Re: DKIM/SPF failure to folder, not return to sender and other tricks

[lists]

I think that is in the Claws email client.  To do this filtering in postfix, you would need a "parallel" mailbox to place the suspect messages. Then your client would just read both the good mailbox and the bad mailbox. You would need to prevent mail going directly to the bad mailbox, though I suppose that wouldn't be the end of the world.  To be a bit redundant here, as far as I know, your only means to flag the mail that doesn't meet both DKIM and SPF is to do a rewrite on the subject line like SpamAssassin does. Now if you could achieve that, then filtering in the email client is trivial. That is, you write a very simple filter to look for a keyword. I'd be shocked if there exists an email client that couldn't do that. (Well maybe Pine.) The more I think about it, doing the subject line rewrite to indicate SPF/DKIM failure is the best approach. ‎You could even run a rule on the very simple email clients found on phones, or just use your eyeballs.  From: Chip Sent: Sunday, June 26, 2016 7:25 PM To: li...@lazygranch.com Reply To: jeffsch...@gmail.com Cc: postfix-users@postfix.org Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks Very interesting and thanks for sending. Now if you look at the command line, reproduced below, is that a command line calling a file that contains the message(s) to be examined, or is this something put in Postfix somewhere?  Pardon my ignorance.  To add SPF filtering, add a filter with condition test "!(sylpheed-spf.pl -c < %F)" On 06/26/2016 10:13 PM, li...@lazygranch.com wrote: ‎I'd say you are onto something.  http://www.willamowius.de/claws-spf.html ‎Unfortunately SPF has a very high failure rate due to remailers. But it's a start. From: Chip Sent: Sunday, June 26, 2016 6:28 PM To: li...@lazygranch.com Reply To: jeffsch...@gmail.com Cc: postfix-users@postfix.org Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks There is dkimverify and spfquery, two command line tools that you can run against a message in the first case and a domain with ip in the second case. Trivial to put in a script and run against messages for sorting. No? On 06/26/2016 09:14 PM, li...@lazygranch.com wrote: ‎It does look like SpamAssassin has a SPF hook.  https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#scoring_options From: Jeffs Chips Sent: Sunday, June 26, 2016 5:20 PM To: li...@lazygranch.com Cc: postfix-users@postfix.org Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks This projects is not for normal email delivery but an esoteric use not usually associated with email - can't really divulge more but I'm starting to see no easy solution. There are spf scripts that can run against files separately from the stuff built into spam assassin and postfix/exim etc. On Jun 26, 2016 7:57 PM, <li...@lazygranch.com> wrote: ‎Well maybe. If your client supports extra folders per each mailbox and you can access those folders, then yes. Most clients do have such folders, but the are designed to be used with "filters" built in the client. The filters probably aren't sophisticated enough to check DKIM or SPF, which is why plugins are used.  While readers of this list think filtering out email that fails ID is a great idea, the general public just wants the email to be delivered.  I don't use Gmail, but I understand Google has implemented or is working on implementing a notification for email that fails DKIM and SPF. I would be interesting to get some stats on email passing both DKIM, each individually, or none at all.  ‎When I suggested a plugin for CLAWS email client to check DKIM and SPF, the silence was deafening.   Original Message   From: Chip Sent: Sunday, June 26, 2016 4:41 PM To: postfix-users@postfix.org Reply To: jeffsch...@gmail.com Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks Thanks, So it just may be easier to deliver all messages to a folder then have a cron job run some spf/dkim checking script against the emails. On 06/26/2016 05:53 PM, Bill Cole wrote: > On 26 Jun 2016, at 16:44, Chip wrote: > >> I'm wondering if Postfix can do the following easily. > > Nope, not *easily*. > >> It's a real dog to get this setup in Exim. > > Or Sendmail, or probably ANY MTA that isn't tightly integrated to > robust local delivery, mailstore, and mail access subsystems OR which > has a sophisticated flexible mechanism for arbitrary policy definition > and enforcement. So I guess if you wrote cf-ese by hand it might be a > cinch in Sendmail... But anyway: this is *out of scope* for a pure MTA. > > [details elided] > >> In other words, a database or text list of emails with corresponding >> acceptable senders needs to be maintained and referenced for each >> user, I believe, unless a guru here can tell me how to get the flow >> properly. > > To do this with Postfix, you need some sort of external program. The > traditional Postfix mechanism would be a policy daemon. In modern > Postfix you could do it in a milter such as MIMEDefang which provides > a framework for you to create and enforce any policy that you can > express in Perl. (which is easier than cf-ese, really...) > > Within Postfix proper, I suppose you could hypothetically do this with > restriction classes, but those don't scale well. If you had something > checking and tagging messages for SPF & DKIM authentication in Postfix > (e.g. any mechanism that hooks to SpamAssassin or specialized tools) > you could then do delivery via LMTP to something like Dovecot with its > Pigeonhole add-on and have all your per-user rules in Sieve rules. > > In short: there are many different ways to skin this cat, but they all > include the unpleasantry of skinning a cat. Ick. >