redirect HOLD queue to alternate MTA??

Chi Min Wang
Hello Everyone:
       I am using OpenDKIM/OpenDMARC as some sort of anti-spam. 
OpenDMARC can handle DMARC p=none or p=reject without any problem. But
if p=quarantine, OpenDMARC just lets the incoming mail go to the Postfix
HOLD queue. Is it possible to let Postfix redirect incoming mail to an
alternate MTA when it gets smfir_quarantine from the milter? Thanks!!



Re: redirect HOLD queue to alternate MTA??

Benny Pedersen-2
Chi Min Wang wrote on 2019-11-05 04:31:
> Hello Everyone:
>       I am using OpenDKIM/OpenDMARC as some sort of anti spam. The
> OpenDMARC could handle DMARC p=none or p=reject without any problem.
> But if p=quarantine,OpenDMARC just let the incoming mail goes to
> Postfix HOLD queue. Is it possible to let Postfix redirect incoming
> mail alternate MTA when it got smfir_quarantine by milter?? Thanks!!

Why have you configured opendmarc to put anything on hold based on dmarc
when you now ask how to do something with it?

I solve it with:

main.cf
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_maps.cidr

/etc/postfix/smtpd_milter_maps.cidr
168.100.1.1                             DISABLE
168.100.1.3                             DISABLE
168.100.1.4                             DISABLE
168.100.1.7                             DISABLE
2604:8d00:0:1::1                        DISABLE
2604:8d00:0:1::3                        DISABLE
2604:8d00:0:1::4                        DISABLE
2604:8d00:0:1::7                        DISABLE

This disables all milters where the sender IP is the postfix maillist, and it
would protect against not accepting maillist flow when dmarc fails for some
reason. When domain owners post directly, it's still protected with dmarc
put on hold. I don't know if it's your problem yet; at least now I have
shared it again.

opendkim and opendmarc can themselves disable maillist checking, but I find
postfix more elegant :=)

Re: redirect HOLD queue to alternate MTA??

Noel Jones-2
In reply to this post by Chi Min Wang
On 11/4/2019 9:31 PM, Chi Min Wang wrote:
> Hello Everyone:
>        I am using OpenDKIM/OpenDMARC as some sort of anti spam. The
> OpenDMARC could handle DMARC p=none or p=reject without any problem.
> But if p=quarantine,OpenDMARC just let the incoming mail goes to
> Postfix HOLD queue. Is it possible to let Postfix redirect incoming
> mail alternate MTA when it got smfir_quarantine by milter?? Thanks!!

After a message is put on hold, the only postfix actions available
are to use postcat to view the raw message, or to either release or
delete the message with postsuper.

If you don't mind a little shell scripting, it's not very hard to
use postcat to extract the message and pipe it to sendmail with a
new recipient.

Or maybe just configure your milter to not quarantine messages.



   -- Noel Jones
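
Added example, not part of the original thread: one way to script the postcat-to-sendmail approach described in the reply above. The quarantine mailbox, the envelope sender and the sample queue listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Forward Postfix HOLD-queue mail to a quarantine mailbox (run as root with --run).
QUARANTINE_RCPT="quarantine@example.com"   # hypothetical quarantine mailbox
ENVELOPE_FROM="postmaster@example.com"     # hypothetical; bounces land here, not at a possibly forged sender

# Constructed sample of `postqueue -p` output ("!" = on hold, "*" = active).
sample_queue() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
4B1C2D3E4F!    2301 Tue Nov  5 04:31:02  sender@example.org
                                         user@example.com

5A6B7C8D9E*    1188 Tue Nov  5 04:32:10  list@example.net
                                         user@example.com

6F7A8B9C0D!     954 Tue Nov  5 04:40:45  MAILER-DAEMON
                                         user@example.com

-- 4 Kbytes in 3 Requests.
EOF
}

# Read a `postqueue -p` listing on stdin and print the queue IDs that are on hold.
held_ids() {
    awk '$1 ~ /^[0-9A-Za-z]+!$/ { sub(/!$/, "", $1); print $1 }'
}

# Re-inject one held message (headers + body) to the quarantine mailbox and
# delete the held copy only if extraction and submission both succeeded.
redirect_one() {
    tmp=$(mktemp) || return 1
    postcat -hb -q "$1" > "$tmp" && [ -s "$tmp" ] \
        && sendmail -i -f "$ENVELOPE_FROM" "$QUARANTINE_RCPT" < "$tmp" \
        && postsuper -d "$1" hold
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

main() {
    postqueue -p | held_ids | while read -r id; do
        redirect_one "$id" || echo "left on hold: $id" >&2
    done
}

# Without --run, only show which IDs would be picked from the constructed sample.
if [ "${1:-}" = "--run" ]; then main; else sample_queue | held_ids; fi
```

Mail submitted through sendmail(1) is filtered by non_smtpd_milters rather than smtpd_milters, so the re-injected copy is only held again if OpenDMARC is also listed there.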

Re: redirect HOLD queue to alternate MTA??

Chi Min Wang
In reply to this post by Benny Pedersen-2
Benny Pedersen wrote:

why have you configured opendmarc to put anything on hold based on dmarc when you now ask how to do something with it ?


OpenDMARC just informs Postfix to put the suspicious mail into its HOLD queue (Postfix's quarantine) without notifying anyone. So no one knows about this incident until the postmaster releases that mail from the HOLD queue. If Postfix could redirect the quarantined mail to an alternative MTA, we could deliver the suspicious mail to the user's quarantine. In my opinion, it would be more reasonable to treat suspicious mail in this manner rather than have it released by the postmaster.

Re: redirect HOLD queue to alternate MTA??

Matus UHLAR - fantomas
>   Benny Pedersen wrote:
>
>     why have you configured opendmarc to put anything on hold based on dmarc
>     when you now ask how to do something with it ?

On 06.11.19 10:30, Chi Min Wang wrote:
>   The OpenDMARC just informs Postfix to put the suspicious mail into its
>   HOLD queue(Postfix's quarantine) without notify anyone. So no one knows
>   this incident until postmaster release those mail from HOLD queue. If
>   Postfix could redirect the quarantined mail to alternative MTA,we could
>   deliver the suspicious mail to user's quarantine. In my opinion,it's will
>   be more reasonable to treat suspicious mail in this manner rather than
>   released by postmaster.

This looks like a job for a spam filter, not opendmarc.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

Re: redirect HOLD queue to alternate MTA??

Benny Pedersen-2
In reply to this post by Chi Min Wang
Chi Min Wang wrote on 2019-11-06 03:30:
> Benny Pedersen wrote:
>
>> why have you configured opendmarc to put anything on hold based on
>> dmarc when you now ask how to do something with it ?
>
> The OpenDMARC just informs Postfix to put the suspicious mail into its
> HOLD queue(Postfix's quarantine) without notify anyone.

start notifying domain owners with dmarc quarantine?

opendmarc does not put on hold at random

what will your opendmarc do on reject?

will it unsubscribe you from the postfix maillist if you reject maillists
with dmarc reject policy?

I have posted how to avoid that part of the problem

> So no one
> knows this incident until postmaster release those mail from HOLD
> queue.

this is not a postfix problem to solve, it's the opendmarc policy that needs
fixing so it does not just put things on hold without notifying postmasters

> If Postfix could redirect the quarantined mail to alternative
> MTA,we could deliver the suspicious mail to user's quarantine. In my
> opinion,it's will be more reasonable to treat suspicious mail in this
> manner rather than released by postmaster.

we talk about things from the postfix point of view on the postfix mailing list; if you
need more help with opendmarc then ask there on how to e.g. use lua in
opendmarc to solve more specific needs

Re: redirect HOLD queue to alternate MTA??

Benny Pedersen-2
In reply to this post by Matus UHLAR - fantomas
Matus UHLAR - fantomas wrote on 2019-11-06 10:26:

> this looks like a job for spam filter, not opendmarc.

opendmarc is not spam, it's forged protection

I have posted how to avoid dmarc reject on maillist