Re: Opendkim on-(error) configs for production systems?

From: <jasonsu_at_mail-central.com>
Date: Tue, 21 Jun 2016 15:59:32 -0700

Andreas

I understand your principle, kind of, but think I don't understand what

        On-SignatureError

implies. I'd appreciate getting this straightened out. It seems to me that most of my checking is working correctly, but now I wonder if I've caused myself some trouble.

Also I have a question about

> If you'r using DMARC *only* your DMARC instance should reject after

SHOULD we be using DMARC *only*? If you do, and there's for example no DMARC policy published, but SPF/DKIM fails to validate, how do you properly reject in the absence of a DMARC record?


My inbound mail sees checks in the following order

        pre-queue
                pypolicy-spf
                headers
                clamav
                opendkim
                opendmarc

        post-queue
                spam/content

currently, SPF has this policy

        HELO_reject = Fail
        Mail_From_reject = Fail
        No_Mail = False
        PermError_reject = True
        TempError_Defer = False

OPENDKIM has

        # On-Default
        On-BadSignature accept
        On-DNSError tempfail
        On-InternalError tempfail
        On-KeyNotFound accept
        On-NoSignature accept
        On-Security tempfail
        On-SignatureError reject

& OPENDMARC

        SPFIgnoreResults false
        SPFSelfValidate false

I guess the first question is -- should we use DMARC *only*. And the answer helps direct the rest of the config?

I'd be interested in what configuration you run ...

Jas
Received on Tue Jun 21 2016 - 22:59:45 PST
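Added illustration, not code from this thread or from the opendkim/opendmarc projects: it walks a few constructed inbound messages through the stage order the post lists (pypolicyd-spf, then opendkim, then opendmarc) using the exact knob values the post gives, and records which stage makes the final decision. In opendkim.conf, On-SignatureError governs a signature that is present but cannot be processed (for example a malformed DKIM-Signature header), while On-BadSignature governs one that parses but fails verification; the example keeps those two as separate conditions. The outcome labels, the alignment fields on each sample, and the rule that DMARC is consulted only if the earlier stages accepted are assumptions of this example.

```python
"""Simulate the post's SPF -> opendkim -> opendmarc order over constructed
messages.  Knob values are copied from the post; everything else (outcome
labels, alignment fields, DMARC-last fallback) is an assumption here."""

# pypolicyd-spf settings from the post
SPF_POLICY = {
    "HELO_reject": "Fail",
    "Mail_From_reject": "Fail",
    "No_Mail": False,
    "PermError_reject": True,
    "TempError_Defer": False,
}

# opendkim On-* actions from the post (On-Default left unset)
OPENDKIM_ON = {
    "BadSignature": "accept",    # signature parsed but did not verify
    "DNSError": "tempfail",
    "InternalError": "tempfail",
    "KeyNotFound": "accept",
    "NoSignature": "accept",
    "Security": "tempfail",
    "SignatureError": "reject",  # signature present but cannot be processed
}


def spf_stage(helo, mfrom):
    """pypolicyd-spf verdict for the HELO and MAIL FROM SPF results.
    Results are the usual SPF strings: pass, fail, softfail, neutral,
    none, permerror, temperror."""
    for result, knob in ((helo, "HELO_reject"), (mfrom, "Mail_From_reject")):
        if result == "fail" and SPF_POLICY[knob] == "Fail":
            return "reject"
        if result == "permerror" and SPF_POLICY["PermError_reject"]:
            return "reject"
        if result == "temperror" and SPF_POLICY["TempError_Defer"]:
            return "defer"
    return "accept"


def dkim_stage(condition):
    """opendkim action for a verification condition: "pass" or one of the
    On-* names without the prefix (BadSignature, SignatureError, ...)."""
    if condition == "pass":
        return "accept"
    return OPENDKIM_ON[condition]


def dmarc_stage(policy, spf_aligned, dkim_aligned):
    """opendmarc action.  `policy` is the published p= value, or None when
    the From: domain publishes no DMARC record at all."""
    if policy is None:
        return "no-policy"          # nothing for DMARC to enforce
    if spf_aligned or dkim_aligned:
        return "accept"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]


def evaluate(msg):
    """Run the stages in the post's order; the first non-accept verdict wins.
    Returns (stage, action)."""
    action = spf_stage(msg["helo_spf"], msg["mfrom_spf"])
    if action != "accept":
        return ("spf", action)
    action = dkim_stage(msg["dkim"])
    if action != "accept":
        return ("dkim", action)
    action = dmarc_stage(
        msg["dmarc_policy"],
        msg["mfrom_spf"] == "pass" and msg["spf_aligned"],
        msg["dkim"] == "pass" and msg["dkim_aligned"],
    )
    return ("dmarc", action)


# Constructed samples (not real traffic); alignment flags are assumptions.
SAMPLES = {
    # Forwarded mail: SPF fails at the forwarder, DKIM still passes, p=none.
    "forwarded": dict(helo_spf="pass", mfrom_spf="fail", dkim="pass",
                      spf_aligned=False, dkim_aligned=True, dmarc_policy="none"),
    # Malformed DKIM-Signature header, sender has no DMARC record.
    "broken_sig": dict(helo_spf="pass", mfrom_spf="pass", dkim="SignatureError",
                       spf_aligned=True, dkim_aligned=False, dmarc_policy=None),
    # Signature fails to verify, nothing aligned, sender publishes p=reject.
    "unaligned": dict(helo_spf="none", mfrom_spf="none", dkim="BadSignature",
                      spf_aligned=False, dkim_aligned=False, dmarc_policy="reject"),
    # Signature fails to verify and there is no DMARC record to fall back on.
    "no_record": dict(helo_spf="pass", mfrom_spf="none", dkim="BadSignature",
                      spf_aligned=False, dkim_aligned=False, dmarc_policy=None),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:11s} -> {evaluate(msg)}")
```

Two of the samples speak to the questions in the post. "forwarded" is rejected by the SPF stage before opendmarc ever sees it, even though the DMARC record (p=none) plus an aligned DKIM pass would have accepted it; that is the case a DMARC-only setup leaves to DMARC. "no_record" shows the other side: with no DMARC record there is nothing for opendmarc to enforce, so the decision rests entirely on the local On-* and SPF settings, and under the posted values a failed signature is accepted while an unprocessable one is rejected.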