On 30/12/2020 2:38 am, ludic...@gmail.com wrote:
> @Nick
> A check for a valid FQDN in From is in smtpd_sender_restrictions.
> At the point where it got to bounce message, SPF was skipped. Would
> OpenDMARC then still work?

The smtpd_sender_restrictions that you specify are applied to the
/envelope/ sender address (a.k.a. RFC5321.MailFrom). IIUC the mail you
are talking about has the null sender address, <>, which is probably
handled as a special case and /not/ rejected by reject_non_fqdn_sender
(and other smtpd_sender_restrictions)?

FYI I'd also suspect that SPF treats the null address as a special case too?

In order to accept or reject the mail based on the From header in the
mail (a.k.a. RFC5322.From) you'd need to use some sort of content filter...

The simplest option is to use the Postfix built-in content inspection
available with the header_checks option, to reject mail containing a
From header matching a particular regular expression. Check out
http://www.postfix.org/BUILTIN_FILTER_README.html for more information.
However this won't work if the header is absent (i.e. no From header in
the message).

Other options are a before-queue content filter
(http://www.postfix.org/SMTPD_PROXY_README.html) or before-queue milter
(http://www.postfix.org/MILTER_README.html). OpenDMARC is an example of
the latter.

The one caveat with using OpenDMARC is that I'm pretty sure you'd need
to use OpenDKIM and OpenDMARC together to implement DMARC policy
checking and then you get that option I mentioned previously as bonus
functionality. But if you had no desire to implement DMARC policy
checking then this is a bit like using a sledgehammer to crack a nut.

Nick.
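
The distinction drawn in the reply above, as an added example that is not part of the original post and is not Postfix or OpenDMARC code: a bounce with the null envelope sender passes an envelope-level FQDN check, while a content-level check on the From header catches both a non-FQDN domain and a missing header. All function names, the simplified FQDN pattern and the sample messages are constructed for illustration, and the pass-through of <> is the assumption made in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Simplified FQDN test (illustrative): dot-separated labels ending in a TLD.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

def is_fqdn(domain):
    return bool(FQDN_RE.match(domain))

def check_envelope_sender(mail_from):
    """Envelope-level check on RFC5321.MailFrom (hypothetical helper).
    Assumption, as in the post: the null sender <> is passed through."""
    if mail_from in ("", "<>"):
        return "pass (null sender)"
    domain = mail_from.strip("<>").rpartition("@")[2]
    return "pass" if is_fqdn(domain) else "reject (non-FQDN envelope sender)"

def check_header_from(raw_message):
    """Content-level check on RFC5322.From (hypothetical helper).
    Unlike a pattern that only fires on a matching header line,
    this also handles a message with no From header at all."""
    value = message_from_string(raw_message).get("From")
    if value is None:
        return "reject (no From header)"
    _, addr = parseaddr(value)
    domain = addr.rpartition("@")[2]
    return "pass" if is_fqdn(domain) else "reject (non-FQDN From header)"

# Constructed sample messages (not taken from the thread).
BOUNCE_BAD_FROM = ("From: MAILER-DAEMON@localhost\nTo: user@example.org\n"
                   "Subject: Undelivered Mail\n\nbody\n")
BOUNCE_NO_FROM = "To: user@example.org\nSubject: Undelivered Mail\n\nbody\n"
BOUNCE_GOOD = ("From: Postmaster <postmaster@mail.example.org>\n"
               "To: user@example.org\nSubject: Undelivered Mail\n\nbody\n")

if __name__ == "__main__":
    # Every sample arrives with the null envelope sender, as a bounce would.
    for name, raw in [("bad From", BOUNCE_BAD_FROM),
                      ("no From", BOUNCE_NO_FROM),
                      ("good From", BOUNCE_GOOD)]:
        print(name, "| envelope:", check_envelope_sender("<>"),
              "| header:", check_header_from(raw))
```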