mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2025-04-04 00:17:06 +00:00
Modify the handling of SPF checks and spam rules for policyd-spf
This commit is contained in:
parent
4661a29248
commit
4cc672e852
@ -68,9 +68,36 @@ tools/editconf.py /etc/opendmarc.conf -s \
|
||||
# of the message. This is useful if you want the filter to perfrom SPF checks
|
||||
# itself, or because you don't trust the arriving header. This added header is
|
||||
# used by spamassassin to evaluate the mail for spamminess.
|
||||
#
|
||||
# Differences with mail-in-a-box/mailinabox (PR #1836):
|
||||
#
|
||||
# mail-in-a-box/mailinabox uses opendmarc exclusively for SPF checks
|
||||
# so sets the following two setting to true/true respectively.
|
||||
#
|
||||
# Whereas, MIAB-LDAP uses policyd-spf to do SPF checks and sets them
|
||||
# to false/false.
|
||||
#
|
||||
# policyd-spf has been with with MIAB-LDAP since the fork and is
|
||||
# working fine for SPF checks. It has a couple of additional
|
||||
# benefits/differences over the opendmarc solution:
|
||||
#
|
||||
# 1. It does SPF checks on submission mail as well as smtpd mail,
|
||||
# whereas opendmarc only does them on smtpd.
|
||||
#
|
||||
# 2. It rejects messages for "Fail" results whereas
|
||||
# mail-in-a-box/mailinabox sets a spamassassin score of 5.0 to
|
||||
# the message (see ./spamassassin.sh) *potentially* placing
|
||||
# those messages in Spam (that will only occur if the sum of
|
||||
# the other spamassassin scores assigned to the message aren't
|
||||
# negative). "Softfail" is treated the same - both getting a
|
||||
# spamassassin score of 5.0.
|
||||
#
|
||||
# 3. Although not currently used, policyd-spf has the ability for
|
||||
# per-user configuration, whitelists, result overrides and
|
||||
# other features, which might become useful.
|
||||
|
||||
tools/editconf.py /etc/opendmarc.conf -s \
|
||||
"SPFIgnoreResults=true"
|
||||
"SPFIgnoreResults=false"
|
||||
|
||||
# SPFSelfValidate causes the filter to perform a fallback SPF check itself
|
||||
# when it can find no SPF results in the message header. If SPFIgnoreResults
|
||||
@ -79,7 +106,7 @@ tools/editconf.py /etc/opendmarc.conf -s \
|
||||
# spamassassin to evaluate the mail for spamminess.
|
||||
|
||||
tools/editconf.py /etc/opendmarc.conf -s \
|
||||
"SPFSelfValidate=true"
|
||||
"SPFSelfValidate=false"
|
||||
|
||||
# AlwaysAddARHeader Adds an "Authentication-Results:" header field even to
|
||||
# unsigned messages from domains with no "signs all" policy. The reported DKIM
|
||||
|
@ -103,18 +103,36 @@ header DMARC_FAIL_REJECT Authentication-Results =~ /$escapedprimaryhostname; dma
|
||||
describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
|
||||
score DMARC_FAIL_REJECT 10.0
|
||||
|
||||
# Evaluate SPF Authentication-Results
|
||||
header SPF_PASS Authentication-Results =~ /$escapedprimaryhostname; spf=pass/
|
||||
describe SPF_PASS SPF check passed
|
||||
# Below are mail-in-a-box/mailinabox's settings for SPF (commented
|
||||
# out). Since we're using policyd-spf for SPF checks which adds a
|
||||
# "Received-SPF" header that spamassassin already examines, we only
|
||||
# need to set scores. Whereas, upstream is using opendmarc for SPF
|
||||
# checks so it requires additional header matching rules.
|
||||
|
||||
## Evaluate SPF Authentication-Results
|
||||
#header SPF_PASS Authentication-Results =~ /$escapedprimaryhostname; spf=pass/
|
||||
#describe SPF_PASS SPF check passed
|
||||
#score SPF_PASS -0.1
|
||||
#
|
||||
#header SPF_NONE Authentication-Results =~ /$escapedprimaryhostname; spf=none/
|
||||
#describe SPF_NONE SPF record not found
|
||||
#score SPF_NONE 2.0
|
||||
#
|
||||
#header SPF_FAIL Authentication-Results =~ /$escapedprimaryhostname; spf=fail/
|
||||
#describe SPF_FAIL SPF check failed
|
||||
#score SPF_FAIL 5.0
|
||||
|
||||
# MIAB-LDAP notes:
|
||||
# 1. Unless there is some special configuration, SPF_FAIL won't
|
||||
# reach spamassassin. policyd-spf has already rejected the mail.
|
||||
# 2. The default score in spamassassin for SPF_SOFTFAIL is 1.0 and
|
||||
# is overridden below.
|
||||
# 3. mail-in-a-box/mailinabox treats SPF Fail and Softfail the same
|
||||
# (opendmarc sets spf=fail for either condition)
|
||||
score SPF_PASS -0.1
|
||||
|
||||
header SPF_NONE Authentication-Results =~ /$escapedprimaryhostname; spf=none/
|
||||
describe SPF_NONE SPF record not found
|
||||
score SPF_NONE 2.0
|
||||
|
||||
header SPF_FAIL Authentication-Results =~ /$escapedprimaryhostname; spf=fail/
|
||||
describe SPF_FAIL SPF check failed
|
||||
score SPF_FAIL 5.0
|
||||
score SPF_SOFTFAIL 5.0
|
||||
EOF
|
||||
|
||||
# Bayesean learning
|
||||
|
Loading…
Reference in New Issue
Block a user