Simon Wilson via users skrev den 2024-07-03 14:56:
> Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
> trusting my upstream authres_trusted_authserv only?
both works in paralel, so no need to disable, best results came from
both enabled
its up to you to add more authres_trusted_authserv or more
authres_ignored_authserv lines
possible we can now have a very long debate on dmarc plugin ? :)
my question is does spamassassin dmarc plugin use authres results ?
- SA's DKIM plugin has failed a message so USER_IN_DKIM_WHITELIST tag will not
get assigned, and a +0.1 is added for a DKIM fail
- with AuthRes plugin installed, my trusted Authentication-Results header ‘DKIM
pass’ = -0.5 is applied
- yes, the -0.5 overrides the +0.1 from the false DKIM fail, but this does not
overcome the reason I wanted the sender in whitelist_auth - to overcome the FP
of their emails triggering a KAM rule
Ideally what I want is for authres.cf to combine:
header AUTHRES_DKIM_PASS eval:check_authres_result('dkim', 'pass')
with
header USER_IN_DKIM_WHITELIST eval:check_for_dkim_whitelist_from()
and generate -100 that the DKIM plugin assigns to a DKIM
pass/USER_IN_DKIM_WHITELIST entry.
…but I don't know how to do that properly. I can combine into a meta rule, but
that will call the existing DKIM plugin's subroutine to evaulate
USER_IN_DKIM_WHITELIST, and I'm not sure if that will work.
OK, I have done the following and it seems to be working, but will take
guidance on if this is going to have unexpected consequences from my ignorance…
- removed the SA DKIM plugin from loading
- Authres plugin working and trusting my own mail server's auth tests
(including DKIM)
- created a meta rule:
## Whitelist Wasabi, subject to passing of auth
header __LR_FROM_WASABI From =~ /support\@wasabi\.com/i
meta LR_WASABI_AUTH (__LR_FROM_WASABI && AUTHRES_DKIM_PASS && AUTHRES_SPF_PASS)
score LR_WASABI_AUTH -100
This now scores the Wasabi emails OK. Please feel free to tell me if this was a
really bad plan :)
Simon
