Re: DMARC fails for valid record?
On Sun, May 22, 2022 at 1:51 PM Matus UHLAR - fantomas wrote: > On 22.05.22 12:25, Kevin A. McGrail wrote: > >#1 you can use the welcomelist entries but NOT the welcomelist_auth > entries > >if DMARC is failing. > > isn't welcomelist_auth okay with DKIM_VALID_AU ? > It looks like welcomelist_auth works with SPF even when this DMARC_REJECT occurs, I believe. > >#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues > that > >we are working through, sorry to say it's been rougher than I wanted too. > >But we have it in production and we are working on edge cases from my end. > > Alex (OP), do you have Mail::DMARC installed? > May 22 15:12:59.482 [865542] dbg: plugin: loading Mail::SpamAssassin::Plugin::DMARC from @INC I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
Re: DMARC fails for valid record?
On 22.05.22 12:25, Kevin A. McGrail wrote: #1 you can use the welcomelist entries but NOT the welcomelist_auth entries if DMARC is failing. isn't welcomelist_auth okay with DKIM_VALID_AU ? #2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that we are working through, sorry to say it's been rougher than I wanted too. But we have it in production and we are working on edge cases from my end. Alex (OP), do you have Mail::DMARC installed? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Support bacteria - they're the only culture some people have.
Re: DMARC fails for valid record?
Alex, #1 you can use the welcomelist entries but NOT the welcomelist_auth entries if DMARC is failing. #2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that we are working through, sorry to say it's been rougher than I wanted too. But we have it in production and we are working on edge cases from my end. #3 At my work at PCCC, we changed some concepts to install the KAM rules so they are parsed after the stock rules for some of the default DMARC scores to change too. We used a new option for sa-update that Henrik added to do this. I'll ask for some info about it and test that pastebin to see if it fails on our system too. I was also discussing more DMARC/DKIM regression tests are needed. It's too fragile. Regards, KAM -- Kevin A. McGrail Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Sun, May 22, 2022 at 11:25 AM Alex wrote: > Hi, I think this is another - this one also includes KAM_DMARC_REJECT > > https://pastebin.com/9g9VrgVK > > * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily > * valid > * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from > author's > * domain > * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature > * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message > * and the domain has a DMARC reject policy > * 1.8 DMARC_REJECT DMARC reject policy > > Can this info even be added to the welcomelist or will that also now fail? > > > > On Sun, May 22, 2022 at 11:10 AM Alex wrote: > >> Hi, is it possible the DMARC_REJECT problem still exists? >> >> https://pastebin.com/DCu9cq4t >> >> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature >> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily >> * valid >> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from >> author's >> * domain >> * 1.8 DMARC_REJECT DMARC reject policy >> >> Authentication-Results: xavier.example.com (amavisd-new); >> dkim=pass (1024-bit key) header.d=hotwire.com >> header.b="NEdhsCdV"; >> dkim=pass (1024-bit key) header.d=amazonses.com >> header.b="UglVB1nr" >> >> $ spamassassin --version >> SpamAssassin version 4.0.0-r1900583 >> running on Perl version 5.34.1 >> >> >> On Wed, May 11, 2022 at 9:01 AM Alex wrote: >> >>> Hi, >>> >>> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail >>> wrote: >>> I believe this is a bug and fixed in trunk. On 5/10/2022 1:55 PM, Bill Cole wrote: > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT >>> >>> >>> This was from svn version 1900493. I've now checked out 1900794, but >>> that somehow appears different from the version SA reports? >>> >>> $ spamassassin --version >>> SpamAssassin version 4.0.0-r1900583 >>> running on Perl version 5.34.1 >>> >>> My firstdata email does appear to now pass DKIM properly, >>> without DMARC_REJECT or KAM_DMARC_REJECT. >>> >>> Any idea under what circumstances the DKIM check fails so I can watch >>> for it? Or can we consider it solved? >>> >>> >>>
Re: DMARC fails for valid record?
Hi, I think this is another - this one also includes KAM_DMARC_REJECT https://pastebin.com/9g9VrgVK * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily * valid * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's * domain * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message * and the domain has a DMARC reject policy * 1.8 DMARC_REJECT DMARC reject policy Can this info even be added to the welcomelist or will that also now fail? On Sun, May 22, 2022 at 11:10 AM Alex wrote: > Hi, is it possible the DMARC_REJECT problem still exists? > > https://pastebin.com/DCu9cq4t > > * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature > * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily > * valid > * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from > author's > * domain > * 1.8 DMARC_REJECT DMARC reject policy > > Authentication-Results: xavier.example.com (amavisd-new); > dkim=pass (1024-bit key) header.d=hotwire.com > header.b="NEdhsCdV"; > dkim=pass (1024-bit key) header.d=amazonses.com > header.b="UglVB1nr" > > $ spamassassin --version > SpamAssassin version 4.0.0-r1900583 > running on Perl version 5.34.1 > > > On Wed, May 11, 2022 at 9:01 AM Alex wrote: > >> Hi, >> >> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail >> wrote: >> >>> I believe this is a bug and fixed in trunk. >>> >>> On 5/10/2022 1:55 PM, Bill Cole wrote: >>> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and >>> also DMARC_REJECT and/or KAM_DMARC_REJECT >>> >> >> >> This was from svn version 1900493. I've now checked out 1900794, but that >> somehow appears different from the version SA reports? >> >> $ spamassassin --version >> SpamAssassin version 4.0.0-r1900583 >> running on Perl version 5.34.1 >> >> My firstdata email does appear to now pass DKIM properly, >> without DMARC_REJECT or KAM_DMARC_REJECT. >> >> Any idea under what circumstances the DKIM check fails so I can watch for >> it? Or can we consider it solved? >> >> >>
Re: DMARC fails for valid record?
Hi, is it possible the DMARC_REJECT problem still exists? https://pastebin.com/DCu9cq4t * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily * valid * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's * domain * 1.8 DMARC_REJECT DMARC reject policy Authentication-Results: xavier.example.com (amavisd-new); dkim=pass (1024-bit key) header.d=hotwire.com header.b="NEdhsCdV"; dkim=pass (1024-bit key) header.d=amazonses.com header.b="UglVB1nr" $ spamassassin --version SpamAssassin version 4.0.0-r1900583 running on Perl version 5.34.1 On Wed, May 11, 2022 at 9:01 AM Alex wrote: > Hi, > > On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail > wrote: > >> I believe this is a bug and fixed in trunk. >> >> On 5/10/2022 1:55 PM, Bill Cole wrote: >> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and >> also DMARC_REJECT and/or KAM_DMARC_REJECT >> > > > This was from svn version 1900493. I've now checked out 1900794, but that > somehow appears different from the version SA reports? > > $ spamassassin --version > SpamAssassin version 4.0.0-r1900583 > running on Perl version 5.34.1 > > My firstdata email does appear to now pass DKIM properly, > without DMARC_REJECT or KAM_DMARC_REJECT. > > Any idea under what circumstances the DKIM check fails so I can watch for > it? Or can we consider it solved? > > >