On 8/03/25 04:04, Petko Manolov wrote:

> Thanks for the detailed explanation, a few details are new to me.

I should make a couple of clarifications that became apparent to me after I had sent the response. The headers you posted would have been from the bounce message; you never received the original message because it was rejected. This explains why the SPF result mentions the HELO domain but not the envelope sender domain (because the latter was the null sender and thus did not have a domain).

> I was hoping that I've configured the milters in a way that failing spf or dkim
> test (especially both) will tell postfix to drop this message.

You configured it to *reject* messages that failed SPF as was apparent by the rejection of the first message in your logs. "Reject" is distinctly different from "drop" and you should be doing the former but not the latter (so it's a good thing that it rejected as opposed to drop).

As I previously mentioned, neither SPF nor DKIM failed in the second (bounce) message because there were no SPF or DKIM records to check.

> I am aware that
> neither of the two is mandatory and I may end up ignoring legitimate messages,
> but this is what I would like opendmarc+postfix to be doing for the time being.

I would not recommend dropping messages that are missing SPF or DKIM; you will end up dropping a lot of legitimate mail if you do this. If you want, a better idea might be to have it affect the SPAM score in a system such as rspamd, so that a missing record does not in and of itself cause a message to be rejected, but combined with other factors it can cause that message to be flagged as SPAM.

> Here's the place to ask - how?  Are my spf and opendmarc configurations not
> strict enough or is it something else?

As stated above, your SPF milter is configured to reject messages that fail the SPF check, but a missing SPF record is not considered a "fail". I cannot speak for your opendmarc configuration, but I would hazard a guess that it is configured the same. It is likely possible to configure them to also reject messages that are missing the SPF or DKIM records altogether, but how to do that is off-topic for the postfix list.

> Yes, thanks.  The fog is slowly lifting up, but there are still some blind
> spots.  Do you think postscreen would have helped here?

Postscreen can help insofar as it is configured to do so; just blindly enabling postscreen is not likely to help and could result in legitimate mail being significantly delayed or worse. If you're interested in using postscreen, please read the following first:

http://www.postfix.org/POSTSCREEN_README.html
http://www.postfix.org/postscreen.8.html

Also all of the postscreen-related settings in postconf(5):
http://www.postfix.org/postconf.5.html#postscreen_access_list

After that if you have any questions please feel free to ask them here. I suggest starting a new thread for that, though.


Peter
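
An added example, not part of Peter's message and not Postfix or rspamd code: a small scorer that reads an Authentication-Results header value and shows how an SPF "fail" is rejected outright while a missing record ("none") only adds to a score that other factors must push over a threshold. The weights, thresholds, function names and the sample header are assumptions constructed for illustration.

```python
import re

# Hypothetical weights and thresholds for illustration; not rspamd defaults.
WEIGHTS = {
    ("spf", "fail"): 8.0, ("spf", "softfail"): 2.0, ("spf", "none"): 1.0,
    ("dkim", "fail"): 3.0, ("dkim", "none"): 1.0,
    ("dmarc", "fail"): 8.0,
}
REJECT_AT = 8.0   # answer with an SMTP 5xx so the sender learns of the failure
FLAG_AT = 4.0     # deliver, but mark as spam

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def auth_results(header_value):
    """Return {method: result} from an Authentication-Results header value."""
    # Strip parenthesised comments so text inside them is never parsed as a result.
    no_comments = re.sub(r"\([^()]*\)", " ", header_value)
    results = {}
    for method, result in RESULT_RE.findall(no_comments):
        method, result = method.lower(), result.lower()
        # Several DKIM signatures may be reported; one "pass" is enough.
        if results.get(method) != "pass":
            results[method] = result
    return results

def verdict(header_value, other_score=0.0):
    """Return (action, score); other_score stands in for content/reputation checks."""
    results = auth_results(header_value)
    score = other_score
    for method in ("spf", "dkim"):
        # A method the header does not mention is treated as "none".
        score += WEIGHTS.get((method, results.get(method, "none")), 0.0)
    score += WEIGHTS.get(("dmarc", results.get("dmarc")), 0.0)
    # There is deliberately no "discard" action: the choices are reject, flag or accept.
    if score >= REJECT_AT:
        return "reject", score
    if score >= FLAG_AT:
        return "flag", score
    return "accept", score

# Constructed sample: a bounce with a null sender and no SPF or DKIM records.
BOUNCE = "mx.example.org; spf=none (no SPF record) smtp.helo=relay.example.net; dkim=none"

if __name__ == "__main__":
    print(verdict(BOUNCE))
    print(verdict(BOUNCE, other_score=3.0))
```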
