> On Mar 11, 2021, at 1:00 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote: > > On 10/03/2021 19:00, Dan Mahoney (Gushi) wrote: >> All, >> >> I'm working with the OpenDMARC folks on doing bug triage, and someone has >> requested that if a domain's policy says p=quarantine, that it should be >> "accepted" by postfix, and left for something like SpamAssassin to deal >> with. (I don't see any specific handling in spamassassin that treats >> quaratine differently, but that's beside the point). >> >> Per for RFCs, "quarantine" really means "queue for mail admins to deal with >> manually". This is an old concept, going back in sendmail at least a >> decade, but it's been rarely used to this point. Opendmarc makes this >> relatively common, and will catch mail admins by surprise. >> >> So my question is (I've been reading the postfix milter docs for a half >> hour), is there any way to say (either globally or per-milter), "if the >> milter says hold, just deliver as normal?" >> >> This is a thing that can be fixed in the milter, or fixed in postfix, but in >> an ideal world, both would exist. >> >> (I mean, short of an every-minute cron job that just moves the things to the >> deliver queue). >> >> -Dan > > This works for me: > > # grep ^RejectFailures /etc/opendmarc.conf # (note: false is the default > anyway) > RejectFailures false
That’s orthogonal. RejectFailures only affects domains tagged p=reject. The feature I’m working with only affects p=quarantine. -Dan > > # postconf -n milter_header_checks > milter_header_checks = pcre:/etc/postfix/milter_header_checks.pcre > > # cat /etc/postfix/milter_header_checks.pcre > # opendmarc is set not to reject failed emails, nor to instruct they > # be held (RejectFailures false) - but it will still add a header > # showing dmarc=fail: so here we can redirect them to a local > # mailbox (because they sometimes prove to be genuine > # i.e. from sender with misconfigured email server(s)) > /^Authentication-Results: my_authserv_id.*dmarc=fail \(p=(reject|quarantine)/ > REDIRECT dmarcfail@localhost
