https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/
"...
you can use DMARC with only SPF – and absolutely should, at least as far as
enabling reporting –
..."
On Mon, Apr 27, 2020, 3:55 PM Ralph Seichter wrote:
> * pe...@pajamian.dhs.org:
>
> > DKIM is not required for DMAR
I'm locking down a postfix smarthost.
Goal is to only accept submissions to the smarthost from clients that
match known TLS fingerprints.
smarthost' service config is
[172.30.6.19]:587 inet n - n - - smtpd
-o syslog_name=postfix/smarthost
-o smtp_helo_name=smarthost.${myho
Noel
> Have you tried with the default setting of smtpd_tls_ccert_verifydepth?
No.
At
http://www.postfix.org/postconf.5.html#smtpd_tls_ccert_verifydepth
smtpd_tls_ccert_verifydepth (default: 9)
Changed
--o smtpd_tls_ccert_verifydepth=2
+-o smtpd_tls_ccert_verifydepth=9
O
Viktor
That's consistent with, and explains, what I've been seeing -- that,
with smtpd_tls_req_ccert = yes
, ccert restriction works with a commercial crt's fingerprint
specified, but not with my self-signed cert.
I was digging in the self-signed cert itself, and having trouble
figuring out what
Already read, with an apparent bad assumption on my part.
In this case, since the check's against the ccert's fingerprint, I'd
assumed 'trusted' to mean "trusted if the fprint matches". Having
added the ccert's fingerprint to a lookup table on the server seemed
appropriate, similar to trust in o
fyi, if you prefer a dedicated user approach, just need to make sure you're
consistent,
groupdel opendkim
groupadd opendkim
useradd opendkim -g opendkim -G "" -s /bin/false -d /var/run/opendkim -M
usermod -a -G opendkim postfix
id opendkim
uid=5117(opendkim) gid=5117(opendkim) groups=5117(op
fwiw, from Arch wiki
https://wiki.archlinux.org/index.php/OpenDKIM
"The OpenDKIM daemon does not need to run as root at all (the configuration
suggested earlier will have OpenDKIM drop root privileges by itself, but
systemd can do this too and much earlier)."
cat /etc/systemd/system/opendkim.serv
It ain't pretty, or recommended for the long term, but something like this
should slow it down
/etc/postfix/main.cf
header_checks = pcre:/etc/postfix/header_checks.pcre
/etc/postfix/header_checks.pcre
IF /^(To|From|Cc|Reply-To|Sender|Return-Path): /
/@qq\.com/i R
I missed the "message id" ...
You should be able to match/block any valid header name.
Add it to, or replace, what's in the match -- up to you. Personally, I've
never received a valid email from 'anything' @qq.com. YMMV.
If you're shutting down a flood, more extreme, blunt instrument measures
Fwiw I keep a pre-queue instance of milter-regex
https://www.benzedrine.ch/milter-regex.html
in place, for just such 'emergencies', as well as longer-term header
match/action.
Although it's a bit long in the tooth, and not actively supported, it still
works well enough.
It's a clean, easy c
10 matches
Mail list logo
