content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: add footnote about postfix-policyd-spf-perl being executed after opendmarc

revsuine 2024-11-25 00:49:20 +00:00
parent 754a1eb803
commit 54f2e52bbc
Signed by: revsuine
GPG key ID: 3F257B68F5BC9339

@ -1334,7 +1334,7 @@ The `fo` tag indicates when you would like to receive reports. The options are:
</tr>
</table>
### OpenDMARC
### OpenDMARC[^spf_processing_redundancy]
We can use software called OpenDMARC to enforce DMARC policies for incoming mail. OpenDMARC is another milter. Let's
install it and enable its service:
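Review bot: The footnote marker is attached to the heading text itself (`### OpenDMARC[^spf_processing_redundancy]`), so the reference becomes part of the heading and may carry over into anything derived from it, such as a generated section anchor or a table-of-contents entry. Consider leaving the heading as `### OpenDMARC` and moving the marker to the end of the first sentence below it: `...enforce DMARC policies for incoming mail.[^spf_processing_redundancy]`.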
@ -1444,14 +1444,16 @@ Restart Postfix for the changes to take effect:
And when you receive emails from a legitimate source that implements DMARC, you should see the following headers in
your emails:
```
<pre id="double-spf-headers">
<code>
Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched)) receiver=master.revsuine.xyz; identity=mailfrom; envelope-from="revsuine@protonmail.com"; helo=mail-40130.protonmail.ch; client-ip=185.70.40.130
DMARC-Filter: OpenDMARC Filter v1.4.2 master.revsuine.xyz 88CFF1288D1
Authentication-Results: OpenDMARC; dmarc=pass (p=quarantine dis=none) header.from=protonmail.com
Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=protonmail.com
Authentication-Results: master.revsuine.xyz;
dkim=pass (2048-bit key; secure) header.d=protonmail.com header.i=@protonmail.com header.a=rsa-sha256 header.s=protonmail3 header.b=nc4YWVM/
```
</code>
</pre>
<!--
TODO: switch SPF filter to a milter e.g. https://www.acme.com/software/spfmilter/ so that SPF isn't checked twice
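Review bot: Swapping the fence for raw `<pre id="double-spf-headers">` and `<code>` means Markdown no longer escapes the header sample, and the line break after `<code>` is kept as a leading blank line in the rendered block. The sample contains no `<` or `&` today, but a later edit that pastes a header with an angle-bracketed address would be parsed as markup. Keeping the original fence and putting an empty anchor such as `<a id="double-spf-headers"></a>` on the line above it gives the footnote its link target without either problem.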
@ -1857,3 +1859,26 @@ admins can submit their domain and IP address to indicate trustworthiness.
to find out where this file should be.
[^spf_processing_redundancy]: The OpenDMARC milter will be run before the SPF policy daemon, meaning that OpenDMARC
must do its own SPF checking. This makes postfix-policyd-spf-perl redundant, and results in multiple SPF checks in
our email headers (e.g. see email headers [here](#double-spf-headers)).
To get around this, you'd probably have to use a milter to validate SPF, and just list the milter before OpenDMARC.
I had a bit of a look around for SPF milters and found [ACME's
spfmilter](https://www.acme.com/software/spfmilter/), but had issues compiling it on Alpine; it complained about
```
spfmilter.c:1623:2: error: #error "neither libspf nor libspf2 is present - please provide one"
1623 | #error "neither libspf nor libspf2 is present - please provide one"
| ^~~~~
```
despite having `libspf2` installed. Potentially this is a musl issue, but I'm doubtful that a project like this
would be tied to glibc specifically.
I tried compiling it on Artix Linux and it compiled just fine with the right dependencies installed, so the program
does compile.
If anyone can either [suggest](/contact) a way to get ACME's spfmilter to compile on Alpine, or an alternative
solution to this problem, that would be helpful.
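Review bot: The footnote calls postfix-policyd-spf-perl redundant but never tells the reader what to do in the meantime: keep both checks and accept the duplicate SPF results in the headers, or drop the policy daemon and rely on OpenDMARC's own SPF check. One sentence stating which setup the tutorial recommends until an SPF milter is in place would close that gap. The link text `[here](#double-spf-headers)` could also name its target, for example `[the sample headers](#double-spf-headers)`, and the `TODO` comment under the header sample now repeats what this footnote says, so one of the two could go.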