Marko Cupać via Postfix-users wrote on 2025-07-17 13:08:
> Hi,
>
> I have postfix set up with opendmarc and opendkim:
>
> milter_default_action = accept
> smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
> non_smtpd_milters = $smtpd_milters
>
> This works as intended (rejecting mails which violate dmarc policies).
> There are some "valid" senders which seem to violate their own policies
> (below is a log excerpt for a denied password reset email from Sony):
>
> Jul 17 11:14:36 fbsd1 postfix/cleanup[68100]: 5FFB746F22B:
> message-id=<5ebed326-56e5-4bb5-85fe-09f02e822...@iad4s12mta429.xt.local>
> Jul 17 11:14:36 fbsd1 opendkim[91485]: 5FFB746F22B:
> mta3.txn-email03.playstation.com [13.110.224.213] not internal
> Jul 17 11:14:36 fbsd1 opendkim[91485]: 5FFB746F22B: not authenticated
> Jul 17 11:14:36 fbsd1 opendkim[91485]: 5FFB746F22B: message has
> signatures from email03.account.sony.com, s12.y.mc.salesforce.com
> Jul 17 11:14:36 fbsd1 opendkim[91485]: 5FFB746F22B: s=12dkim1
> d=email03.account.sony.com SSL
> Jul 17 11:14:36 fbsd1 opendmarc[89790]: 5FFB746F22B: SPF(mailfrom):
> bounce.txn-email03.playstation.com pass
> Jul 17 11:14:36 fbsd1 opendmarc[89790]: 5FFB746F22B:
> email03.account.sony.com fail
> Jul 17 11:14:36 fbsd1 postfix/cleanup[68100]: 5FFB746F22B:
> milter-reject: END-OF-MESSAGE from
> mta3.txn-email03.playstation.com[13.110.224.213]: 5.7.1 rejected by
> DMARC policy for email03.account.sony.com;
> from=<bounce-6_html-348233145-1287-534001850-1423...@bounce.txn-email03.playstation.com>
> to=<u...@example.org> proto=ESMTP
> helo=<mta3.txn-email03.playstation.com>
> Jul 17 11:14:36 fbsd1 postfix/cleanup[68100]: 5FFB746F22B: removed
> (canceled)
> Jul 17 11:14:36 fbsd1 postfix/smtpd[67964]: disconnect from
> mta3.txn-email03.playstation.com[13.110.224.213] ehlo=2 starttls=1
> mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
>
> What is the most appropriate way to selectively accept those emails?

Nothing; opendmarc uses the policy from the domain owner to reject it, so
opendmarc did this :)

To solve it locally, simply add the SPF IPs for this domain that pass to

smtpd_milter_maps = cidr:/etc/postfix/skip_milters.cidr

In skip_milters.cidr:

127.0.0.1 DISABLE
::1 DISABLE

Add more IPs as needed.

It's sadly a waste to do in opendkim/opendmarc.

> I am aware this does not have to be just postfix related as it
> includes third party software such as opendkim and opendmarc, but I
> know many skilled postmasters read this list, perhaps someone will
> point me in the right direction.
>
> Thank you in advance,

opendkim has Lua support in some cases; make a Lua script there that gives
a DMARC none policy, or just change fail to pass in Lua. This should, in
DMARC testing, accept the problem. Your setup should not reject based on
DKIM only, so the fo=1; in the DMARC policy is not correct.

All that said, try configuring opendkim to not reject anything, and the
same in opendmarc.

I don't use opendkim/opendmarc anymore; too buggy software imho.

Heads up for the AuthRes and DMARC plugins in SpamAssassin.
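
Added example, not part of the original thread: one way to build the entries for the skip_milters.cidr table suggested above from Postfix's own "rejected by DMARC policy" log lines, limited to From: domains the administrator has chosen to exempt. The function names, the allow-list parameter and the sample log lines (documentation addresses, one event per line) are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (one event per line, as syslog writes them);
# hosts and addresses use documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Jul 17 11:14:36 mx1 postfix/cleanup[68100]: 5FFB746F22B: milter-reject: END-OF-MESSAGE from mta3.sender.example[192.0.2.13]: 5.7.1 rejected by DMARC policy for account.sender.example; from=<bounce@bounce.sender.example> to=<user@example.org> proto=ESMTP helo=<mta3.sender.example>
Jul 17 11:20:02 mx1 postfix/cleanup[68111]: 6A1C246F230: milter-reject: END-OF-MESSAGE from mta3.sender.example[192.0.2.13]: 5.7.1 rejected by DMARC policy for account.sender.example; from=<bounce@bounce.sender.example> to=<user@example.org> proto=ESMTP helo=<mta3.sender.example>
Jul 17 11:21:40 mx1 postfix/cleanup[68120]: 7B2D346F231: milter-reject: END-OF-MESSAGE from unknown[2001:db8::25]: 5.7.1 rejected by DMARC policy for other.example; from=<x@other.example> to=<user@example.org> proto=ESMTP helo=<mail.other.example>
Jul 17 11:22:10 mx1 postfix/smtpd[67964]: disconnect from mta3.sender.example[192.0.2.13] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
"""

REJECT = re.compile(
    r"milter-reject: END-OF-MESSAGE from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"5\.7\.1 rejected by DMARC policy for (?P<domain>[^;\s]+);"
)

def dmarc_rejects(log_text):
    """Count DMARC milter rejects per (client IP, client host, From: domain)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])  # raises ValueError on a malformed address
            hits[(ip, m["host"], m["domain"])] += 1
    return hits

def cidr_entries(hits, allowed_domains):
    """Render cidr: table lines, only for domains the admin decided to exempt."""
    lines = []
    for (ip, host, domain), n in sorted(hits.items(), key=lambda kv: str(kv[0][0])):
        if domain in allowed_domains:
            # cidr tables only allow comments on their own line
            lines.append(f"# {host}, {domain}, {n} rejects")
            lines.append(f"{ip}/{ip.max_prefixlen} DISABLE")
    return lines

if __name__ == "__main__":
    print("\n".join(cidr_entries(dmarc_rejects(SAMPLE_LOG), {"account.sender.example"})))
```

DISABLE turns off every milter for the matching client, so mail from those addresses also skips DKIM verification; keep the table to single hosts and review it when the sender changes its outbound addresses.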