On 11.09.24 15:49, natan via Postfix-users wrote:
My own user have domain example.com and send email from us...@example.com
example.com have signed e-mail DKIM and SPF and _dmarc.example.com
with politic "p-reject"
my server (my MX) check via milter opendkim and opendmarc like:
....
#opendkim+opendmarc
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:54321
non_smtpd_milters = inet:localhost:54321,inet:127.0.0.1:8891
milter_default_action = accept
milter_protocol = 6
all good so far.
My other user have domain examle1.com.
All works fine with connect from examle1.com to examle.com
Again: example1.com, examle.com and examle1.com are not reserved names,
example.net or example.org are.
If my user one of them use filter sieve with modyfy subject first
e-mail from external us...@example.com to my us...@examle1.com works
perfectly. But if my user will repllay TO: message cannot be delivery
and i get return "Message not delivered"
1.
the mesage is verified by postfix, headers are modified by sieve and
stored to incoming mailbox.
Thus, message in mailbox is not DKIM-valid because headers were modified.
2.
will "replay" how?
if you use feature known as "bounce" in mutt or "mail redirect" in mozilla,
(I think it's called "redirect" in Outlook rules) then yes, this way MUA is
resending the mail as-is, thus with invalid DKIM signature.
I can recommend using mail forward, either as attachment or inline, this way
it's clear that mail comes from your us...@example.com
3.
You have stated above than example.com is your domain, and now you call it
external.
Please be careful when providing redacted domain names.
Sep 2 14:16:01 thebe-tmp opendkim[475568]: 4Wy75F6BFnz1DDm8: s=mail
d=example.com a=rsa-sha256 SSL error:04091068:rsa
routines:int_rsa_verify:bad signature
Sep 2 14:16:01 thebe-tmp opendkim[475568]: 4Wy75F6BFnz1DDm8: bad
signature data
Sep 2 14:16:01 thebe-tmp opendmarc[469429]: 4Wy75F6BFnz1DDm8:
SPF(mailfrom): example.com fail
Sep 2 14:16:01 thebe-tmp opendmarc[469429]: 4Wy75F6BFnz1DDm8:
example.com fail
I would like to remind you that I have separate environments for
outgoing and incoming mail.
This looks like your outgoing mailserver is validating and rejecting mail
sent by your user. This is problem described in point 2. above.
Of course, if I add addresses to trusted ones regarding ignoring dmarc
and dkim, it works correctly
I assume that when sending such e-mails with someone from the outside,
i.e. an external domain, the effect will be the same, but I have no
way to check when two domains have dmarc with p=reject
Yes, I know it seems complicated but it isn't.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
