[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-15 Thread Damian via Postfix-users
correct, but amavisd support rspamd with have dmarc what? Amavis has support for rspamd as a spam_scanner, i.e. for scoring, not for DMARC policy enforcement. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to

[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-15 Thread Dino Edwards via Postfix-users
>That's what Dino is trying to do. Make amavis-over-milter add a DKIM AR-header, then make OpenDMARC evaluate DMARC using that header. It may be true that SpamAssassin 4 has a DMARC test, but Amavis does not use such test hit for a policy enforcement. >Amavis has support for rspamd as a sp

[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-15 Thread Damian via Postfix-users
This question has stirred up a lot of answers but if I’m understanding correctly, it looks like I cannot use opendmarc with amavisd in postfix as a pre-queue filter for dkim. The only viable option is opendkim with opendmarc as pre-queue milters like I was originally doing. Conceptually you ca

[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-15 Thread Dino Edwards via Postfix-users
>Conceptually you can. I tested it yesterday and it worked. At first I encountered said phenomenon that the mails in my inbox had no DMARC AR header, but that was because the content_filter Amavis removed them. After disabling DKIM verification on the content_filter, headers looked like thi

[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-15 Thread Damian via Postfix-users
So as per your previous post, setting a policy such as this one would do the trick? ... This would be necessary to keep DMARC AR headers after they passed the content_filter Amavis. It is not necessary for OpenDMARC to do its work. It was not clear what "skipping OpenDMARC" means exactly, but

[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-15 Thread Benny Pedersen via Postfix-users
Dino Edwards via Postfix-users wrote on 2023-11-15 10:42: That's what Dino is trying to do. Make amavis-over-milter add a DKIM AR-header, then make OpenDMARC evaluate DMARC using that header. It may be true that SpamAssassin 4 has a DMARC test, but Amavis does not use such test hit for a poli

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread Byung-Hee HWANG via Postfix-users
Hello Viktor, Viktor Dukhovni via Postfix-users writes: > The DANE/DNSSEC survey () has seen a > recent spike in the number of MX hosts whose "2 1 1" TLSA records no > longer match their certificate chain. The records in question all > share the same digest value

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread James Cloos via Postfix-users
LE announced a while back that they would not renew the cross cert. Their root was expiring and they chose not to pay for a cross for the replacement. -JimC -- James Cloos OpenPGP: 0x997A9F17ED7DAEA6

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread Geert Hendrickx via Postfix-users
On Wed, Nov 15, 2023 at 10:29:41 -0500, James Cloos via Postfix-users wrote: > LE announced a while back that they would not renew the cross cert. Yes, but dropping the cross-signed X1 root cert from the default chain last week was an accident: https://community.letsencrypt.org/t/shortening-the-l

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 15, 2023 at 09:44:18PM +0900, Byung-Hee HWANG via Postfix-users wrote: > > Bottom line, if you're relying on that "2 1 1" record matching the ISRG > > root to match your Let's Encrypt chain, you're about to be disappointed, > > if you aren't already. See: > > > > http://dnssec-st

[pfx] Re: Recommendation for dkim signing

2023-11-15 Thread Steffen Nurpmeso via Postfix-users
P.S.: Steffen Nurpmeso wrote in <20231103002256.iibfi%stef...@sdaoden.eu>: |Matus UHLAR - fantomas via Postfix-users wrote in | : ||>Jens Hoffrichter via Postfix-users wrote in ||> : ||>|On Mon, Oct 30, 2023 at 8:12 PM Steffen Nurpmeso via Postfix-users ||>| wrote: ||> ... ||>|> Btw i wou

[pfx] Re: Recommendation for dkim signing

2023-11-15 Thread Jaroslaw Rafa via Postfix-users
On 15.11.2023 at 20:02:44 Steffen Nurpmeso via Postfix-users wrote: > Funnily i just now got while sending a mail to not more than about > i think two dozen gmail accounts: > > Nov 15 18:31:54 postfix/smtp[30872]: 32CC41605F: host > gmail-smtp-in.l.google.com[66.102.1.27] said: 421-4.7.2

[pfx] Re: Recommendation for dkim signing

2023-11-15 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa via Postfix-users wrote in <20231115204142.ga1...@rafa.eu.org>: |On 15.11.2023 at 20:02:44 Steffen Nurpmeso via Postfix-users wrote: |> Funnily i just now got while sending a mail to not more than about |> i think two dozen gmail accounts: |> |> Nov 15 18:31:54 postfix

[pfx] Postfix as an SMTP front end

2023-11-15 Thread Ron Garret via Postfix-users
I am running postfix on the same machine as my IMAP server, but this is a security risk because having two different services on the same machine increases the attack surface. My IMAP server doesn't need to be publicly visible, so I would like to move that service to a separate machine, and hav

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread raf via Postfix-users
On Wed, Nov 15, 2023 at 09:44:18PM +0900, Byung-Hee HWANG via Postfix-users wrote: > Thank you for notifying us. Also i'm using 211 TLSA record. > > Honestly, 311 it was not easy to set up to me. > > Sincerely, Byung-Hee As Viktor pointed out, you're not affected, but if you want to use "3 1

[pfx] TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-15 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 15, 2023 at 04:53:17PM +0100, Geert Hendrickx via Postfix-users wrote: > On Wed, Nov 15, 2023 at 10:29:41 -0500, James Cloos via Postfix-users wrote: > > LE announced a while back that they would not renew the cross cert. > > Yes, but dropping the cross-signed X1 root cert from the d