> On 6. 3. 2025., at 09:28, Petko Manolov via Postfix-users <postfix-users@postfix.org> wrote:
>
> The goal was to have my dmarc config as tight as possible. Namely:
>
> SPFSelfValidate true
> SPFIgnoreResults true
> RejectFailures true
>
> Quoting dmarc documentation re the latter: "If set, messages will be rejected if
> they fail the DMARC evaluation, or temp-failed if evaluation could not be
> completed." This obviously didn't happen.

RejectFailures requires the following conditions (RFC7489 guidelines):

1. Domain's DMARC policy published must specify p=reject, e.g. "v=DMARC1; p=reject".
2. DMARC policy evaluation failed (Unauthenticated RFC5322.From domain).

It is not difficult to override policy published and unconditionally reject DMARC failures. This does not follow RFC7489 guidelines:

/etc/postfix/milter_header_checks:
    /^Authentication-Results:.+dmarc=fail/ REJECT

milter_header_checks (default: empty)

Optional lookup tables for content inspection of message headers that are produced by Milter applications. See the header_checks(5) manual page for available actions. Currently, PREPEND is not implemented.

The following example sends all mail that is marked as SPAM to a spam handling machine. Note that matches are case-insensitive by default.

/etc/postfix/main.cf:
    milter_header_checks = pcre:/etc/postfix/milter_header_checks

/etc/postfix/milter_header_checks:
    /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25

The milter_header_checks mechanism could also be used for allowlisting. For example it could be used to skip heavy content inspection for DKIM-signed mail from known friendly domains.

This feature is available in Postfix 2.7, and as an optional patch for Postfix 2.6.
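
The two behaviours described in the reply above, side by side, as an added example that is not part of the original message: one function applies both RejectFailures conditions, the other mimics the unconditional header check. The headers and DMARC records are constructed samples, the function names are hypothetical, and sp=/pct= handling is left out.

```python
import re

# Approximation of the pcre: table entry from the message. Postfix pcre tables
# default to case-insensitive matching with "." also matching newlines.
UNCONDITIONAL = re.compile(r"^Authentication-Results:.+dmarc=fail",
                           re.IGNORECASE | re.DOTALL)


def published_policy(record):
    """Return the p= tag of a DMARC TXT record, or None if it is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p")


def dmarc_result(header):
    """Extract the dmarc= result from an Authentication-Results header."""
    m = re.search(r";\s*dmarc=(\w+)", header, re.IGNORECASE)
    return m.group(1).lower() if m else None


def policy_bound_reject(header, record):
    """Both conditions from the message: p=reject published AND dmarc=fail."""
    return dmarc_result(header) == "fail" and published_policy(record) == "reject"


def header_check_reject(header):
    """The milter_header_checks rule: reject on dmarc=fail, whatever p= says."""
    return UNCONDITIONAL.search(header) is not None


# Constructed samples: (header as a milter might add it, sender's DMARC record).
SAMPLES = [
    ("Authentication-Results: mx.example.net; dmarc=fail header.from=a.example",
     "v=DMARC1; p=reject"),
    ("Authentication-Results: mx.example.net; dmarc=fail header.from=b.example",
     "v=DMARC1; p=none; rua=mailto:reports@b.example"),
    ("Authentication-Results: mx.example.net;\n\tdmarc=pass header.from=c.example",
     "v=DMARC1; p=reject"),
]


def compare(samples=SAMPLES):
    """Return (policy_bound, header_check) reject decisions per sample."""
    return [(policy_bound_reject(h, r), header_check_reject(h)) for h, r in samples]
```

The second sample is the case from the thread: a failing message from a domain that publishes p=none is accepted under the policy-bound rule and rejected by the header check.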