But you need Dovecot or something similar and eventually an email client, so I don't quite follow you here. You have a client, they have filters, so just use that filter.
Now if you want to set up a system where the end user never sees the failed email, then I would use Dovecot and Sieve. I'm imagining a corporate scenario where email that fails ID goes to some expert to check the email, perhaps contact the sender out of band, etc.
In any event, if the hive (postfix list users) can come up with the means to do the subject line rewrite, we can divert on the next step of post processing. You can use Dovecot plus Sieve and I will just use a rule in the email client.
From: Chip
Sent: Sunday, June 26, 2016 7:58 PM
To: li...@lazygranch.com
Reply To: jeffsch...@gmail.com
Cc: postfix-users@postfix.org
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks
Ok this is good. But the project cannot use mail clients, only mail
servers because post processing calls other programs not related to
postfix or exim or any program similar.
Now the idea of rewriting subject is the best I've heard so far - is
there a facility in Postfix to do that based on DKIM and SPF failing
that you know of?
I think that is in the Claws email client.
To do this filtering in postfix, you would need a "parallel"
mailbox to place the suspect messages. Then your client would
just read both the good mailbox and the bad mailbox. You would
need to prevent mail going directly to the bad mailbox, though I
suppose that wouldn't be the end of the world.
To be a bit redundant here, as far as I know, your only means to
flag the mail that doesn't meet both DKIM and SPF is to do a
rewrite on the subject line like SpamAssassin does. Now if you
could achieve that, then filtering in the email client is
trivial. That is, you write a very simple filter to look for a
keyword. I'd be shocked if there exists an email client that
couldn't do that. (Well maybe Pine.)
The more I think about it, doing the subject line rewrite to
indicate SPF/DKIM failure is the best approach. You could even
run a rule on the very simple email clients found on phones, or
just use your eyeballs.
From: Chip
Sent: Sunday, June 26, 2016 7:25 PM
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks
Very interesting and thanks for sending.
Now if you look at the command line, reproduced below, is that a
command line calling a file that contains the message(s) to be
examined, or is this something put in Postfix somewhere? Pardon
my ignorance.
To add SPF filtering, add a filter with condition
test "!(sylpheed-spf.pl -c < %F)"
I'd say you are onto something.
Unfortunately SPF has a very high failure rate
due to remailers. But it's a start.
From: Chip
Sent: Sunday, June 26, 2016 6:28 PM
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks
There is dkimverify and spfquery, two command line tools
that you can run against a message in the first case and a
domain with ip in the second case.
Trivial to put in a script and run against messages for
sorting.
No?
It does look like SpamAssassin has
a SPF hook.
From: Jeffs Chips
Sent: Sunday, June 26, 2016 5:20 PM
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks
This project is not for normal email
delivery but an esoteric use not usually associated
with email - can't really divulge more but I'm
starting to see no easy solution. There are spf
scripts that can run against files separately from the
stuff built into spam assassin and postfix/exim etc.
On Jun 26, 2016 7:57 PM, <li...@lazygranch.com> wrote:
Well maybe. If your client supports extra folders per
each mailbox and you can access those folders, then
yes. Most clients do have such folders, but they are
designed to be used with "filters" built in the
client. The filters probably aren't sophisticated
enough to check DKIM or SPF, which is why plugins
are used.
While readers of this list think filtering out email
that fails ID is a great idea, the general public
just wants the email to be delivered.
I don't use Gmail, but I understand Google has
implemented or is working on implementing a
notification for email that fails DKIM and SPF. It
would be interesting to get some stats on email
passing both DKIM, each individually, or none at
all.
When I suggested a plugin for CLAWS email client to
check DKIM and SPF, the silence was deafening.
Original Message
From: Chip
Sent: Sunday, June 26, 2016 4:41 PM
To: postfix-users@postfix.org
Reply To: jeffsch...@gmail.com
Subject: Re: DKIM/SPF failure to folder, not return to sender and other tricks
Thanks,
So it just may be easier to deliver all messages to a folder then have a
cron job run some spf/dkim checking script against the emails.
On 06/26/2016 05:53 PM, Bill Cole wrote:
> On 26 Jun 2016, at 16:44, Chip wrote:
>
>> I'm wondering if Postfix can do the following easily.
>
> Nope, not *easily*.
>
>> It's a real dog to get this setup in Exim.
>
> Or Sendmail, or probably ANY MTA that isn't tightly integrated to
> robust local delivery, mailstore, and mail access subsystems OR which
> has a sophisticated flexible mechanism for arbitrary policy definition
> and enforcement. So I guess if you wrote cf-ese by hand it might be a
> cinch in Sendmail... But anyway: this is *out of scope* for a pure MTA.
>
> [details elided]
>
>> In other words, a database or text list of emails with corresponding
>> acceptable senders needs to be maintained and referenced for each
>> user, I believe, unless a guru here can tell me how to get the flow
>> properly.
>
> To do this with Postfix, you need some sort of external program. The
> traditional Postfix mechanism would be a policy daemon. In modern
> Postfix you could do it in a milter such as MIMEDefang which provides
> a framework for you to create and enforce any policy that you can
> express in Perl. (which is easier than cf-ese, really...)
>
> Within Postfix proper, I suppose you could hypothetically do this with
> restriction classes, but those don't scale well. If you had something
> checking and tagging messages for SPF & DKIM authentication in Postfix
> (e.g. any mechanism that hooks to SpamAssassin or specialized tools)
> you could then do delivery via LMTP to something like Dovecot with its
> Pigeonhole add-on and have all your per-user rules in Sieve rules.
>
> In short: there are many different ways to skin this cat, but they all
> include the unpleasantry of skinning a cat. Ick.
>
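The approach the thread converges on (tag the Subject when DKIM and SPF do not both pass, then sort on the tag), sketched as an added example that is not code from any poster. It assumes a verifier at SMTP time has already written an Authentication-Results header under the authserv-id mx.example.org; that name, the [AUTH-FAIL] tag and the folder names are hypothetical.

```python
import email
import re
from email import policy

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id your own verifier writes
TAG = "[AUTH-FAIL]"                  # hypothetical subject marker for client/Sieve rules
RESULT_RE = re.compile(r"\s*(dkim|spf)\s*=\s*([a-z]+)", re.I)

def auth_results(msg):
    """Collect dkim/spf verdicts, but only from headers our own server added."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV:
            continue  # written by someone else, possibly the sender: ignore
        rest = re.sub(r"\([^()]*\)", "", rest)  # drop comments such as "(1024-bit key)"
        for part in rest.split(";"):
            m = RESULT_RE.match(part)
            if m:
                verdicts.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return verdicts

def classify(raw):
    """Return (folder, failed_methods, message); tag the Subject unless both pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = auth_results(msg)
    failed = [m for m in ("dkim", "spf") if "pass" not in verdicts.get(m, [])]
    if not failed:
        return "inbox", failed, msg
    subject = str(msg.get("Subject", ""))
    del msg["Subject"]  # policy.default allows only one Subject header
    msg["Subject"] = f"{TAG} {subject}".strip()
    return "suspect", failed, msg

# Constructed sample messages (not taken from the thread).
GOOD = (b"Authentication-Results: mx.example.org; dkim=pass (1024-bit key)\r\n"
        b" header.d=example.com; spf=pass smtp.mailfrom=example.com\r\n"
        b"From: a@example.com\r\nSubject: hello\r\n\r\nbody\r\n")
FORGED = (b"Authentication-Results: mx.example.org; dkim=none; spf=softfail\r\n"
          b" smtp.mailfrom=example.net\r\n"
          b"Authentication-Results: mail.example.net; dkim=pass; spf=pass\r\n"
          b"From: b@example.net\r\nSubject: invoice\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for raw in (GOOD, FORGED):
        folder, failed, msg = classify(raw)
        print(folder, failed, msg["Subject"])
```

Results are read only from the trusted authserv-id because a sender can add its own Authentication-Results header, as the second constructed message does. The receiving server should also strip inbound headers that already carry its authserv-id.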