Implement SPF/DMARC checks, add spam weight to those mails #1836
I've installed this on my machine. Works like a charm! Thanks for this 👍
Looks like it's operating correctly for me. I've gotten two false positives so far (which for me is a lot, not surprisingly the previous Mail-in-a-Box defaults worked flawlessly for me), in the sense that they were legitimate emails but seemed to have improperly configured SPF.
The default score for softfail appears to be 1.0.
A score of 5.0 for SPF_FAIL won't always send the message to spam due to negative scoring like in the above. Not sure if that was intended or not.
If I drop off a message to the submission port, there is no SPF information at all in the delivered message. Is a DKIM signature required for SPF checks?
What happens if a milter timeout occurs (http://www.postfix.org/MILTER_README.html#timeouts)? Which timeouts apply for SPF checks? Even if you summed up all the milter timeouts they're still significantly shorter than what is recommended by Ubuntu with policyd-spf-python (https://help.ubuntu.com/community/Postfix/SPF).
The PR configuration does not differentiate between A simple failure of SPF does not need to cause the message to be declared as spam. An SPF failure is usually accompanied with other modifiers, so will either be declared not spam or spam based on other scores in the message.
The primary purpose of this change, as referenced in the issue linked to this PR (which I would request you please review every post there), is to make spoofed emails landing in an inbox non-trivial. Issues related to trusted hosts I would consider outside the scope of my original issue.
No.
Why does
SPF_SOFTFAIL score (1.0) occurs when "Received-SPF: Softfail" is present in the mail headers. For me, that occurs because I'm using policyd-spf, which adds it. If you don't care to differentiate, cool.

The dkim milter appears to be the only milter attached to submission. I guess this means incoming mail from submission is not SPF checked. That appears to be true in this configuration. policyd-spf does SPF checks on submission mail, btw.

Regarding timeouts. I don't have answers. I presume they're related to bind timeouts. No idea what those are. Maybe 30 seconds for a single DNS query, worst case according to this serverfault post (#1836 (comment)) on bind10. There might be more than 1 query, right? But forgetting all that. The question I posed was "what happens if a milter timeout occurs?" I don't know, but I thought it might be nice to know.

Thanks for this great work.
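Added example, not part of the thread or of the PR's code: a simplified model of the scoring points raised in the comments above (a `Received-SPF` header driving SPF_SOFTFAIL at 1.0 or SPF_FAIL at 5.0, negative rules offsetting a fail, and submission mail carrying no SPF header). The threshold of 5.0, the rule name `EXAMPLE_NEGATIVE_RULE`, its score and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

# Scores quoted in the thread: 5.0 for SPF_FAIL, 1.0 (default) for SPF_SOFTFAIL.
SPF_SCORES = {"fail": ("SPF_FAIL", 5.0), "softfail": ("SPF_SOFTFAIL", 1.0)}
REQUIRED_SCORE = 5.0  # assumption: spam threshold, not stated in the thread

# Constructed sample messages (documentation addresses, not real mail).
FAIL_MSG = (
    "Received-SPF: Fail (constructed sample) identity=mailfrom; client-ip=192.0.2.10\n"
    "From: sender@example.com\nSubject: spoofed\n\nbody\n"
)
SOFTFAIL_MSG = FAIL_MSG.replace("Received-SPF: Fail", "Received-SPF: Softfail")
# Mail dropped off at the submission port: no Received-SPF header at all.
SUBMISSION_MSG = "From: user@example.com\nSubject: submitted\n\nbody\n"


def spf_result(raw_message):
    """Return the lower-cased result keyword of the first Received-SPF header, or None."""
    header = message_from_string(raw_message).get("Received-SPF")
    parts = header.split() if header else []
    return parts[0].strip(";").lower() if parts else None


def classify(raw_message, other_rules):
    """Add the SPF rule (if any) to the other rule hits; return (total, is_spam, hits)."""
    hits = dict(other_rules)
    result = spf_result(raw_message)
    if result in SPF_SCORES:
        name, score = SPF_SCORES[result]
        hits[name] = score
    total = round(sum(hits.values()), 1)
    return total, total >= REQUIRED_SCORE, hits


if __name__ == "__main__":
    negative = {"EXAMPLE_NEGATIVE_RULE": -1.5}  # hypothetical rule and score
    for label, msg, rules in [
        ("SPF fail alone", FAIL_MSG, {}),
        ("SPF fail + negative rule", FAIL_MSG, negative),
        ("SPF softfail", SOFTFAIL_MSG, {}),
        ("submission, no SPF header", SUBMISSION_MSG, {}),
    ]:
        total, is_spam, hits = classify(msg, rules)
        print(f"{label}: total={total} spam={is_spam} hits={hits}")
```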
I also used I may be misunderstanding the postfix page, but it seems the timeout refers to each request to a milter, so the OpenDMARC requests are separate from other requests. When I run
As I said in #1755 but repeating here, I think folks are in agreement that this is ready to be merged. Speak now or forever hold your peace. :) If there are no objections, I'll merge. I really appreciate all the efforts here both in figuring out the configuration changes and in the discussions vetting its reliability.
Fixes #1755
Comments welcome.