Hi
I would be happy to privately send sample emails with someone between
domains that have a DMARC reject policy.
On 11.09.2024 at 15:49, natan via Postfix-users wrote:
On 11.09.2024 at 15:14, Matus UHLAR - fantomas via Postfix-users wrote:
On 11.09.24 09:11, natan via Postfix-users wrote:
The problem is with DKIM signing when I try to reply to a message
and the external recipient has DMARC verification.
If I have a p=none policy in DMARC it works correctly, but if
p=reject it is known - the message is rejected due to an error for
DKIM, because DKIM also signs the subject and it is changed by sieve.
what error exactly happens here? Does the remote server refuse your
e-mail from your smtp server?
1) case
My own user has domain example.com and sends email from us...@example.com
example.com has DKIM-signed e-mail and SPF and _dmarc.example.com
with policy "p=reject"
my server (my MX) checks via milter opendkim and opendmarc like:
....
#opendkim+opendmarc
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321
non_smtpd_milters = inet:localhost:54321,inet:127.0.0.1:8891
milter_default_action = accept
milter_protocol = 6
.....
My other user has domain examle1.com.
All works fine with connect from examle1.com to examle.com
but
if one of my users uses a sieve filter that modifies the subject, the first
e-mail from external us...@example.com to my us...@examle1.com works
perfectly. But if my user will reply TO: the message cannot be delivered
and I get the return "Message not delivered"
Sep 2 14:16:01 thebe-tmp opendkim[475568]: 4Wy75F6BFnz1DDm8: s=mail d=example.com a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature
Sep 2 14:16:01 thebe-tmp opendkim[475568]: 4Wy75F6BFnz1DDm8: bad signature data
Sep 2 14:16:01 thebe-tmp opendmarc[469429]: 4Wy75F6BFnz1DDm8: SPF(mailfrom): example.com fail
Sep 2 14:16:01 thebe-tmp opendmarc[469429]: 4Wy75F6BFnz1DDm8: example.com fail
I would like to remind you that I have separate environments for
outgoing and incoming mail.
Of course, if I add addresses to trusted ones regarding ignoring dmarc
and dkim, it works correctly
I assume that when sending such e-mails with someone from the outside,
i.e. an external domain, the effect will be the same, but I have no
way to check when two domains have dmarc with p=reject
Yes, I know it seems complicated but it isn't.
On 11.09.2024 at 11:34, Matus UHLAR - fantomas via Postfix-users wrote:
how and when do you DKIM-SIGN your outgoing mail? This looks like
you first sign outgoing mail and then modify it so DKIM signature
gets invalidated.
On 11.09.24 15:01, natan via Postfix-users wrote:
user send e-mail via server "only for send" smtp.domain.ltd
smtp.domain.ltd have postfix:
FYI you should use example.com, example.net or other reserved domain
name instead of randomly selected example.com
Ok, thanks
...
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
this milter should DKIM-sign messages your users send.
....
e-mail goes to my physically separate machine (MX) like mx.domain.ltd
...
virtual_transport = lmtp:inet:10.12.12.1:24
...
and via lmtp it goes to the dovecotdirector cluster (I have 20 dovecot nodes)
every dovecot connects via nfs to storage
and every user has their own sieve and sieve adds headers
The sieve filter has individual exceptions and a set of dependencies
set
Of course, this is an additional safeguard that can help
--
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
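
An added example, not part of the thread or of any poster's setup: a small diagnostic for the situation discussed above, listing which headers named in the DKIM-Signature h= tag differ (after RFC 6376 relaxed canonicalization) between the copy that was signed and the copy after local filtering. The messages, the "[EXTERNAL]" subject tag and the function names are constructed for illustration; the script compares headers only and does not verify the signature or the body hash.

```python
import re
from email import message_from_string

def relaxed(name, value):
    """RFC 6376 'relaxed' canonical form of one header field."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse runs of whitespace
    return f"{name.lower()}:{value}"

def signed_headers(msg):
    """Lower-cased header names from the h= tag of the first DKIM-Signature."""
    sig = re.sub(r"\s+", "", msg["DKIM-Signature"] or "")
    tags = dict(t.split("=", 1) for t in sig.split(";") if "=" in t)
    return [h.lower() for h in tags.get("h", "").split(":") if h]

def changed_signed_headers(signed_raw, delivered_raw):
    """Signed headers whose canonical form differs between the two copies."""
    signed = message_from_string(signed_raw)
    delivered = message_from_string(delivered_raw)
    changed = []
    for name in signed_headers(signed):
        before = [relaxed(name, v) for v in signed.get_all(name, [])]
        after = [relaxed(name, v) for v in delivered.get_all(name, [])]
        if before != after:
            changed.append(name)
    return changed

# Constructed sample message; bh= and b= are placeholders, not real signatures.
ORIGINAL = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail;\n"
    "\th=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: user@example.com\n"
    "To: user@example.net\n"
    "Subject: Invoice   for September\n"
    "Date: Mon, 2 Sep 2024 14:15:58 +0200\n"
    "\n"
    "body\n"
)
# A filter prefixes the signed Subject and adds an unsigned header.
TAGGED = ORIGINAL.replace("Subject: Invoice   for",
                          "X-Sieve-Tag: yes\nSubject: [EXTERNAL] Invoice for")
# Only whitespace and folding change: relaxed canonicalization tolerates this.
REFOLDED = ORIGINAL.replace("Subject: Invoice   for September",
                            "Subject:  Invoice for\n September")

if __name__ == "__main__":
    print("tagged:  ", changed_signed_headers(ORIGINAL, TAGGED))
    print("refolded:", changed_signed_headers(ORIGINAL, REFOLDED))
```

An added header that is not listed in h= is not reported, while any rewrite of a listed header such as Subject is.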