From: Wolfgang Agnes <wagnes@example.com>
Newsgroups: comp.mail.sendmail
Subject: Re: dmarc=fail: sendmail, spf, dkim and opendmarc
Date: Tue, 12 Nov 2024 21:58:15 -0300
Organization: A noiseless patient Spider
Message-ID: <87h68clzko.fsf@example.com>
References: <8734jwnxoj.fsf@jemoni.to> <20241112204507.22816497@ryz.dorfdsl.de>

Marco Moock <mm+usenet-es@dorfdsl.de> writes:

> On 12.11.2024 at 14:56, Wolfgang Agnes wrote:
>
>> This is long because I had LogLevel=15. You'll see below that
>> opendmarc adds the authentication-results header with a failure, but
>> the spf and dkim headers appear to be correct. I show these two
>> relevant log lines first and then I show the entire set of log lines
>> in case it's useful.
>
> If you send outgoing mail, neither SPF nor DMARC must be checked
> because they fail by design in this situation.

Can you elaborate? I thought I could have authenticated users trying to
spoof mail. For instance, my domain may be antartida.xyz, but some
authenticated user could try to use, say, presidency.antartida.xyz or
something like that.

> You need to configure the dmarc milter not to check if the mail is
> being submitted from your clients (e.g. because they use auth or come
> from your own IP ranges).
> Sadly, I cannot tell you how to configure it to do that, I had the same
> problem and I am currently not using any SPF nor dmarc milters.

Thanks! We've got IgnoreAuthenticatedClients, which eliminates ``the
problem''.
With this option enabled, OpenDMARC now only says it accepts the
message---no questions asked.

--8<-------------------------------------------------------->8---
Nov 12 21:49:02 antartida sm-mta[81837]: 4AD0n2v0081837: milter=opendmarc, action=mail, accepted
--8<-------------------------------------------------------->8---

## IgnoreAuthenticatedClients { true | false }
## default "false"
##
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter.
#
IgnoreAuthenticatedClients true

(*) Other options

In the same spirit, there's also IgnoreHosts and IgnoreMailFrom.

## IgnoreHosts path
## default (internal)
##
## Specifies the path to a file that contains a list of hostnames, IP
## addresses, and/or CIDR expressions identifying hosts whose SMTP
## connections are to be ignored by the filter. If not specified, defaults
## to "127.0.0.1" only.
#
# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts

## IgnoreMailFrom domain[,...]
## default (none)
##
## Gives a list of domain names whose mail (based on the From: domain) is to
## be ignored by the filter. The list should be comma-separated. Matching
## against this list is case-insensitive. The default is an empty list,
## meaning no mail is ignored.
#
# IgnoreMailFrom example.com
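
An offline model of the three Ignore* options quoted above, for auditing which submissions a given opendmarc.conf exempts from DMARC evaluation. This is an added example, not part of the original post and not OpenDMARC's own code; `parse_conf`, `would_skip`, the sample addresses and the order in which the options are tested are assumptions.

```python
import ipaddress

# Constructed sample built from the option names quoted in the post.
SAMPLE_CONF = """\
## IgnoreAuthenticatedClients { true | false }
#
IgnoreAuthenticatedClients true
# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
# IgnoreMailFrom example.com
"""

def parse_conf(text):
    """Return the active (uncommented) 'Key value' settings."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf

def would_skip(conf, ignore_hosts, client_ip, authenticated, from_domain):
    """Name the option that exempts this message from the filter, or None.

    ignore_hosts is the content of the IgnoreHosts file as a list of entries.
    The order of the three tests is an assumption of this model.
    """
    if authenticated and conf.get("IgnoreAuthenticatedClients", "false").lower() == "true":
        return "IgnoreAuthenticatedClients"
    # Per the sample comments: without IgnoreHosts, only 127.0.0.1 is ignored.
    entries = ignore_hosts if "IgnoreHosts" in conf else ["127.0.0.1"]
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return "IgnoreHosts"
        except ValueError:
            continue  # hostname entry: would need DNS, not evaluated here
    domains = [d.strip().lower() for d in conf.get("IgnoreMailFrom", "").split(",")]
    if from_domain.lower() in [d for d in domains if d]:
        return "IgnoreMailFrom"
    return None

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    # Authenticated user with an arbitrary From: domain, as in the post's worry.
    print(would_skip(conf, [], "203.0.113.7", True, "presidency.antartida.xyz"))
    print(would_skip(conf, [], "203.0.113.7", False, "antartida.xyz"))
```

With IgnoreAuthenticatedClients set to true, the model reports the authenticated submission as exempt whatever its From: domain is, so the filter itself places no limit on the From: domains authenticated users send with.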