Re: Opendkim on-(error) configs for production systems?
Andreas
I understand your principle, kind of, but I think I don't understand what On-SignatureError implies. I'd appreciate getting this straightened out. It seems to me that most of my checking is working correctly, but now I wonder if I've caused myself some trouble.
Also I have a question about
> If you're using DMARC *only* your DMARC instance should reject after
SHOULD we be using DMARC *only*? If you do, and there's for example no DMARC policy published, but SPF/DKIM fails to validate, how do you properly reject in the absence of a DMARC record?
My inbound mail sees checks in the following order:
pre-queue
    pypolicy-spf
    headers
    clamav
    opendkim
    opendmarc
post-queue
    spam/content
Currently, SPF has this policy:
HELO_reject = Fail
Mail_From_reject = Fail
No_Mail = False
PermError_reject = True
TempError_Defer = False
OPENDKIM has
# On-Default
On-BadSignature accept
On-DNSError tempfail
On-InternalError tempfail
On-KeyNotFound accept
On-NoSignature accept
On-Security tempfail
On-SignatureError reject
& OPENDMARC
SPFIgnoreResults false
SPFSelfValidate false
I guess the first question is -- should we use DMARC *only*. And the answer helps direct the rest of the config?
I'd be interested in what configuration you run ...
Jas
Received on Tue Jun 21 2016 - 22:59:45 PST