NetBSD-Users archive


Re: postfix for 2 domains on 1 vps 1 ip



Bob Proulx <bob%proulx.com@localhost> writes:

> Mailing lists have one very important need and that is to look for
> DMARC.  A number of sites set "v=DMARC1; p=quarantine;" but notably
> for me the sites that set "v=DMARC1; p=reject; sp=reject;" are the
> problems.
>
>     $ host -t txt _dmarc.yahoo.com
>     _dmarc.yahoo.com descriptive text "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua%yahoo.com@localhost;";
>
>     $ host -t txt _dmarc.zoho.eu
>     _dmarc.zoho.eu descriptive text "v=DMARC1; p=reject; sp=reject; fo=0; rua=mailto:dmarc.reports.eu%zoho.eu@localhost; ruf=mailto:dmarc.reports.eu%zoho.eu@localhost";
>
> This means that mail with a From: header of @yahoo.com will be
> rejected by servers unless it is either sent by Yahoo's servers or the
> DKIM signature is verified.  A signed DKIM signature means the headers
> and body have not been modified.

I have never been 100% clear on DMARC.  Do you really mean "or", so that
a message which has a valid DKIM signature but which fails the SPF check
is still acceptable?

> If the sending address site has set a strict DMARC configuration then
> you basically have two options.  One is to modify the headers and
> forward it through the mailing list.  Or two it can be discarded or
> rejected.  Forwarding a message from a sender site with strict DMARC
> set will be seen as a forgery by the recipient site receiving the
> mailing list and many sites, Google for one, will reject those
> messages.

If valid DKIM is ok, then you have a third option: Do not modify the
message.  Specifically, do not add a subject tag and do not add a
footer.

I believe the NetBSD lists operate this way.

I find the sender rewriting icky.   If it rewrote to a per-user
forwarding address at the mail host, so that sending to that address
went only to the user, that would be ok, but combined with incorrect
List Reply-To: it becomes all too easy for private replies to end up on
lists.   To me that is a bigger problem than just not allowing addresses
with strict DMARC policies to be on lists :-)

Attachment: signature.asc
Description: PGP signature
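As an added illustration of the point being argued in this reply, here is a small DMARC record parser and policy evaluator written against RFC 7489. It is not code from the thread or from any of the projects named in it; the two DMARC records are the ones quoted above, while the list domain `lists.example.org`, the scenario names and the two-label organizational-domain shortcut are constructed assumptions. It shows the "or" directly: DMARC passes when either an aligned SPF result or an aligned DKIM result passes, so an unmodified message with a valid yahoo.com DKIM signature survives relaying even though SPF cannot align, while a subject tag or footer that breaks the signature sends the message to `p=reject`. It also shows `sp=` falling back to `p=` when the record omits it.

```python
# Added example, not part of the thread: a minimal DMARC record parser and
# policy evaluator per RFC 7489.  The two records are the ones quoted in the
# thread; the list domain and the org-domain shortcut are assumptions.

# Records as quoted in the thread (address obfuscation kept as on the page).
SAMPLE_RECORDS = {
    "yahoo.com": "v=DMARC1; p=reject; pct=100; "
                 "rua=mailto:dmarc_y_rua%yahoo.com@localhost;",
    "zoho.eu": "v=DMARC1; p=reject; sp=reject; fo=0; "
               "rua=mailto:dmarc.reports.eu%zoho.eu@localhost; "
               "ruf=mailto:dmarc.reports.eu%zoho.eu@localhost",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, filling in RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' as in the yahoo.com record
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organizational domain.  Simplification: the last two labels.  Real
    receivers consult the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, record_domain, txt, spf_domain=None,
             spf_result="none", dkim_domain=None, dkim_result="none"):
    """Return (dmarc_result, disposition).

    from_domain   - domain of the RFC5322.From header
    record_domain - domain the record was published at (the From domain
                    itself, or its organizational domain for a subdomain)
    spf_domain    - domain SPF was checked against (MAIL FROM / HELO)
    dkim_domain   - d= of a DKIM signature that verified
    DMARC passes if EITHER the SPF result OR the DKIM result is 'pass' AND
    that identifier is aligned with the From domain; one is enough.
    """
    rec = parse_dmarc(txt)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, rec["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, rec["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failure: apply p= for the domain itself, sp= for a subdomain.
    # (pct= would sample only a fraction of failures; ignored here.)
    is_subdomain = from_domain.lower() != record_domain.lower()
    return "fail", (rec["sp"] if is_subdomain else rec["p"])


def mailing_list_scenarios():
    """Constructed mailing-list relay: From: someone@yahoo.com, envelope
    sender rewritten to the hypothetical list domain lists.example.org, so
    SPF can never align.  Only DKIM can carry the message through."""
    rec = SAMPLE_RECORDS["yahoo.com"]
    common = dict(spf_domain="lists.example.org", spf_result="pass")
    return {
        # list left headers and body alone: DKIM still verifies
        "unmodified": evaluate("yahoo.com", "yahoo.com", rec,
                               dkim_domain="yahoo.com", dkim_result="pass",
                               **common),
        # list added a subject tag or footer: DKIM signature broken
        "subject_tagged": evaluate("yahoo.com", "yahoo.com", rec,
                                   dkim_domain="yahoo.com", dkim_result="fail",
                                   **common),
        # list re-signed with its own key: verifies, but d= is not aligned
        "list_resigned": evaluate("yahoo.com", "yahoo.com", rec,
                                  dkim_domain="lists.example.org",
                                  dkim_result="pass", **common),
    }


if __name__ == "__main__":
    for name, result in mailing_list_scenarios().items():
        print(f"{name:15s} -> dmarc={result[0]}, disposition={result[1]}")
```

Running it prints one line per scenario; only `unmodified` passes, and both of the others end in `reject` because the yahoo.com record publishes `p=reject`. The `list_resigned` case is the reason a list signing with its own key does not help on its own: the signature verifies, but its `d=` is not aligned with the From domain, which is exactly why From rewriting is the usual workaround.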


