That was my conclusion, but I figured to wait for a guru to comment. My understanding is there is a plugin for Thunderbird that checks DKIM and/or SPF. I no longer run Thunderbird, so I didn't pursue this. But it seems to me this is better handled at the client.
If someone comes up with a way to flag DKIM and SPF like SpamAssassin does, I'd sure like to try it. But it would have to be somewhat turnkey.

Aren't DKIM and SPF part of your SpamAssassin score? Maybe such a flag could be done if you could alter the SpamAssassin score formula.

Original Message
From: Bill Cole
Sent: Sunday, June 26, 2016 2:53 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks

On 26 Jun 2016, at 16:44, Chip wrote:

> I'm wondering if Postfix can do the following easily.

Nope, not *easily*.

> It's a real dog to get this setup in Exim.

Or Sendmail, or probably ANY MTA that isn't tightly integrated to robust local delivery, mailstore, and mail access subsystems OR which has a sophisticated flexible mechanism for arbitrary policy definition and enforcement. So I guess if you wrote cf-ese by hand it might be a cinch in Sendmail...

But anyway: this is *out of scope* for a pure MTA.

[details elided]

> In other words, a database or text list of emails with corresponding
> acceptable senders needs to be maintained and referenced for each
> user, I believe, unless a guru here can tell me how to get the flow
> properly.

To do this with Postfix, you need some sort of external program. The traditional Postfix mechanism would be a policy daemon. In modern Postfix you could do it in a milter such as MIMEDefang which provides a framework for you to create and enforce any policy that you can express in Perl. (which is easier than cf-ese, really...)

Within Postfix proper, I suppose you could hypothetically do this with restriction classes, but those don't scale well. If you had something checking and tagging messages for SPF & DKIM authentication in Postfix (e.g. any mechanism that hooks to SpamAssassin or specialized tools) you could then do delivery via LMTP to something like Dovecot with its Pigeonhole add-on and have all your per-user rules in Sieve rules.

In short: there are many different ways to skin this cat, but they all include the unpleasantry of skinning a cat. Ick.
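
Added example, not part of the thread and not code from any of its participants: a sketch of the "tag, then file per user" flow described above, as the decision a delivery-time filter could make from the tag. It assumes the tagging step writes an RFC 8601 `Authentication-Results` header under the authserv-id `mx.example.org`; that id, the folder names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.org"  # assumed authserv-id of our own tagging step

# Constructed sample: the first header is ours, the second was supplied by the sender.
SAMPLE = """\
Authentication-Results: mx.example.org;
 dkim=fail reason="signature verification failed; spf=pass" header.d=example.com;
 spf=pass smtp.mailfrom=example.com
Authentication-Results: mx.example.org.lookalike.test; dkim=pass; spf=pass
From: Alice <alice@example.com>
To: chip@example.org
Subject: constructed test message

body
"""

RESINFO = re.compile(r"\s*(spf|dkim)\s*=\s*([a-z]+)", re.I)
NOISE = re.compile(r'"[^"]*"|\([^)]*\)')  # quoted strings and comments

def auth_results(raw, trusted=TRUSTED_AUTHSERV):
    """Return {method: {results}} from headers stamped by `trusted` only."""
    found = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        # Unfold the header, then drop free text that could mimic a result.
        unfolded = NOISE.sub("", " ".join(value.split()))
        authserv, _, rest = unfolded.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != trusted:
            continue  # another host's claim, possibly forged: ignore it
        for resinfo in rest.split(";"):
            m = RESINFO.match(resinfo)
            if m:
                found.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return found

def choose_folder(raw, trusted=TRUSTED_AUTHSERV):
    """Pick a mailbox from the trusted SPF/DKIM verdicts."""
    r = auth_results(raw, trusted)
    if not r:
        return "Unverified"  # nothing from our own checker
    dkim, spf = r.get("dkim", set()), r.get("spf", set())
    if spf & {"fail", "softfail"} or ("fail" in dkim and "pass" not in dkim):
        return "AuthFail"
    return "INBOX"

if __name__ == "__main__":
    print(auth_results(SAMPLE), choose_folder(SAMPLE))
```

The authserv-id comparison is only meaningful if the receiving MTA strips inbound headers that already claim its own id, as RFC 8601 requires of border servers.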