On 11.09.24 15:49, natan via Postfix-users wrote:
My own user has the domain example.com and sends email from us...@example.com
example.com has DKIM-signed e-mail and SPF, and _dmarc.example.com with policy "p-reject"

My server (my MX) checks via milter opendkim and opendmarc like:
....
#opendkim+opendmarc
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321
non_smtpd_milters = inet:localhost:54321,inet:127.0.0.1:8891
milter_default_action = accept
milter_protocol = 6

all good so far.

My other user has the domain examle1.com.
All works fine connecting from examle1.com to examle.com

Again: example1.com, examle.com and examle1.com are not reserved names,
example.net or example.org are.

If one of my users uses a sieve filter that modifies the subject, the first e-mail from external us...@example.com to my us...@examle1.com works perfectly. But if my user will replay TO:, the message cannot be delivered and I get the return "Message not delivered"

1.
The message is verified by postfix, headers are modified by sieve and stored to incoming mailbox.
Thus, message in mailbox is not DKIM-valid because headers were modified.

2.
will "replay" how?

if you use feature known as "bounce" in mutt or "mail redirect" in mozilla, (I think it's called "redirect" in Outlook rules) then yes, this way MUA is resending the mail as-is, thus with invalid DKIM signature. I can recommend using mail forward, either as attachment or inline, this way
it's clear that mail comes from your us...@example.com

3.
You have stated above that example.com is your domain, and now you call it external.
Please be careful when providing redacted domain names.



Sep  2 14:16:01 thebe-tmp opendkim[475568]: 4Wy75F6BFnz1DDm8: s=mail d=example.com a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature
Sep  2 14:16:01 thebe-tmp opendkim[475568]: 4Wy75F6BFnz1DDm8: bad signature data
Sep  2 14:16:01 thebe-tmp opendmarc[469429]: 4Wy75F6BFnz1DDm8: SPF(mailfrom): example.com fail
Sep  2 14:16:01 thebe-tmp opendmarc[469429]: 4Wy75F6BFnz1DDm8: example.com fail

I would like to remind you that I have separate environments for outgoing and incoming mail.

This looks like your outgoing mailserver is validating and rejecting mail sent by your user. This is problem described in point 2. above.

Of course, if I add addresses to trusted ones regarding ignoring dmarc and dkim, it works correctly. I assume that when sending such e-mails with someone from the outside, i.e. an external domain, the effect will be the same, but I have no way to check when two domains have dmarc with p=reject
Yes, I know it seems complicated but it isn't.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
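
An added illustration of point 1 in the reply above (not code from the thread or from opendkim): it builds the header data a DKIM signature covers under relaxed canonicalization (RFC 6376) and shows which mailbox-side changes alter it. The addresses, header values, the X-Sieve-Tag header and the bh=/b= values are constructed, and no RSA verification is performed.

```python
import hashlib
import re

def relaxed(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}"

def header_hash(headers, dkim_sig):
    """SHA-256 over the headers named in h=, then the signature with b= emptied."""
    tags = dict(t.strip().split("=", 1) for t in dkim_sig.split(";") if "=" in t)
    remaining = list(headers)                      # (name, value), top to bottom
    data = ""
    for wanted in tags["h"].split(":"):
        # each h= entry consumes the bottom-most unused header of that name
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.strip().lower():
                data += relaxed(*remaining.pop(i)) + "\r\n"
                break
    unsigned = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", dkim_sig)
    data += relaxed("DKIM-Signature", unsigned)    # no trailing CRLF on this one
    return hashlib.sha256(data.encode()).hexdigest()

def with_header(headers, name, value):
    """Copy of headers with one header's value replaced (name given in lowercase)."""
    return [(n, value if n.lower() == name else v) for n, v in headers]

# Constructed sample: d= and s= match the log above, everything else is made up.
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; "
       "h=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED")
ORIGINAL = [("From", " Alice <alice@example.com>"),
            ("To", " bob@example.net"),
            ("Subject", " Quarterly report"),
            ("Date", " Mon, 02 Sep 2024 14:15:58 +0200")]

BASE = header_hash(ORIGINAL, SIG)
# Re-folding and whitespace changes are absorbed by relaxed canonicalization.
REFOLDED = header_hash(with_header(ORIGINAL, "subject", " Quarterly\r\n\t report"), SIG)
# A new header that is not listed in h= is outside the signature (hypothetical name).
EXTRA = header_hash([("X-Sieve-Tag", " external")] + ORIGINAL, SIG)
# Rewriting a signed header, as the Sieve subject rule does, changes the hash.
TAGGED = header_hash(with_header(ORIGINAL, "subject", " [EXT] Quarterly report"), SIG)

if __name__ == "__main__":
    print("refolded subject still matches:", REFOLDED == BASE)
    print("unsigned header added, still matches:", EXTRA == BASE)
    print("subject rewritten, still matches:", TAGGED == BASE)
```

A message whose signed header data has changed this way fails verification wherever it is re-checked, which is what the opendkim "bad signature" lines record when the stored copy is resent as-is.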
