Re: Should we use DKIM and SPF?
there isnt a single one, but you have to do it somthing similar to what gilles did for dkim dkim. so you chose somthing like in my case I use amavisd since I never got spampd to work reliably listening on port 2000 listen on lo port 2001 tag clean accept tagged clean for deliver to mbox accept for domain contoso.tld relay via "smtp://127.0.0.1:2000" Im doing that part from memory but that is the essence of it, the first run of the message it kicks out to amavisd, which runs it through spamassassin then back into smtpd which tags it as clean which gets picked up by the rule that takes tagged messages and delivers them. On Sat, Apr 26, 2014 at 9:10 AM, Stéphane Guedon wrote: > Le samedi 26 avril 2014 07:51:42, vous avez écrit : > > you want to use SPF at the very least, but then back it > > with spampd or amavisd and run it though spamassassin > > that is pretty much a standard stack right there, > > I tried to set it up yesterday. > Complete failed ! > > I would really like to have spamassassin cause it has a lot of > features that may be useful : > > check FROM address in an address book > check gpg sig > > obviously, I looked if spamd can look in a mail adress list. It can't > ! > > Do you know some doc explaining how I can integrate spamassassin in > opensmtpd ? > > > > > On Sat, Apr 26, 2014 at 7:26 AM, Stéphane Guedon > wrote: > > > Le samedi 26 avril 2014 07:20:19, vous avez écrit : > > > > Hi John, > > > > > > > > At 06:04 26-04-2014, John Cox wrote: > > > > >Unfortunately the whole point of SPF (unlike Sender-ID which > > > > >works > > > > >much better and on much the same principles) is that you can > > > > >reject > > > > >the message before receiving it so you wouldn't have the DKIM > > > > >stuff > > > > >(which I think requires you to have the entire message?). > > > > > > > > SPF allows processing using envelope information. DKIM > > > > processing > > > > can only occur after the entire message has been received. > > > > > > > > Regards, > > > > -sm > > > > > > I am myself in need for a good antispam solution with opensmtpd. > > > > > > if dkim (which I don't use yet) and spf are not really working, > > > what's the good way (I am already using spamd, not enough !) > -- Jason Barbier | jab...@serversave.us Pro Patria Vigilans
Re: Should we use DKIM and SPF?
Le samedi 26 avril 2014 07:51:42, vous avez écrit : > you want to use SPF at the very least, but then back it > with spampd or amavisd and run it though spamassassin > that is pretty much a standard stack right there, I tried to set it up yesterday. Complete failed ! I would really like to have spamassassin cause it has a lot of features that may be useful : check FROM address in an address book check gpg sig obviously, I looked if spamd can look in a mail adress list. It can't ! Do you know some doc explaining how I can integrate spamassassin in opensmtpd ? > > On Sat, Apr 26, 2014 at 7:26 AM, Stéphane Guedon wrote: > > Le samedi 26 avril 2014 07:20:19, vous avez écrit : > > > Hi John, > > > > > > At 06:04 26-04-2014, John Cox wrote: > > > >Unfortunately the whole point of SPF (unlike Sender-ID which > > > >works > > > >much better and on much the same principles) is that you can > > > >reject > > > >the message before receiving it so you wouldn't have the DKIM > > > >stuff > > > >(which I think requires you to have the entire message?). > > > > > > SPF allows processing using envelope information. DKIM > > > processing > > > can only occur after the entire message has been received. > > > > > > Regards, > > > -sm > > > > I am myself in need for a good antispam solution with opensmtpd. > > > > if dkim (which I don't use yet) and spf are not really working, > > what's the good way (I am already using spamd, not enough !) signature.asc Description: This is a digitally signed message part.
Re: Should we use DKIM and SPF?
Hi Stéphane, At 07:26 26-04-2014, Stéphane Guedon wrote: I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) I assume that you are looking for software which is free. I'll suggest SpamAssassin. You can use DKIM verification and SPF tests as additional input for SpamAssassin to evaluate whether a message can be considered as spam. There may be some free code available to interface opensmtpd and SpamAssassin. Regards, -sm -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
you want to use SPF at the very least, but then back it with spampd or amavisd and run it though spamassassin that is pretty much a standard stack right there, On Sat, Apr 26, 2014 at 7:26 AM, Stéphane Guedon wrote: > Le samedi 26 avril 2014 07:20:19, vous avez écrit : > > Hi John, > > > > At 06:04 26-04-2014, John Cox wrote: > > >Unfortunately the whole point of SPF (unlike Sender-ID which works > > >much better and on much the same principles) is that you can reject > > >the message before receiving it so you wouldn't have the DKIM stuff > > >(which I think requires you to have the entire message?). > > > > SPF allows processing using envelope information. DKIM processing > > can only occur after the entire message has been received. > > > > Regards, > > -sm > > I am myself in need for a good antispam solution with opensmtpd. > > if dkim (which I don't use yet) and spf are not really working, what's > the good way (I am already using spamd, not enough !) -- Jason Barbier | jab...@serversave.us Pro Patria Vigilans
Re: Should we use DKIM and SPF?
Le samedi 26 avril 2014 07:20:19, vous avez écrit : > Hi John, > > At 06:04 26-04-2014, John Cox wrote: > >Unfortunately the whole point of SPF (unlike Sender-ID which works > >much better and on much the same principles) is that you can reject > >the message before receiving it so you wouldn't have the DKIM stuff > >(which I think requires you to have the entire message?). > > SPF allows processing using envelope information. DKIM processing > can only occur after the entire message has been received. > > Regards, > -sm I am myself in need for a good antispam solution with opensmtpd. if dkim (which I don't use yet) and spf are not really working, what's the good way (I am already using spamd, not enough !) signature.asc Description: This is a digitally signed message part.
Re: Should we use DKIM and SPF?
Hi John, At 06:04 26-04-2014, John Cox wrote: Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). SPF allows processing using envelope information. DKIM processing can only occur after the entire message has been received. Regards, -sm -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
> > Unfortunately the whole point of SPF (unlike Sender-ID which works > much better and on much the same principles) is that you can reject > the message before receiving it so you wouldn't have the DKIM stuff > (which I think requires you to have the entire message? How about I try this again aimed at the mailing list, Sender-ID really doesn't work any better than SPF for the same reasons SPF tends to be broken lots of mail masters abuse it and set the values wrong. Like my big pet peeve is people who finally know they have sender-id/SPF working so they are past the transition stage and don't swap to -all. By spec I cant reject messages from mail exchangers claiming to be from their domain since the spec says with ~all this is only an approximation of what may be sending from their domain. But the idea is to reject or round file illegitimate mail before it gets to the user. With DKIM you really just need the DKIM part of the header to tell if you can bin the message, but at that point you just may as well have the message but you could in theory round file it if it fails before it got to the more system intensive scanners like virus or spam scans. At least thats my preferred way to handle SPF+DKIM. -- Jason Barbier | jab...@serversave.us Pro Patria Vigilans
Re: Should we use DKIM and SPF?
On 2014-04-26 Sat 14:04 PM |, John Cox wrote: > > Unfortunately the whole point of SPF (unlike Sender-ID which works > much better and on much the same principles) is that you can reject > the message before receiving it > That's the idea, but it is often abused by dumb hostmasters (e.g: google) publishing their entire address space. Infected PCs in the sales office, employee WiFi zones, tape silos, routers, web servers, etc... are not valid mail exchangers, so SPF records of 'valid sending IP address' can't be trusted. SPF might be slightly helpful, but it is not reliable. -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
On Fri, 25 Apr 2014 06:55:48 -0700, you wrote: >On Thu, Apr 24, 2014 at 11:13 AM, Ashish SHUKLA wrote: > >> On Sat, 19 Apr 2014 08:26:59 +0200, Martin Braun >> said: >> > Hi >> >> > I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I >> > have previously run with those, but I am in doubt. >> >> > I am thinking about the "worth" of those technologies? >> >> > I used to think SPF was a good idea, but SPF fails if someone forwards >> > email to another server. Then the forwarding server is not listed in >> > the SPF entry and the destination mail server will reject the email. >> >> SRS[1][2]. >> >> References: >> [1] http://www.openspf.org/SRS >> [2] http://www.libsrs2.org/ >> >> SPF itself is a decent idea this was just bound to happen since it makes >the assumption that all valid mail from a domain >only comes from servers that the domain knows about which may not >necessarily be the case (see mailing lists) but this is >one of the reasons to use both DKIM and SPF. generally if one passes it >scores high enough to cancel out that the other failed. >DKIM is supposed to prove that messages are authentic, not SPF. SPF is >setup to prove that a sending server has the right >to send on behalf of a domain. They really are meant to work hand in hand >and solve different problems. So if you were using DKIM and SPF >SRS would not be an issue since the DKIM info in the header proves the >message came from a valid source. Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?). JC -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org