Hi,

On Sat, May 6, 2017 at 10:10 AM, David Jones <djo...@ena.com> wrote:
> From: Thore Boedecker <m...@foxxx0.de>
>
>>Hello folks,
>
>>over the last couple of months I have received some nasty spam,
>>delivered by the Yahoo mail servers.
>
>>After looking at the headers it became clear what the issue was:
>
> Please post the email in pastebin.com or something so we can
> help.
>
>>It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
>>@gmail.com senders to be sent through their servers.
>>The funny thing is that there is a @gmail.com address in both the
>>'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
>>'Reply-To:' and 'Sender:' headers.
>>Somehow Yahoo sees no problem in that and is happy to DKIM sign those
>>emails with a correct *Yahoo* signature.
>
>>Over on my side, the receiving end of these emails, there is my
>>spamassassin. SA discovers the DKIM signature and is able to validate
>>this signature against the Yahoo server, which is totally undesirable
>>in my opinion.
>
> DKIM is only meant to authenticate that the emails did come from
> a Yahoo server. It has nothing to do with authorization, which is what
> you are looking for. SPF handles authorization, so these emails should
> have an SPF_FAIL rule hit that we can confirm once we see it in
> pastebin.com.
>
>>Maybe strict DKIM alignment is not always the best choice, because
>>sometimes the emails are signed by different servers without sharing
>>one signing key for the entire domain.
>
>>So is there any way to make SA perform at least a relaxed DKIM
>>alignment check on the headers so that the DKIM signature domain has
>>to belong to the 'From:' address?
>
> This is done by DMARC. Currently you have to implement something
> like OpenDMARC in your MTA and then add custom rules that use the
> headers added specifically by your MTA (yourserverhere).
>
> header DMARC_PASS Authentication-Results =~ /yourserverhere; dmarc=pass/
> describe DMARC_PASS DMARC check passed
> score DMARC_PASS -0.01
>
> header DMARC_FAIL Authentication-Results =~ /yourserverhere; dmarc=fail/
> describe DMARC_FAIL DMARC check failed
> score DMARC_FAIL 0.01
>
> header DMARC_NONE Authentication-Results =~ /yourserverhere; dmarc=none/
> describe DMARC_NONE DMARC check neutral
> score DMARC_NONE 0.01
RW posted some rules around this time last year:
https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html

How is this different/better? We have openDMARC running on one of our
systems, but that's for your own mail. How does it work with SA?
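As an added illustration, not code from this thread or from SpamAssassin or OpenDMARC, here is the DMARC identifier alignment check David describes, run in Python over a constructed message shaped like the one Thore reported: the Yahoo DKIM signature may verify, but its d= domain does not align with the gmail.com From:, which is what DMARC adds on top of DKIM. The public-suffix set and the sample headers are constructed; a real check loads the full Public Suffix List and only trusts a d= domain whose signature has already verified.

```python
import re
import email.utils
from email import message_from_string, policy

# Constructed subset of the Public Suffix List; a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "jp", "co.jp", "ne.jp"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts any domain sharing the organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def header_domain(msg, name):
    """Domain part of the address in a single-address header such as From:."""
    addr = email.utils.parseaddr(str(msg.get(name, "")))[1]
    return addr.rpartition("@")[2].lower()

def dkim_domain(msg):
    """The d= tag of the DKIM-Signature header, i.e. who signed the message."""
    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    return m.group(1).lower() if m else ""

def dmarc_alignment(raw, mode="r"):
    """Return (From: domain, DKIM signing domain, aligned?). Assumes the
    signature itself already verified, as SA's DKIM check establishes."""
    msg = message_from_string(raw, policy=policy.default)
    f, d = header_domain(msg, "From"), dkim_domain(msg)
    return f, d, bool(d) and aligned(f, d, mode)

# Constructed message shaped like the one described in the thread (not a real capture).
SAMPLE = """\
Return-Path: <someone@gmail.com>
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.co.jp; s=sel; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: someone@gmail.com
Sender: other@yahoo.com
Reply-To: other@yahoo.com

body
"""
```

Calling dmarc_alignment(SAMPLE) yields ('gmail.com', 'yahoo.co.jp', False): authenticated by Yahoo, not aligned with the From: domain, so DMARC would not pass even though the DKIM signature is valid.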