
amavis-dkim: How to discard mail with no or invalid signature


Gerhard Rappenecker

Jan 12, 2016, 9:03:40 AM
Hi all,

I'd like to discard, reject or quarantine mails from a specific domain, but only if they have no or no valid DKIM signature.

I suspect that's a trivial task but I'm a beginner working with postfix/amavis and cannot find any helpful documentation about this.

My environment:
postfix 2.11.6
amavisd-new-2.8.1
amavisd.conf:
$enable_dkim_verification = 1
$enable_dkim_signing = 1;

DKIM signing and verification work fine, but the mail is being delivered independent of the DKIM authentication result.

Can anyone help me?

Regards
Gerhard

Patrick Ben Koetter

Jan 12, 2016, 9:31:31 AM
* Gerhard Rappenecker <G.Rapp...@hs-offenburg.de>:
> Hi all,
>
> I'd like to discard, reject or quarantine mails from a specific domain, but only if they have no or no valid DKIM signature.

Do they serve DMARC DNS records?

p@rick



--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


A. Schulze

Jan 12, 2016, 12:09:45 PM


On 12.01.2016 at 15:03, Gerhard Rappenecker wrote:
> I'd like to discard, reject or quarantine mails from a specific domain, but only if they have no or no valid DKIM signature.

it's your policy but usually it's wrong to reject on no or no valid DKIM signature ¹)
You want DMARC but DMARC validation is not implemented in amavisd-new

we run a pipeline of milters here:
- smf-spf milter for SPF validation
- opendkim for DKIM validation
- opendmarc to inspect SPF+DKIM result and apply a policy
- amavisd-milter for content inspection

Andreas

¹) https://tools.ietf.org/html/rfc6376#section-6.1:
... a Verifier SHOULD NOT treat a message that has one or more
bad signatures and no good signatures differently from a message with
no signature at all.

Gerhard Rappenecker

Jan 13, 2016, 5:16:59 AM



>>> Patrick Ben Koetter <p...@sys4.de> wrote on Tuesday, 12 January 2016 at 15:30 in message <20160112143...@sys4.de>:
> * Gerhard Rappenecker <G.Rapp...@hs-offenburg.de>:
>> Hi all,
>>
>> I'd like to discard, reject or quarantine mails from a specific domain, but only if they have no or no valid DKIM signature.
>
> Do they serve DMARC DNS records?

no, they don't.

Gerhard

Gerhard Rappenecker

Jan 13, 2016, 6:02:41 AM
Hi Andreas,

thanks for your answer. I agree with you. That's not a usual policy.

My intention is to reject mail from outside with a faked sender address
of our own domain. In the past we were attacked by such mails to our
mailing lists.
So if I ensure that all mails originating from our domain have a valid
DKIM signature, it should be easy to identify and reject mails with our
sender domain and with no or an invalid DKIM signature.

I'd like to achieve this aim without DMARC because I want to use
amavisd-new installed in our SuSE linux.
Is there any way to do this without DMARC?

Best regards
Gerhard



Gerhard Rappenecker

Jan 13, 2016, 11:20:45 AM
Hello all,

thanks a lot for all answers.

It seems I have to use SPF or DMARC to get what I want. Unfortunately these components are not integrated in the SuSE Linux software distribution. I'd like to use only the onboard resources postfix, amavisd-new with DKIM, and spamassassin because of automatic updating.

Is there actually no way in amavis (or spamassassin) to reject/quarantine mails from a specific sender with no or an invalid DKIM signature?
Is there any way to reject those mails in postfix after amavis has verified DKIM?

I've already tried to check the headers in postfix for DKIM's "Authentication-Results", but "header_checks" take place before the DKIM verification and "smtp_header_checks" do not allow cutting off the mail delivery.

Hope anyone can help me

best regards
Gerhard


>>> Maurizio Marini <mau...@datalogica.com> wrote on Wednesday, 13 January 2016 at 12:27 in message <20160113122726....@datalogica.com>:
> On Wed, 13 Jan 2016 12:01:52 +0100
> "Gerhard Rappenecker" <G.Rapp...@hs-offenburg.de> wrote:
>
>> My intention is, to reject mail from outside with a faked sender adress
>> of our own domain. In the past we were attacked by such mails to our
>> mailinglists.
> Hello Gerhard
> I use spf with -all instead of ~all to do exactly what you want.
> I do not receive any more spam with my domain in the from address
> I mean: @datalogica.com
> -m

Matthias Weigel

Jan 13, 2016, 1:07:11 PM
Hello Gerhard,

you could try a custom spamassassin rule.

These rules go into ~amavis/.spamassassin/user_prefs

There are already some SPF/DKIM rules in spamassassin. See file
25_spf.cf or 25_dkim.cf of spamassassin.

# Then you create a rule to identify your domain:
header MY_FROM From =~ /example.com/i
describe MY_FROM Sender is from example.com

# Now you create a rule to combine them:
meta MY_FROM_WITHOUT_SPF MY_FROM && (SPF_NONE || SPF_FAIL)
describe MY_FROM_WITHOUT_SPF Sender is from my domain, but has no SPF
score MY_FROM_WITHOUT_SPF 9

# or:
meta MY_FROM_WITHOUT_DKIM MY_FROM && !DKIM_VALID
describe MY_FROM_WITHOUT_DKIM Sender is from my domain, but has no DKIM
score MY_FROM_WITHOUT_DKIM 9

The high score tells amavis to quarantine such mails.

Please check, if the above criteria are really useful for you. Have a
look in /usr/share/spamassassin/ . Maybe some other criteria is more
appropriate?

Test before using this in production. See "debug-sa" parameter to amavis.

Best Regards

Matthias

Gerhard Rappenecker

Jan 14, 2016, 10:25:25 AM
Hello Matthias,

that works! Thanks a lot!

In my SuSE Linux I put the rules MY_FROM and MY_FROM_WITHOUT_DKIM in /etc/mail/spamassassin/local.cf:

To avoid checking the originating mails, which don't have a DKIM signature at this point, I bypass the spam check in amavisd.conf with:
$policy_bank{'MYNETS'} = {
...
bypass_spam_checks_maps => [1]
};
$policy_bank{'ORIGINATING'} = {
...
bypass_spam_checks_maps => [1]
};
I think this could be done better.
Is it possible to bypass DKIM-checking for originating mails in spamassassin instead of bypassing the spam check at all for such mails?

Now amavisd-new quarantines positive mails to /var/spool/amavis/virusmails and also delivers them.
How can I manage to discard them instead, or to do something else? (I'm a beginner with amavis ;)

Is there any notification/cleaning tool in amavis to manage the quarantine files?

Best regards
Gerhard



Matthias Weigel

Jan 14, 2016, 11:16:54 AM
Hello Gerhard,

try this in user_prefs (or your local.cf):

internal_networks = ... (your internal Mailsystems IPs here)
trusted_networks = ... (your internal Mailsystems IPs here)

then you can use ALL_TRUSTED in the rules. E.g. like this:

meta MY_FROM_WITHOUT_DKIM MY_FROM && !DKIM_VALID && !ALL_TRUSTED



For quarantine management there are multiple possible solutions:
- mark only and forward to the user. User creates his own quarantine
rule in his mailer.
- send everything to a different quarantine mail system.
- create your own cron scripts to send summary quarantine reports to users.
- amavisd-release
- Frontends like Maia Mailguard or others.



To discard the original mail use this in amavisd.conf :
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;


Best Regards

Matthias
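The meta rules from the two replies above (MY_FROM && !DKIM_VALID in the first, refined with !ALL_TRUSTED in the second) as a stand-alone Python model, so the decision can be exercised on test messages before a rule goes into local.cf. This is an added example and not code from the thread, from amavisd-new or from SpamAssassin. It assumes example.com as the protected domain, mx.example.com as the verifier's authserv-id and 192.0.2.0/24 as the internal network, and every sample message is constructed. It also shows two things the posted rules leave open: "From =~ /example.com/i" is unanchored, so a display name or look-alike domain matches it too, and DKIM_VALID is satisfied by any verified signature, including one a spoofer adds under their own domain, whereas SpamAssassin's DKIM_VALID_AU requires the signing domain to match the From: domain.

```python
"""Added example, not code from the thread: a stand-alone model of the
SpamAssassin meta rule  MY_FROM && !DKIM_VALID && !ALL_TRUSTED  proposed
above, to test the decision on constructed messages before it goes into
local.cf.  Domain, authserv-id, networks and sample mails are assumptions."""
import email
import ipaddress
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                              # assumed protected domain
AUTHSERV_ID = "mx.example.com"                          # assumed verifier authserv-id
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed internal_networks

AR_DKIM_RE = re.compile(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", re.I)
RCVD_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def naive_my_from(raw):
    """The posted `header MY_FROM From =~ /example.com/i`: unanchored, so it
    also fires on display names and look-alike domains."""
    frm = email.message_from_string(raw).get("From", "")
    return re.search(OUR_DOMAIN, frm, re.I) is not None

def from_domain(msg):
    """Domain of the real From: address, via an address parser."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def dkim_results(msg):
    """(result, d=) pairs from Authentication-Results headers stamped with our
    own authserv-id.  Senders can insert fake A-R headers, so the MX is
    assumed to strip incoming ones that claim AUTHSERV_ID before this runs."""
    pairs = []
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, rest = ar.partition(";")
        if authserv.strip().lower() == AUTHSERV_ID:
            pairs += [(r.lower(), d.lower()) for r, d in AR_DKIM_RE.findall(rest)]
    return pairs

def dkim_valid(msg):
    """Like SpamAssassin's DKIM_VALID: some signature, from any domain, verified."""
    return any(r == "pass" for r, _ in dkim_results(msg))

def dkim_valid_aligned(msg):
    """Like DKIM_VALID_AU: a verified signature whose d= is the From: domain
    or a subdomain of it (relaxed, DMARC-style alignment)."""
    fd = from_domain(msg)
    return bool(fd) and any(r == "pass" and (d == fd or d.endswith("." + fd))
                            for r, d in dkim_results(msg))

def from_trusted_relay(msg):
    """Simplified ALL_TRUSTED: the client IP in the topmost Received: header
    (the one our MX wrote) lies inside TRUSTED_NETS."""
    rcvd = msg.get_all("Received", [])
    m = RCVD_IP_RE.search(rcvd[0]) if rcvd else None
    return m is not None and any(ipaddress.ip_address(m.group(1)) in n for n in TRUSTED_NETS)

def classify(raw, require_alignment=True):
    """'quarantine' for mail that claims OUR_DOMAIN, arrived from outside and
    carries no acceptable signature; otherwise 'pass' (other rules decide)."""
    msg = email.message_from_string(raw)
    if from_domain(msg) != OUR_DOMAIN or from_trusted_relay(msg):
        return "pass"      # not ours, or our own outbound mail (signed later)
    ok = dkim_valid_aligned(msg) if require_alignment else dkim_valid(msg)
    return "pass" if ok else "quarantine"

# Constructed sample messages; IPs are documentation ranges, not real hosts.
LEGIT = """\
Received: from mail.partner.invalid (mail.partner.invalid [203.0.113.5]) by mx.example.com
Authentication-Results: mx.example.com; dkim=pass header.d=example.com header.i=@example.com
From: Alice <alice@example.com>
"""
SPOOF_UNSIGNED = """\
Received: from unknown (HELO example.com [203.0.113.77]) by mx.example.com
Authentication-Results: mx.example.com; dkim=none
From: admin@example.com
"""
SPOOF_FOREIGN_SIG = """\
Received: from relay.attacker.invalid (relay.attacker.invalid [203.0.113.78]) by mx.example.com
Authentication-Results: mx.example.com; dkim=pass header.d=attacker.invalid
From: admin@example.com
"""
INTERNAL_UNSIGNED = """\
Received: from ws42.example.com (ws42.example.com [192.0.2.10]) by mx.example.com
From: bob@example.com
"""
LOOKALIKE = """\
Received: from relay.attacker.invalid (relay.attacker.invalid [203.0.113.79]) by mx.example.com
Authentication-Results: mx.example.com; dkim=none
From: "example.com helpdesk" <help@attacker.invalid>
"""
SAMPLES = {"LEGIT": LEGIT, "SPOOF_UNSIGNED": SPOOF_UNSIGNED, "SPOOF_FOREIGN_SIG": SPOOF_FOREIGN_SIG,
           "INTERNAL_UNSIGNED": INTERNAL_UNSIGNED, "LOOKALIKE": LOOKALIKE}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} aligned={classify(raw):10} any_sig={classify(raw, False)}"
              f" naive_from_match={naive_my_from(raw)}")
```

Run it and compare the two columns for SPOOF_FOREIGN_SIG: the any-signature variant (the posted !DKIM_VALID) lets a spoof through as soon as the sender signs with their own key, the aligned variant does not. In local.cf the closest equivalent is a meta rule on !DKIM_VALID_AU instead of !DKIM_VALID, with MY_FROM matching the address part of From: rather than the whole header; as the first reply says, test it with debug-sa before it scores anything in production.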