diff --git a/setup/dkim.sh b/setup/dkim.sh
index 05221b27..b8bc29d9 100755
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@@ -68,9 +68,36 @@ tools/editconf.py /etc/opendmarc.conf -s \
 # of the message. This is useful if you want the filter to perfrom SPF checks
 # itself, or because you don't trust the arriving header. This added header is
 # used by spamassassin to evaluate the mail for spamminess.
+#
+# Differences with mail-in-a-box/mailinabox (PR #1836):
+#
+# mail-in-a-box/mailinabox uses opendmarc exclusively for SPF checks
+# so sets the following two setting to true/true respectively.
+#
+# Whereas, MIAB-LDAP uses policyd-spf to do SPF checks and sets them
+# to false/false.
+#
+# policyd-spf has been with with MIAB-LDAP since the fork and is
+# working fine for SPF checks. It has a couple of additional
+# benefits/differences over the opendmarc solution:
+#
+# 1. It does SPF checks on submission mail as well as smtpd mail,
+# whereas opendmarc only does them on smtpd.
+#
+# 2. It rejects messages for "Fail" results whereas
+# mail-in-a-box/mailinabox sets a spamassassin score of 5.0 to
+# the message (see ./spamassassin.sh) *potentially* placing
+# those messages in Spam (that will only occur if the sum of
+# the other spamassassin scores assigned to the message aren't
+# negative). "Softfail" is treated the same - both getting a
+# spamassassin score of 5.0.
+#
+# 3. Although not currently used, policyd-spf has the ability for
+# per-user configuration, whitelists, result overrides and
+# other features, which might become useful.
 tools/editconf.py /etc/opendmarc.conf -s \
- "SPFIgnoreResults=true"
+ "SPFIgnoreResults=false"
 # SPFSelfValidate causes the filter to perform a fallback SPF check itself
 # when it can find no SPF results in the message header. If SPFIgnoreResults
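Review bot: Setting `SPFIgnoreResults=false` here and `SPFSelfValidate=false` in the next hunk makes opendmarc's SPF input depend entirely on a result header added before it runs, and the new comment block does not say which header that is or why it can be trusted. The unchanged context just above says ignoring results is for when "you don't trust the arriving header", so the comment should record that the header written by policyd-spf on this host is the one opendmarc is expected to read, and that a sender-supplied Received-SPF or Authentication-Results line cannot take its place; I can't confirm that from these hunks. With self-validation off there is also no fallback when policyd-spf skips a message (a whitelisted or locally submitted one, for example), so DMARC for that message would presumably rest on DKIM alone; keeping `"SPFSelfValidate=true"` would cover that case without overriding policyd-spf's results. The added text also has two typos, "two setting" and "been with with".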
@@ -79,7 +106,7 @@ tools/editconf.py /etc/opendmarc.conf -s \
 # spamassassin to evaluate the mail for spamminess.
 tools/editconf.py /etc/opendmarc.conf -s \
- "SPFSelfValidate=true"
+ "SPFSelfValidate=false"
 # AlwaysAddARHeader Adds an "Authentication-Results:" header field even to
 # unsigned messages from domains with no "signs all" policy. The reported DKIM
diff --git a/setup/spamassassin.sh b/setup/spamassassin.sh
index 989bbff4..2f8c1a6b 100755
--- a/setup/spamassassin.sh
+++ b/setup/spamassassin.sh
@@ -103,18 +103,36 @@ header DMARC_FAIL_REJECT Authentication-Results =~ /$escapedprimaryhostname; dma
 describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
 score DMARC_FAIL_REJECT 10.0
-# Evaluate SPF Authentication-Results
-header SPF_PASS Authentication-Results =~ /$escapedprimaryhostname; spf=pass/
-describe SPF_PASS SPF check passed
+# Below are mail-in-a-box/mailinabox's settings for SPF (commented
+# out). Since we're using policyd-spf for SPF checks which adds a
+# "Received-SPF" header that spamassassin already examines, we only
+# need to set scores. Whereas, upstream is using opendmarc for SPF
+# checks so it requires additional header matching rules.
+
+## Evaluate SPF Authentication-Results
+#header SPF_PASS Authentication-Results =~ /$escapedprimaryhostname; spf=pass/
+#describe SPF_PASS SPF check passed
+#score SPF_PASS -0.1
+#
+#header SPF_NONE Authentication-Results =~ /$escapedprimaryhostname; spf=none/
+#describe SPF_NONE SPF record not found
+#score SPF_NONE 2.0
+#
+#header SPF_FAIL Authentication-Results =~ /$escapedprimaryhostname; spf=fail/
+#describe SPF_FAIL SPF check failed
+#score SPF_FAIL 5.0
+
+# MIAB-LDAP notes:
+# 1. Unless there is some special configuration, SPF_FAIL won't
+# reach spamassassin. policyd-spf has already rejected the mail.
+# 2. The default score in spamassassin for SPF_SOFTFAIL is 1.0 and
+# is overridden below.
+# 3. mail-in-a-box/mailinabox treats SPF Fail and Softfail the same
+# (opendmarc sets spf=fail for either condition)
 score SPF_PASS -0.1
-
-header SPF_NONE Authentication-Results =~ /$escapedprimaryhostname; spf=none/
-describe SPF_NONE SPF record not found
 score SPF_NONE 2.0
-
-header SPF_FAIL Authentication-Results =~ /$escapedprimaryhostname; spf=fail/
-describe SPF_FAIL SPF check failed
 score SPF_FAIL 5.0
+score SPF_SOFTFAIL 5.0
 EOF
 # Bayesean learning
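Review bot: Dropping the `header SPF_*` rules removes the `$escapedprimaryhostname` anchor that tied each score to a result stamped by this host, so the bare `score SPF_PASS -0.1` through `score SPF_SOFTFAIL 5.0` lines now apply to SpamAssassin's built-in SPF rules instead. Those rules choose which Received-SPF header to believe from SpamAssassin's relay trust settings (`trusted_networks` / `internal_networks`), which are not visible in this hunk, and they only exist when the SPF plugin is loaded. The MIAB-LDAP notes should state both dependencies, for example `# Scores below apply to SpamAssassin's built-in SPF plugin rules; they rely on the Received-SPF header added by policyd-spf on this host.` above the scores. The heredoc this hunk edits starts outside the hunk, so I can't see how it is written out or linted.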