On 2021-04-14 06:27, Simon Wilson wrote:
> Looks like opendmarc is seeing the injected amavis mail as localhost,
> which I assume it is... by default opendmarc will ignore that.

Yes, that is what I also suspect. I don't quite understand why the
client IP address should concern a DMARC check. And if it does, then it
seems to me that it would be a good idea for postfix to use XFORWARD
information when sending the client address to a milter. But perhaps
there is some reason for not doing that.

> For what it is worth, this is my config for INBOUND email:
> - pypolicyd-spf called as a check_policy_service in
> smtpd_recipient_restrictions runs SPF checks, inserting an
> Authentication-Results header with SPF evaluation
> - smtpd_milter_maps calls opendkim and opendmarc (in that order)
> - I have smtpd_milter_maps set so the milters do not run on internal
> addresses:
> # Skip milters if mail is from internal addresses or localhost
> smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
> - opendmarc.conf is also configured to ignore
> IgnoreAuthenticatedClients; and IgnoreHosts contains my local network
> (although I think this last is duplication given the smtpd_milter_maps
> setting)
> - All SMTP inbound mail other than from localhost or local network
> therefore gets SPF, DKIM and DMARC evaluated
> - Postfix then calls amavis as a content_filter
> - Amavis evaluates, calls spamassassin (which applies rules on SPF,
> DKIM, DMARC), etc., and then passes back to postfix.
> - postfix has no content_filter or milters on the re-injected mail, so
> it comes back in for delivery

Thanks for sharing your setup. I do, however, really like having Amavis
as a before-queue filter, so I hope I can get that working.

> Like you I use amavis to DKIM sign outbound email, not opendkim. I
> just prefer the way it handles it.

Yes, I also like the Amavis DKIM-setup, and would prefer to keep it.
--
Jesper Dybdal
https://www.dybdal.dk
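
The following is an added example, not part of either poster's message or configuration: a small Python model of how a `cidr:` table used for `smtpd_milter_maps` decides, by client address, whether the DKIM/DMARC milters run, which is why mail re-injected from localhost is not evaluated. The map contents and the `smtpd_milters` value are constructed assumptions, and only the plain "network result" line form is handled.

```python
import ipaddress

# Constructed sample of /etc/postfix/smtpd_milter_map; the thread does not
# show the real file contents.
SAMPLE_MAP = """\
# Skip milters if mail is from internal addresses or localhost
127.0.0.0/8      DISABLE
::1/128          DISABLE
192.168.0.0/16   DISABLE
"""

# Assumed main.cf smtpd_milters value (socket addresses are placeholders).
DEFAULT_MILTERS = "inet:127.0.0.1:8891, inet:127.0.0.1:8893"


def parse_cidr_map(text):
    """Return [(network, result)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        # strict=True rejects patterns with host bits set, e.g. 192.168.1.1/16
        rules.append((ipaddress.ip_network(pattern, strict=True), result.strip()))
    return rules


def milters_for(client_ip, rules, default=DEFAULT_MILTERS):
    """First matching rule wins; no match falls back to smtpd_milters."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in rules:
        if addr in network:
            # DISABLE switches milters off for this client
            return None if result == "DISABLE" else result
    return default


def audit(clients, rules):
    """Map each client IP to True if the DKIM/DMARC milters would run for it."""
    return {ip: milters_for(ip, rules) is not None for ip in clients}


if __name__ == "__main__":
    rules = parse_cidr_map(SAMPLE_MAP)
    clients = ["127.0.0.1", "192.168.1.20", "203.0.113.7"]
    for ip, checked in audit(clients, rules).items():
        print(f"{ip:15} milters {'run' if checked else 'skipped'}")
```

On a live server, `postmap -q 127.0.0.1 cidr:/etc/postfix/smtpd_milter_map` queries the real table for a given client address.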