trusteddomainproject / OpenDMARC

This is the Trusted Domain Project's implementation of the DMARC protocol library and mail filter, called OpenDMARC. A "milter" connects to unix-based mailers (originally sendmail, but now many) and provides a standard filtering API.

policy Override #36

Closed kenfc closed 5 years ago

kenfc commented 5 years ago

I suppose this would be more of an enhancement patch request than a bug fix. I do apologize, but didn't know where else to post.

I'm currently running OpenDMARC 1.3.2 and recently applied patches which included an MLM override which I was hoping would resolve my issue, but alas it appears it's meant to work with domains using email lists.

In my configuration, policies are enforced, with quarantine policies being held for review. This is intentional as I see a lot of spam getting caught rather than being delivered which to me, is a good thing.

I am also seeing legitimate mail get rejected or quarantined due to issues on the sender side. These are valid actions, however some of these emails have been critical and/or time sensitive in nature.

It would be nice to be able to use a file which would contain a list of optional domains which OpenDMARC could check and override reject/quarantine policies for listed domains.

I see the flow as being something along the lines of:

Email fails verification > Reject/Quarantine policy found > List checked

Match Found > Override logged > Message delivered

No Match Found > Policy enforced

If the MLM patch is supposed to do this for any domain, then there might be a bug as it's not working for me.

I do thank you for your time in reading this, and for everybody's effort with OpenDMARC.

Ken

dilyanpalauzov commented 5 years ago

See the configuration options IgnoreHosts and IgnoreMailFrom.

kenfc commented 5 years ago

Thank you for the reply,

I'm aware of those options and they are in use, but to my knowledge (and please correct me if I'm wrong) these methods will not report that an override was made against their posted policy.

There's an issue with domains using Office 365 and DMARC fails because of it.

My thoughts are that by notifying the domains that there has been a failure but an override was given perhaps Microsoft will fix their bug.

It was just a thought
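Added example (not part of the thread and not OpenDMARC code): a sketch of the requested flow that enforces the published policy unless an override entry matches, and records the override as a `local_policy` reason in an RFC 7489 aggregate-report record so the domain owner sees it. The override list, its host-suffix pinning and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed override list: header-From domain -> required suffix of the
# connecting client's verified hostname (assumed to be forward-confirmed
# reverse DNS). The host is pinned because the From domain of a message
# that failed DMARC is unauthenticated and cannot be trusted by itself.
OVERRIDES = {"partner.example": ".mail-out.example.net"}

def evaluate(from_domain, client_host, dmarc_pass, policy):
    """Return (disposition, reason) for one message; reason is None or
    a (type, comment) pair using RFC 7489 PolicyOverrideType values."""
    domain = from_domain.lower().rstrip(".")
    if dmarc_pass or policy == "none":
        return "none", None
    suffix = OVERRIDES.get(domain)
    if suffix and client_host.lower().endswith(suffix):
        # Match found: deliver, but keep the override visible in reporting.
        return "none", ("local_policy", "override list match for " + domain)
    return policy, None  # no match: enforce the published policy

def report_record(source_ip, from_domain, dkim, spf, disposition, reason):
    """Build one aggregate-report <record>; <auth_results> is omitted
    here for brevity, a full report must include it."""
    rec = ET.Element("record")
    row = ET.SubElement(rec, "row")
    ET.SubElement(row, "source_ip").text = source_ip
    ET.SubElement(row, "count").text = "1"
    pe = ET.SubElement(row, "policy_evaluated")
    ET.SubElement(pe, "disposition").text = disposition
    ET.SubElement(pe, "dkim").text = dkim
    ET.SubElement(pe, "spf").text = spf
    if reason:
        r = ET.SubElement(pe, "reason")
        ET.SubElement(r, "type").text = reason[0]
        ET.SubElement(r, "comment").text = reason[1]
    ids = ET.SubElement(rec, "identifiers")
    ET.SubElement(ids, "header_from").text = from_domain
    return ET.tostring(rec, encoding="unicode")

if __name__ == "__main__":
    # Constructed sample: DMARC fails, published policy is reject.
    disp, why = evaluate("partner.example", "smtp1.mail-out.example.net",
                         False, "reject")
    print(report_record("192.0.2.10", "partner.example", "fail", "fail",
                        disp, why))
```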

dilyanpalauzov commented 5 years ago

What is the issue with Office365?

Perhaps Microsoft is not going to fix their bug. You likely sent them a report already; if this does not help, then more reports will not help either. Today it was posted on the ietf-smtp mailing list that Microsoft does not do well with DKIM. So I conclude Microsoft is aware of all of this. And you can take the ruf= address from an office365 dmarc domain report and write a “manual” report there.

Besides, Microsoft discontinued sending aggregate reports; this is likely for a reason. Guess what the reason is.

kenfc commented 5 years ago

You've got a point, I didn't consider that.

I'll go ahead and close this.

dilyanpalauzov commented 5 years ago

Can you tell me what the issue with Office365 precisely is and when does it trigger?

kenfc commented 5 years ago

Your comment pretty much summed it up lol

DMARC fails for domains that appear to be using Office 365 for their email. DKIM verification fails due to problems with their headers. I only see the issue with those types of domains.

It was discussed a little on the OpenDKIM list: http://lists.opendkim.org/archive/opendkim/users/2019/01/3794.html

kenfc commented 5 years ago

Though I can't say it's not related to Exchange as well or instead of O365