Whitelisting mail servers

Benny Pedersen me at junc.eu
Sun Nov 27 23:03:22 CET 2022


Nikolaos Milas wrote on 2022-11-27 19:35:
> On 24/11/2022 8:23 a.m., Patrick Ben Koetter wrote:
> 
>> I suggest to use valid DKIM signatures, if your bank sends DKIM signed
>> messages and use one or a list of policy banks to overrule (here: disable)
>> specific content classifications:
> 
> Hi Patrick and everyone who replied,
> 
> Thanks for your valuable feedback. No, unfortunately the Banks we are
> having issues with do not use DKIM signatures.
> 
> However, they are using *dedicated* mail servers, so I assume I can
> use @mynetworks to safely whitelist these. Isn't that right?
> 
> Regarding DMARC, I don't see amavis / spamassassin to be adjusting
> scoring using DMARC validation. Should such behavior be enabled
> somehow?
> 
> Patrick, for other cases with mails with DKIM signatures, please
> clarify: using @author_to_policy_bank_maps applies ONLY to valid
> DKIM-signed mails?
> 
> Would you suggest to also increase negative scoring of SPF_PASS
> (currently -0.1)?
> 
> Matus, you suggested to make an exception at the MTA level. I guess
> you mean something like (in Postfix):
> 
>> smtpd_recipient_restrictions = reject_invalid_hostname,
>>     reject_unauth_pipelining,
>>     permit_mynetworks,
>>     permit_sasl_authenticated,
>>     reject_unauth_destination,
>>     check_client_access hash:/etc/postfix/rbl_override,

An alternative is

smtpd_milter_maps=

This will work if amavisd is used as a milter.

>> ...
> 
> where /etc/postfix/rbl_override is:
> 
>> 1.2.3.4 OK
>> 1.2.3.5 OK
>> mail.freemailer.tld OK
> 
> Right?

IPs are fine in that map, lost how secure a hostname is

For smtpd_milter_maps, change the content in rbl_override:

1.2.3.4 DISABLE
1.2.3.5 DISABLE

If you used fuglu, life would be easier.
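
Added example, not part of the original message and not taken from the Postfix or amavis projects: the two mechanisms discussed in this thread side by side, showing that an `OK` in the access map only skips the remaining SMTP restrictions while `DISABLE` in `smtpd_milter_maps` keeps the mail away from the milter. The milter socket address and the file name `milter_bypass.cidr` are assumptions; the client addresses are the placeholders used in the thread.

```conf
# /etc/postfix/main.cf

# Assumption: amavisd is attached as a milter. The socket below is a
# placeholder, not a value from this thread.
smtpd_milters = inet:127.0.0.1:8899

# Per-client override of smtpd_milters, looked up by the remote SMTP
# client IP address (Postfix 3.2 and later). Hostnames are not looked up
# here, so only addresses and networks belong in this table.
# A separate file is used because rbl_override needs "OK" on the right-hand
# side while this table needs "DISABLE" or a milter list.
smtpd_milter_maps = cidr:/etc/postfix/milter_bypass.cidr

# Access map as quoted in the thread. It sits after
# reject_unauth_destination, so an OK result cannot permit relaying;
# it only skips the restrictions that follow it in this list.
# Mail accepted this way is still handed to the milters above.
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/rbl_override

# /etc/postfix/milter_bypass.cidr  (hypothetical file name)
# cidr: tables are read as plain text, no postmap build step is needed.
# DISABLE switches off every milter in smtpd_milters for that client,
# including any DKIM or DMARC milter. To keep some of them, put the
# reduced milter list on the right-hand side instead of DISABLE.
1.2.3.4/32    DISABLE
1.2.3.5/32    DISABLE
```

`postmap -q 1.2.3.4 cidr:/etc/postfix/milter_bypass.cidr` should print `DISABLE` before the change is activated with `postfix reload`.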


More information about the amavis-users mailing list