On 5/22/22 18:25, Kevin A. McGrail wrote:
> Alex,
>
> #1 you can use the welcomelist entries but NOT the welcomelist_auth entries
> if DMARC is failing.
>
> #2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that
> we are working through, sorry to say it's been rougher than I wanted to.
> But we have it in production and we are working on edge cases from my end.
>
> #3 At my work at PCCC, we changed some concepts to install the KAM rules so
> they are parsed after the stock rules for some of the default DMARC scores to
> change too. We used a new option for sa-update that Henrik added to do this.
> I'll ask for some info about it and test that pastebin to see if it fails on
> our system too. I was also discussing more DMARC/DKIM regression tests are
> needed. It's too fragile.
>

Starting from r1900857, official ASF channels are loaded first, then all other
channels in alphabetical order.
I would like to better check the original email if possible.

 Giovanni

> Regards,
> KAM
>
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
> On Sun, May 22, 2022 at 11:25 AM Alex <mysqlstud...@gmail.com> wrote:
>
> > Hi, I think this is another - this one also includes KAM_DMARC_REJECT
> >
> > https://pastebin.com/9g9VrgVK
> >
> > * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> > *      valid
> > * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> > *      domain
> > * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> > * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
> > *      and the domain has a DMARC reject policy
> > * 1.8 DMARC_REJECT DMARC reject policy
> >
> > Can this info even be added to the welcomelist or will that also now fail?
> >
> > On Sun, May 22, 2022 at 11:10 AM Alex <mysqlstud...@gmail.com> wrote:
> >
> > > Hi, is it possible the DMARC_REJECT problem still exists?
> > >
> > > https://pastebin.com/DCu9cq4t
> > >
> > > * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> > > * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> > > *      valid
> > > * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> > > *      domain
> > > * 1.8 DMARC_REJECT DMARC reject policy
> > >
> > > Authentication-Results: xavier.example.com (amavisd-new);
> > >     dkim=pass (1024-bit key) header.d=hotwire.com header.b="NEdhsCdV";
> > >     dkim=pass (1024-bit key) header.d=amazonses.com header.b="UglVB1nr"
> > >
> > > $ spamassassin --version
> > > SpamAssassin version 4.0.0-r1900583
> > > running on Perl version 5.34.1
> > >
> > > On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstud...@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
> > > >
> > > > > I believe this is a bug and fixed in trunk.
> > > > >
> > > > > On 5/10/2022 1:55 PM, Bill Cole wrote:
> > > > > > Looks like a bug. It should not be possible to hit
> > > > > > DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT
> > > >
> > > > This was from svn version 1900493. I've now checked out 1900794,
> > > > but that somehow appears different from the version SA reports?
> > > >
> > > > $ spamassassin --version
> > > > SpamAssassin version 4.0.0-r1900583
> > > > running on Perl version 5.34.1
> > > >
> > > > My firstdata email does appear to now pass DKIM properly, without
> > > > DMARC_REJECT or KAM_DMARC_REJECT.
> > > >
> > > > Any idea under what circumstances the DKIM check fails so I can
> > > > watch for it? Or can we consider it solved?