Path: ...!eternal-september.org!feeder2.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Marco Moock <mm+usenet-es@dorfdsl.de>
Newsgroups: comp.mail.sendmail
Subject: Re: dmarc=fail: sendmail, spf, dkim and opendmarc
Date: Wed, 13 Nov 2024 17:09:40 +0100
Organization: A noiseless patient Spider
Lines: 53
Message-ID: <20241113170940.4e091272@ryz.dorfdsl.de>
References: <8734jwnxoj.fsf@jemoni.to> <20241112204507.22816497@ryz.dorfdsl.de> <87h68clzko.fsf@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 13 Nov 2024 17:09:41 +0100 (CET)
Injection-Info: dont-email.me; posting-host="55af9603836a9c16cc52dcb050498309"; logging-data="2389693"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+WCJwQmixLlFydN8+mGzuP"
Cancel-Lock: sha1:/ND/vDiM9m4+f/i1OJ57GrXhUBQ=
Bytes: 2887

On 12.11.2024 at 21:58 Wolfgang Agnes wrote:

> Marco Moock <mm+usenet-es@dorfdsl.de> writes:
>
> > On 12.11.2024 at 14:56 Wolfgang Agnes wrote:
> >
> >> This is long because I had LogLevel=15. You'll see below that
> >> opendmarc adds the authentication-results header with a failure,
> >> but the spf and dkim headers appear to be correct. I show these
> >> two relevant log lines first and then I show the entire set of log
> >> lines in case it's useful.
> >
> > If you send outgoing mail, neither SPF nor DMARC must be checked
> > because they fail by design in this situation.
>
> Can you elaborate?

The SPF record of a domain includes IP addresses of the outgoing mail
servers. Your users have other IP addresses from anywhere in the world.
They use authentication to prove their identity. Maybe there are
milters to map such an identity to an email address, so address forging
can be prevented. SPF doesn't work for that.

DMARC needs DKIM and SPF to work and is intended for incoming mail.
As there is no Authentication-Results SPF header when mail is being
submitted, DMARC makes no sense here. If there is already a DKIM
signature, it could verify the policy, but that makes no sense in that
situation.

> > You need to configure the dmarc milter not to check if the mail is
> > being submitted from your clients (e.g. because they use auth or
> > come from your own IP ranges).
> > Sadly, I cannot tell you how to configure it to do that, I had the
> > same problem and I am currently not using any SPF nor dmarc
> > milters.
>
> Thanks! We've got IgnoreAuthenticatedClients, which eliminates ``the
> problem''. With this option enabled, OpenDMARC now only says it
> accepts the message---no questions asked.

Thanks! I was searching for that and didn't find it.

-- 
kind regards
Marco

Send spam to 1731445095muell@cartoonies.org