Hi Robert :-)

> On 02.12.2014 at 11:28, Robert Schetterer <[email protected]> wrote:
>
> On 02.12.2014 at 10:41, Christian Rößner wrote:
>> Hi,
>>
>> simple question:
>>
>> at which point does Postfix add the Return-Path header? Which component is doing
>> that?
>>
>> Is it also possible to see this header in a milter? In my tests on a
>> submission connector, I do not get this header.
>>
>> Background to my question: If I really want to do SPF/DKIM/DMARC checks at
>> submission time, I could shoot myself in the foot, if I am not only checking
>> for DMARC, but also have my own domain under a DMARC policy. In that case,
>> SPF would always fail. If I read the RFC for SPF correctly, SPF must use the
>> Return-Path.
>
> I don't think it makes no sense to check SPF at submission (unless for
> exotic reasons). DKIM could be "sign only" with submission. OK, as
> DMARC depends on the results of the SPF and DKIM milters before it, it gets more
> difficult, but it might be configured with milter options, like ignore etc.
> The cleanest way might be having second instances of the milters and
> other configs depending on smtpd and/or submission.
> But what are you trying to achieve exactly? Please describe a real-world
> scenario.

Okay. I see several directions in which a mail system is processing mail. We have mail coming from the outside and we have mail coming from (local) users. In a very simplified way.

Now, some people fight against spam coming from the outside, but do not do very much to avoid sending spammy mail from inside to outside.

What mechanisms do we have? Blacklists, spam scanners, DMARC, … for incoming mail.

??? What for mails from ourselves to the world? Maybe reject_sender_login_mismatch. German law does not allow scanning for spam. So I thought, why not use mechanisms from incoming mail for outgoing mail that do not conflict with the law. And therefore I thought about using DMARC as well, which would protect outgoing mail from spoofed headers for domains that already have defined DMARC policies.

So if Yahoo, Microsoft, AOL and all the others have defined DMARC, why should I even allow users to send mails with a spoofed From: (the envelope sender is caught by reject_sender_login_mismatch), if I could do a quick check for DMARC?

Is this wrong thinking? I thought about your words: Fight problems at the source.

Kind regards
Christian

--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
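
The submission-time check discussed in the message above, as an added example that is not code from this thread or from Postfix: it takes the domain of the header From:, accepts it if it is one of the authenticated user's own domains, and otherwise rejects when that domain publishes an enforcing DMARC policy. The function names, the `login_domains` parameter and the sample domains and records are assumptions made for the illustration; a dictionary stands in for the DNS lookup.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>. A real check
# would query DNS; these records are sample data, not published policies.
SAMPLE_DMARC_TXT = {
    "_dmarc.bigmail.example": "v=DMARC1; p=reject; rua=mailto:agg@bigmail.example",
    "_dmarc.relaxed.example": "v=DMARC1; p=none",
}

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def header_from_domain(raw_message):
    """Domain of the single From: address, or None if there is not exactly one."""
    froms = message_from_string(raw_message).get_all("From", [])
    if len(froms) != 1:
        return None  # missing or repeated From: header cannot be evaluated
    address = parseaddr(froms[0])[1]
    local, _, domain = address.rpartition("@")
    return domain.lower() if local and domain else None

def submission_verdict(raw_message, login_domains, lookup=SAMPLE_DMARC_TXT.get):
    """Decide on a submitted message for a user allowed to use login_domains."""
    domain = header_from_domain(raw_message)
    if domain is None:
        return "reject: need exactly one valid From: address"
    if domain in login_domains:
        return "accept: From: domain belongs to the authenticated user"
    # Only the exact From: domain is looked up; DMARC's fallback to the
    # organizational domain is left out of this example.
    record = parse_dmarc(lookup("_dmarc." + domain) or "")
    policy = record.get("p", "none").lower() if record else "none"
    if policy in ("quarantine", "reject"):
        return f"reject: {domain} publishes DMARC p={policy}"
    return f"accept: no enforcing DMARC policy for {domain}"
```

Because the decision uses only the published policy and the From: domain, it does not depend on an SPF result for the submitting client.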
