On 5/22/22 18:25, Kevin A. McGrail wrote:
> Alex,
> 
> #1 you can use the welcomelist entries but NOT the welcomelist_auth entries 
> if DMARC is failing.
> 
> #2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that 
> we are working through, sorry to say it's been rougher than I wanted too.  
> But we have it in production and we are working on edge cases from my end.
> 
> #3 At my work at PCCC, we changed some concepts to install the KAM rules so 
> they are parsed after the stock rules for some of the default DMARC scores to 
> change too.  We used a new option for sa-update that Henrik added to do this. 
>  I'll ask for some info about it and test that pastebin to see if it fails on 
> our system too.  I was also discussing more DMARC/DKIM regression tests are 
> needed.  It's too fragile.
> 
Starting from r1900857, official ASF channels are loaded first, then all other 
channels in alphabetical order.

I would like to better check the original email if possible.

 Giovanni


> Regards,
> KAM
> 
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
> 
> 
> On Sun, May 22, 2022 at 11:25 AM Alex <mysqlstud...@gmail.com> wrote:
> 
>     Hi, I think this is another - this one also includes KAM_DMARC_REJECT
> 
>     https://pastebin.com/9g9VrgVK
> 
>      *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>      *      valid
>      * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
>      *       domain
>      * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>      *  6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
>      *      and the domain has a DMARC reject policy
>      *  1.8 DMARC_REJECT DMARC reject policy
> 
>     Can this info even be added to the welcomelist or will that also now fail?
> 
> 
> 
>     On Sun, May 22, 2022 at 11:10 AM Alex <mysqlstud...@gmail.com> wrote:
> 
>         Hi, is it possible the DMARC_REJECT problem still exists?
> 
>         https://pastebin.com/DCu9cq4t
> 
>          * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>          *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>          *      valid
>          * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
>          *       domain
>          *  1.8 DMARC_REJECT DMARC reject policy
> 
>         Authentication-Results: xavier.example.com (amavisd-new);
>                     dkim=pass (1024-bit key) header.d=hotwire.com header.b="NEdhsCdV";
>                     dkim=pass (1024-bit key) header.d=amazonses.com header.b="UglVB1nr"
> 
>         $ spamassassin --version
>         SpamAssassin version 4.0.0-r1900583
>           running on Perl version 5.34.1
> 
> 
>         On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstud...@gmail.com> wrote:
> 
>             Hi,
> 
>             On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
> 
>                 I believe this is a bug and fixed in trunk.
> 
>                 On 5/10/2022 1:55 PM, Bill Cole wrote:
>                 > Looks like a bug. It should not be possible to hit DKIM_VALID_AU
>                 > and also DMARC_REJECT and/or KAM_DMARC_REJECT
> 
> 
> 
>             This was from svn version 1900493. I've now checked out 1900794,
>             but that somehow appears different from the version SA reports?
> 
>             $ spamassassin --version
>             SpamAssassin version 4.0.0-r1900583
>               running on Perl version 5.34.1
> 
>             My firstdata email does appear to now pass DKIM properly, without
>             DMARC_REJECT or KAM_DMARC_REJECT.
> 
>             Any idea under what circumstances the DKIM check fails so I can
>             watch for it? Or can we consider it solved?
> 
> 
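
One way to watch for the contradictory combination discussed in this thread (DKIM_VALID_AU together with DMARC_REJECT or KAM_DMARC_REJECT) is to scan SpamAssassin report text for it. This is an added example, not code from the thread or from the SpamAssassin project; the function names parse_report and contradictions are hypothetical, the first sample is the report quoted above, and the second is constructed.

```python
import re

# Per the thread: a valid author-domain DKIM signature should rule out a DMARC reject hit.
ALIGNED_PASS = {"DKIM_VALID_AU"}
DMARC_FAIL = {"DMARC_REJECT", "KAM_DMARC_REJECT"}

# A hit line looks like "*  6.0 RULE_NAME description". Wrapped description
# lines ("*      valid") carry no score and therefore do not match.
HIT = re.compile(r"^\s*\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")
QUOTE = re.compile(r"^(?:\s*>)+")  # mail quoting markers such as "> > "

def parse_report(text):
    """Return {rule_name: score} for every hit line in a report."""
    hits = {}
    for line in text.splitlines():
        m = HIT.match(QUOTE.sub("", line))
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def contradictions(hits):
    """DMARC failure rules that fired even though author-domain DKIM passed."""
    if ALIGNED_PASS & set(hits):
        return sorted(DMARC_FAIL & set(hits))
    return []

# Report text as quoted in the thread (second pastebin).
THREAD_REPORT = """\
>      *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>      *      valid
>      * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
>      *       domain
>      * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>      *  6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
>      *      and the domain has a DMARC reject policy
>      *  1.8 DMARC_REJECT DMARC reject policy
"""

# Constructed sample: a consistent result with no DMARC failure rules.
CLEAN_REPORT = """\
 *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
 *      valid
 * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 *       domain
"""

if __name__ == "__main__":
    for name, report in (("thread", THREAD_REPORT), ("clean", CLEAN_REPORT)):
        print(name, contradictions(parse_report(report)) or "consistent")
```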
