[pfx] Re: [ext] Re: DKIM and DMARC
Tom Reed via Postfix-users skrev den 2023-05-17 09:31: On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote: dmarc does not imho use ARC results yet :/ You must configure trusted ARC signers. You can't blindly trust ARC just like you can't blindly trust SPF May I ask what policyd or milter you use for SPF checks? sadly none exists imho, only sid-milter does, if it could turn of spfv2/pra it would be ok, https://www.freshports.org/mail/py-spf-engine/ best option, hopefully it can run on python 3.11 soon ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: DKIM and DMARC
Matus UHLAR - fantomas via Postfix-users skrev den 2023-05-17 09:28: On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote: dmarc does not imho use ARC results yet :/ You must configure trusted ARC signers. You can't blindly trust ARC just like you can't blindly trust SPF i recheck my opendmarc.conf ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: DKIM and DMARC
On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote: dmarc does not imho use ARC results yet :/ You must configure trusted ARC signers. You can't blindly trust ARC just like you can't blindly trust SPF On 17.05.23 15:31, Tom Reed via Postfix-users wrote: May I ask what policyd or milter you use for SPF checks? I use pyspf-milter, the same source spf-engine provides policyd package. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "They say when you play that M$ CD backward you can hear satanic messages." "That's nothing. If you play it forward it will install Windows." ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: DKIM and DMARC
> On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote: >>dmarc does not imho use ARC results yet :/ > > You must configure trusted ARC signers. > You can't blindly trust ARC just like you can't blindly trust SPF > May I ask what policyd or milter you use for SPF checks? -- sent from https://dkinbox.com/ ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: DKIM and DMARC
On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote: dmarc does not imho use ARC results yet :/ You must configure trusted ARC signers. You can't blindly trust ARC just like you can't blindly trust SPF -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. How does cat play with mouse? cat /dev/mouse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: DKIM and DMARC
Ralf Hildebrandt via Postfix-users skrev den 2023-05-16 15:20: * Scott Kitterman via Postfix-users : DKIM has no policy mechanism associated with it, so there's no basis in any standardized mechanism to determine if a DKIM failure should be cause for rejection. I don't think it makes logical sense to treat a message with a DKIM signature that failed to verify any more harshly than you would unsigned mail. DMARC does have such a policy component. Rejecting mail which fails DMARC for domains that have a policy of p=reject is common. DMARC does have a high error rate for some types of email, so I would recommend a careful evaluation of what you would be rejecting before you do so. I always thought DMARC was the policy component for DKIM. dmarc does not imho use ARC results yet :/ we all are useing unstable unfinished software, take it over to rspamd, make sure rspamd ARC-seal ARC-sign before mailman see maillist postimgs. then it works as designed, last thing dont dkim sign if not originating mails, how many rejects are there on digest maillist ? :=) ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: DKIM and DMARC
* Scott Kitterman via Postfix-users : > DKIM has no policy mechanism associated with it, so there's no basis in any > standardized mechanism to determine if a DKIM failure should be cause for > rejection. I don't think it makes logical sense to treat a message with a > DKIM signature that failed to verify any more harshly than you would unsigned > mail. > > DMARC does have such a policy component. Rejecting mail which fails DMARC > for domains that have a policy of p=reject is common. DMARC does have a high > error rate for some types of email, so I would recommend a careful evaluation > of what you would be rejecting before you do so. I always thought DMARC was the policy component for DKIM. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | https://www.charite.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org