Modify the handling of SPF checks and spam rules for policyd-spf

setup/dkim.sh

@@ -68,9 +68,36 @@ tools/editconf.py /etc/opendmarc.conf -s \
 # of the message. This is useful if you want the filter to perfrom SPF checks
 # itself, or because you don't trust the arriving header. This added header is
 # used by spamassassin to evaluate the mail for spamminess.
+#
+# Differences with mail-in-a-box/mailinabox (PR #1836):
+#
+#   mail-in-a-box/mailinabox uses opendmarc exclusively for SPF checks
+#   so sets the following two setting to true/true respectively.
+#
+#   Whereas, MIAB-LDAP uses policyd-spf to do SPF checks and sets them
+#   to false/false.
+#
+#   policyd-spf has been with with MIAB-LDAP since the fork and is
+#   working fine for SPF checks. It has a couple of additional
+#   benefits/differences over the opendmarc solution:
+#
+#     1. It does SPF checks on submission mail as well as smtpd mail,
+#        whereas opendmarc only does them on smtpd.
+#
+#     2. It rejects messages for "Fail" results whereas
+#        mail-in-a-box/mailinabox sets a spamassassin score of 5.0 to
+#        the message (see ./spamassassin.sh) *potentially* placing
+#        those messages in Spam (that will only occur if the sum of
+#        the other spamassassin scores assigned to the message aren't
+#        negative). "Softfail" is treated the same - both getting a
+#        spamassassin score of 5.0.
+#
+#     3. Although not currently used, policyd-spf has the ability for
+#        per-user configuration, whitelists, result overrides and
+#        other features, which might become useful.
 
 tools/editconf.py /etc/opendmarc.conf -s \
-        "SPFIgnoreResults=true"
+        "SPFIgnoreResults=false"
 
 # SPFSelfValidate causes the filter to perform a fallback SPF check itself
 # when it can find no SPF results in the message header. If SPFIgnoreResults
@@ -79,7 +106,7 @@ tools/editconf.py /etc/opendmarc.conf -s \
 # spamassassin to evaluate the mail for spamminess.
 
 tools/editconf.py /etc/opendmarc.conf -s \
-        "SPFSelfValidate=true"
+        "SPFSelfValidate=false"
 
 # AlwaysAddARHeader Adds an "Authentication-Results:" header field even to
 # unsigned messages from domains with no "signs all" policy. The reported DKIM

setup/spamassassin.sh

@@ -103,18 +103,36 @@ header DMARC_FAIL_REJECT Authentication-Results =~ /$escapedprimaryhostname; dma
 describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
 score DMARC_FAIL_REJECT 10.0
 
-# Evaluate SPF Authentication-Results
-header SPF_PASS Authentication-Results =~ /$escapedprimaryhostname; spf=pass/
-describe SPF_PASS SPF check passed
+# Below are mail-in-a-box/mailinabox's settings for SPF (commented
+# out). Since we're using policyd-spf for SPF checks which adds a
+# "Received-SPF" header that spamassassin already examines, we only
+# need to set scores. Whereas, upstream is using opendmarc for SPF
+# checks so it requires additional header matching rules.
+
+## Evaluate SPF Authentication-Results
+#header SPF_PASS Authentication-Results =~ /$escapedprimaryhostname; spf=pass/
+#describe SPF_PASS SPF check passed
+#score SPF_PASS -0.1
+#
+#header SPF_NONE Authentication-Results =~ /$escapedprimaryhostname; spf=none/
+#describe SPF_NONE SPF record not found
+#score SPF_NONE 2.0
+#
+#header SPF_FAIL Authentication-Results =~ /$escapedprimaryhostname; spf=fail/
+#describe SPF_FAIL SPF check failed
+#score SPF_FAIL 5.0
+
+# MIAB-LDAP notes:
+#   1. Unless there is some special configuration, SPF_FAIL won't
+#      reach spamassassin. policyd-spf has already rejected the mail.
+#   2. The default score in spamassassin for SPF_SOFTFAIL is 1.0 and
+#      is overridden below.
+#   3. mail-in-a-box/mailinabox treats SPF Fail and Softfail the same
+#      (opendmarc sets spf=fail for either condition)
 score SPF_PASS -0.1
-
-header SPF_NONE Authentication-Results =~ /$escapedprimaryhostname; spf=none/
-describe SPF_NONE SPF record not found
 score SPF_NONE 2.0
-
-header SPF_FAIL Authentication-Results =~ /$escapedprimaryhostname; spf=fail/
-describe SPF_FAIL SPF check failed
 score SPF_FAIL 5.0
+score SPF_SOFTFAIL 5.0
 EOF
 
 # Bayesean learning