Re: dmarc=fail: sendmail, spf, dkim and opendmarc

Subject: Re: dmarc=fail: sendmail, spf, dkim and opendmarc
From: wagnes (at) *nospam* example.com (Wolfgang Agnes)
Newsgroups: comp.mail.sendmail
Date: 13 Nov 2024, 01:58:15
Organization: A noiseless patient Spider
Message-ID: <87h68clzko.fsf@example.com>
Marco Moock <mm+usenet-es@dorfdsl.de> writes:

> On 12.11.2024 at 14:56 Wolfgang Agnes wrote:
>
>> This is long because I had LogLevel=15.  You'll see below that
>> opendmarc adds the authentication-results header with a failure, but
>> the spf and dkim headers appear to be correct.  I show these two
>> relevant log lines first and then I show the entire set of log lines
>> in case it's useful.
>
> If you send outgoing mail, neither SPF nor DMARC must be checked
> because they fail by design in this situation.

Can you elaborate?  I thought I could have authenticated users trying to
spoof mail.  For instance, my domain may be antartida.xyz, but some
authenticated user could try to use, say, presidency.antartida.xyz or
something like that.

> You need to configure the dmarc milter not to check if the mail is
> being submitted from your clients (e.g. because they use auth or come
> from your own IP ranges).
> Sadly, I cannot tell you how to configure it to do that, I had the same
> problem and I am currently not using any SPF nor dmarc milters.

Thanks!  We've got IgnoreAuthenticatedClients, which eliminates ``the
problem''.  With this option enabled, OpenDMARC now only says it
accepts the message---no questions asked.

--8<-------------------------------------------------------->8---
Nov 12 21:49:02 antartida sm-mta[81837]: 4AD0n2v0081837: milter=opendmarc, action=mail, accepted
--8<-------------------------------------------------------->8---

##  IgnoreAuthenticatedClients { true | false }
##      default "false"
##
##  If set, causes mail from authenticated clients (i.e., those that used
##  SMTP AUTH) to be ignored by the filter.
#
IgnoreAuthenticatedClients true

(*) Other options

In the same spirit, there's also IgnoreHosts and IgnoreMailFrom.

##  IgnoreHosts path
##      default (internal)
##
##  Specifies the path to a file that contains a list of hostnames, IP
##  addresses, and/or CIDR expressions identifying hosts whose SMTP
##  connections are to be ignored by the filter.  If not specified, defaults
##  to "127.0.0.1" only.
#
# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts

##  IgnoreMailFrom domain[,...]
##      default (none)
##
##  Gives a list of domain names whose mail (based on the From: domain) is to
##  be ignored by the filter.  The list should be comma-separated.  Matching
##  against this list is case-insensitive.  The default is an empty list,
##  meaning no mail is ignored.
#
# IgnoreMailFrom example.com
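
An added example (not part of the post and not OpenDMARC's code): a small Python model of the three options quoted above, reporting which one would make the filter ignore a given message. The function names, sample configuration, addresses and the order of the checks are assumptions of this sketch, and only the literal `true` is treated as enabling the boolean option.

```python
import ipaddress

# Constructed sample mirroring the settings quoted in the post.
SAMPLE_CONF = """\
IgnoreAuthenticatedClients true
# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
# IgnoreMailFrom example.com
"""

def parse_conf(text):
    """Parse 'Key value' lines; '#' starts a comment. Keys are lower-cased."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def host_listed(entries, client_ip, client_name):
    """True if the client matches an IP address, CIDR or hostname entry."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # not an IP/CIDR, so compare as a hostname
            if client_name and entry.lower() == client_name.lower():
                return True
    return False

def skip_reason(conf, ignore_hosts, client_ip, client_name, authenticated, from_domain):
    """Name the option that makes the filter ignore this message, or None.

    ignore_hosts stands in for the contents of the IgnoreHosts file.
    Check order is this model's choice, not taken from OpenDMARC.
    """
    if authenticated and conf.get("ignoreauthenticatedclients", "false").lower() == "true":
        return "IgnoreAuthenticatedClients"
    # Documented default: only 127.0.0.1 is ignored when IgnoreHosts is unset.
    entries = ignore_hosts if "ignorehosts" in conf else ["127.0.0.1"]
    if host_listed(entries, client_ip, client_name):
        return "IgnoreHosts"
    listed = {d.strip().lower() for d in conf.get("ignoremailfrom", "").split(",") if d.strip()}
    if from_domain.lower() in listed:
        return "IgnoreMailFrom"
    return None
```

In this model, an authenticated sender using a From: domain such as presidency.antartida.xyz also returns `IgnoreAuthenticatedClients`, so the quoted setting skips the check for every SMTP AUTH sender regardless of the From: domain.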
