the program "builds the tree" based on
> what I assume resides on the email server.

Right, sieve basically does the same thing that most client-side
filtering does, but it does it on the server.  This has advantages where
you aren't dependent on the end-user to do the filtering from their client.

> So what on the server creates this spam folder?

That would be created at the same time that you create the mailbox,
likely using the same process.  For example, you can specify that
postfixadmin create additional folders for you when a mailbox is
created.  Other admin front-ends would have similar functionality, and
you can easily script such an action if you roll your own.

> I still rather just let the client filter the message based on the
> header rewrite. Less work.

Depends on your needs, the OP specifically said that he needed a
server-side solution.  In the case of spam, it makes sense to do it
server-side as a global sieve rule rather than relying on several
hundred or thousands of users to do it client-side on various different
clients.


Peter


Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-27 Thread lists
But you need Dovecot or something similar and eventually an email client, so I don't quite follow you here. You have a client, they have filters, so just use that filter. Now if you want to set up a system where the end user never sees the failed email, then I would use Dovecot and Sieve. I'm imagining a corporate scenario where email that fails ID goes to some expert to check the email, perhaps contact the sender out of band, etc. In any event, if the hive (postfix list users) can come up with the means to do the subject line rewrite, we can divert on the next step of post processing. You can use Dovecot plus Sieve and I will just use a rule in the email client.

From: Chip
Sent: Sunday, June 26, 2016 7:58 PM
To: li...@lazygranch.com
Reply To: jeffsch...@gmail.com
Cc: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

Ok this is good.  But the project cannot use mail clients, only mail
servers because post processing calls other programs not related to
postfix or exim or any program similar.

Now the idea of rewriting subject is the best I've heard so far - is
there a facility in Postfix to do that based on DKIM and SPF failing
that you know of?

On 06/26/2016 10:43 PM, li...@lazygranch.com wrote:

I think that is in the Claws email client.

To do this filtering in postfix, you would need a "parallel" mailbox to
place the suspect messages. Then your client would just read both the
good mailbox and the bad mailbox. You would need to prevent mail going
directly to the bad mailbox, though I suppose that wouldn't be the end
of the world.

To be a bit redundant here, as far as I know, your only means to flag
the mail that doesn't meet both DKIM and SPF is to do a rewrite on the
subject line like SpamAssassin does. Now if you could achieve that, then
filtering in the email client is trivial. That is, you write a very
simple filter to look for a keyword. I'd be shocked if there exists an
email client that couldn't do that. (Well maybe Pine.)

The more I think about it, doing the subject line rewrite to indicate
SPF/DKIM failure is the best approach. You could even run a rule on the
very simple email clients found on phones, or just use your eyeballs.

From: Chip
Sent: Sunday, June 26, 2016 7:25 PM
To: li...@lazygranch.com
Reply To: jeffsch...@gmail.com
Cc: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

Very interesting and thanks for sending.

Now if you look at the command line, reproduced below, is that a
command line calling a file that contains the message(s) to be
examined, or is this something put in Postfix somewhere?  Pardon
my ignorance.

 To add SPF filtering, add a filter with condition

test "!(sylpheed-spf.pl -c < %F)"

On 06/26/2016 10:13 PM, li...@lazygranch.com wrote:

I'd say you are onto something.
http://www.willamowius.de/claws-spf.html

Unfortunately SPF has a very high failure rate due to remailers. But
it's a start.

From: Chip
Sent: Sunday, June 26, 2016 6:28 PM
To: li...@lazygranch.com
Reply To: jeffsch...@gmail.com
Cc: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

There is dkimverify and spfquery, two command 

Re: DKIM/SPF failure to folder, not return to sender and other tricks

2016-06-27 Thread lists


"As a relatively simple example, I use amavisd-new and Spamassassin to
flag mail with a spam header. Then Dovecot LMTP with sieve looks for
this header and if it is present it delivers to the user's "Spam" folder."

Well this is interesting. I have a similar setup for postfix. With my desktop 
email client (Claws), the program "builds the tree" based on what I assume 
resides on the email server. So what on the server creates this spam folder? 

I still rather just let the client filter the message based on the header 
rewrite. Less work.