Merge branch 'jvolk-spf-opendd'

setup/dkim.sh

@@ -64,6 +64,59 @@ tools/editconf.py /etc/opendmarc.conf -s \
 	"Syslog=true" \
 	"Socket=inet:8893@[127.0.0.1]"
 
+# SPFIgnoreResults causes the filter to ignore any SPF results in the header
+# of the message. This is useful if you want the filter to perfrom SPF checks
+# itself, or because you don't trust the arriving header. This added header is
+# used by spamassassin to evaluate the mail for spamminess.
+#
+# Differences with mail-in-a-box/mailinabox (PR #1836):
+#
+#   mail-in-a-box/mailinabox uses opendmarc exclusively for SPF checks
+#   so sets the following two setting to true/true respectively.
+#
+#   Whereas, MIAB-LDAP uses policyd-spf to do SPF checks and sets them
+#   to false/false.
+#
+#   policyd-spf has been with with MIAB-LDAP since the fork and is
+#   working fine for SPF checks. It has a couple of additional
+#   benefits/differences over the opendmarc solution:
+#
+#     1. It does SPF checks on submission mail as well as smtpd mail,
+#        whereas opendmarc only does them on smtpd.
+#
+#     2. It rejects messages for "Fail" results whereas
+#        mail-in-a-box/mailinabox sets a spamassassin score of 5.0 to
+#        the message (see ./spamassassin.sh) *potentially* placing
+#        those messages in Spam (that will only occur if the sum of
+#        the other spamassassin scores assigned to the message aren't
+#        negative). "Softfail" is treated the same - both getting a
+#        spamassassin score of 5.0.
+#
+#     3. Although not currently used, policyd-spf has the ability for
+#        per-user configuration, whitelists, result overrides and
+#        other features, which might become useful.
+
+tools/editconf.py /etc/opendmarc.conf -s \
+        "SPFIgnoreResults=false"
+
+# SPFSelfValidate causes the filter to perform a fallback SPF check itself
+# when it can find no SPF results in the message header. If SPFIgnoreResults
+# is also set, it never looks for SPF results in headers and always performs
+# the SPF check itself when this is set. This added header is used by
+# spamassassin to evaluate the mail for spamminess.
+
+tools/editconf.py /etc/opendmarc.conf -s \
+        "SPFSelfValidate=false"
+
+# AlwaysAddARHeader Adds an "Authentication-Results:" header field even to
+# unsigned messages from domains with no "signs all" policy. The reported DKIM
+# result will be  "none" in such cases. Normally unsigned mail from non-strict
+# domains does not cause the results header field to be added. This added header
+# is used by spamassassin to evaluate the mail for spamminess.
+
+tools/editconf.py /etc/opendkim.conf -s \
+        "AlwaysAddARHeader=true"
+
 # Add OpenDKIM and OpenDMARC as milters to postfix, which is how OpenDKIM
 # intercepts outgoing mail to perform the signing (by adding a mail header)
 # and how they both intercept incoming mail to add Authentication-Results

setup/spamassassin.sh

@@ -67,6 +67,74 @@ tools/editconf.py /etc/spamassassin/local.cf -s \
 	"add_header all Report"=_REPORT_ \
 	"add_header all Score"=_SCORE_
 
+
+# Authentication-Results SPF/Dmarc checks
+# ---------------------------------------
+# OpenDKIM and OpenDMARC are configured to validate and add "Authentication-Results: ..."
+# headers by checking the sender's SPF & DMARC policies. Instead of blocking mail that fails
+# these checks, we can use these headers to evaluate the mail as spam.
+#
+# Our custom rules are added to their own file so that an update to the deb package config
+# does not remove our changes.
+#
+# We need to escape period's in $PRIMARY_HOSTNAME since spamassassin config uses regex.
+
+escapedprimaryhostname="${PRIMARY_HOSTNAME//./\\.}"
+
+cat > /etc/spamassassin/miab_spf_dmarc.cf << EOF
+# Evaluate DMARC Authentication-Results
+header DMARC_PASS Authentication-Results =~ /$escapedprimaryhostname; dmarc=pass/
+describe DMARC_PASS DMARC check passed
+score DMARC_PASS -0.1
+
+header DMARC_NONE Authentication-Results =~ /$escapedprimaryhostname; dmarc=none/
+describe DMARC_NONE DMARC record not found
+score DMARC_NONE 0.1
+
+header DMARC_FAIL_NONE Authentication-Results =~ /$escapedprimaryhostname; dmarc=fail \(p=none/
+describe DMARC_FAIL_NONE DMARC check failed (p=none)
+score DMARC_FAIL_NONE 2.0
+
+header DMARC_FAIL_QUARANTINE Authentication-Results =~ /$escapedprimaryhostname; dmarc=fail \(p=quarantine/
+describe DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
+score DMARC_FAIL_QUARANTINE 5.0
+
+header DMARC_FAIL_REJECT Authentication-Results =~ /$escapedprimaryhostname; dmarc=fail \(p=reject/
+describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
+score DMARC_FAIL_REJECT 10.0
+
+# Below are mail-in-a-box/mailinabox's settings for SPF (commented
+# out). Since we're using policyd-spf for SPF checks which adds a
+# "Received-SPF" header that spamassassin already examines, we only
+# need to set scores. Whereas, upstream is using opendmarc for SPF
+# checks so it requires additional header matching rules.
+
+## Evaluate SPF Authentication-Results
+#header SPF_PASS Authentication-Results =~ /$escapedprimaryhostname; spf=pass/
+#describe SPF_PASS SPF check passed
+#score SPF_PASS -0.1
+#
+#header SPF_NONE Authentication-Results =~ /$escapedprimaryhostname; spf=none/
+#describe SPF_NONE SPF record not found
+#score SPF_NONE 2.0
+#
+#header SPF_FAIL Authentication-Results =~ /$escapedprimaryhostname; spf=fail/
+#describe SPF_FAIL SPF check failed
+#score SPF_FAIL 5.0
+
+# MIAB-LDAP notes:
+#   1. Unless there is some special configuration, SPF_FAIL won't
+#      reach spamassassin. policyd-spf has already rejected the mail.
+#   2. The default score in spamassassin for SPF_SOFTFAIL is 1.0 and
+#      is overridden below.
+#   3. mail-in-a-box/mailinabox treats SPF Fail and Softfail the same
+#      (opendmarc sets spf=fail for either condition)
+score SPF_PASS -0.1
+score SPF_NONE 2.0
+score SPF_FAIL 5.0
+score SPF_SOFTFAIL 5.0
+EOF
+
 # Bayesean learning
 # -----------------
 #