<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix"><font face="monospace">On 24/11/2022
        8:23 π.μ., Patrick Ben Koetter wrote:<br>
      </font></div>
    <blockquote type="cite"
      cite="mid:20221124062309.cgi2he563sl33uio@sys4.de">
      <pre class="moz-quote-pre" wrap="">I suggest to use valid DKIM signatures, if your bank sends DKIM signed
messages and use one or a list of policy banks to overrule (here: disable)
specific content classifications:</pre>
    </blockquote>
    <p><font face="monospace">Hi Patrick and everyone who replied,</font></p>
    <p><font face="monospace">Thanks for your valuable feedback. No,
        unfortunately the Banks we are having issues with do not use
        DKIM signatures. <br>
      </font></p>
    <p><font face="monospace">However, they are using *dedicated* mail
        servers, so I assume I can use @mynetworks to safely whitelist
        these. Isn't that right?<br>
      </font></p>
    <p><font face="monospace">Regarding DMARC, I don't see amavis /
        spamassassin to be adjusting scoring using DMARC validation.
        Should such behavior be enabled somehow? <br>
      </font></p>
    <p><font face="monospace">Patrick, for other cases with mails with
        DKIM signatures, please clarify: using
        @author_to_policy_bank_maps applies ONLY to valid DKIM-signed
        mails? <br>
      </font></p>
    <p><font face="monospace"></font></p>
    <p><font face="monospace">Would you suggest to also increase
        negative scoring of SPF_PASS (currently -0.1)?<br>
      </font></p>
    <p><font face="monospace">Matus, you suggested to make an exception
        at the MTA level. I guess you mean something like (in Postfix):
        <br>
      </font></p>
    <blockquote>
      <pre>smtpd_recipient_restrictions = reject_invalid_hostname,
                               reject_unauth_pipelining,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               check_client_access hash:/etc/postfix/rbl_override,
                               ...
</pre>
    </blockquote>
    <pre>where /etc/postfix/rbl_override is:
</pre>
    <blockquote>
      <pre>1.2.3.4 OK
1.2.3.5 OK
mail.freemailer.tld OK
</pre>
    </blockquote>
    <p><font face="monospace">Right?</font></p>
    <font face="monospace">Thank you all,</font><font face="monospace"><br>
      Nick<br>
    </font>
    <pre>
</pre>
    <blockquote>
      <pre>
</pre>
    </blockquote>
    <p>
    </p>
  </body>
</html>