Split DKIM checks into separate rules
Errors now distinguish between a missing DKIM signature, a missing DNS entry, and an invalid DKIM signature.
parent
d575d62b18
commit
700256c273
@ -1,19 +1,32 @@
|
|||||||
rules {
|
rules {
|
||||||
# Reject on missing or invalid DKIM signature.
|
## Reject on missing or invalid DKIM signatures.
|
||||||
#
|
##
|
||||||
# We require DKIM signature on incoming mails regardless of DMARC policy.
|
## We require DKIM signature on incoming mails regardless of DMARC policy.
|
||||||
#
|
|
||||||
# - R_DKIM_REJECT: DKIM reject inserted by `dkim` module.
|
# R_DKIM_REJECT: DKIM reject inserted by `dkim` module.
|
||||||
# - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
|
REJECT_INVALID_DKIM {
|
||||||
# - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
|
|
||||||
REJECT_DKIM {
|
|
||||||
action = "reject";
|
action = "reject";
|
||||||
expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA";
|
expression = "R_DKIM_REJECT";
|
||||||
message = "Rejected due to missing or invalid DKIM signature";
|
message = "Rejected due to invalid DKIM signature";
|
||||||
}
|
}
|
||||||
|
|
||||||
# Reject on SPF failure.
|
# R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
|
||||||
#
|
REJECT_PERMFAIL_DKIM {
|
||||||
|
action = "reject";
|
||||||
|
expression = "R_DKIM_PERMFAIL";
|
||||||
|
message = "Rejected due to missing DKIM DNS entry";
|
||||||
|
}
|
||||||
|
|
||||||
|
# No DKIM signature (R_DKIM_NA symbol inserted by `dkim` module).
|
||||||
|
REJECT_MISSING_DKIM {
|
||||||
|
action = "reject";
|
||||||
|
expression = "R_DKIM_NA";
|
||||||
|
message = "Rejected due to missing DKIM signature";
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## Reject on SPF failure.
|
||||||
|
|
||||||
# - SPF failure (R_SPF_FAIL)
|
# - SPF failure (R_SPF_FAIL)
|
||||||
# - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
|
# - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
|
||||||
REJECT_SPF {
|
REJECT_SPF {
|
||||||
@ -29,6 +42,7 @@ rules {
|
|||||||
message = "Rejected due to DMARC policy";
|
message = "Rejected due to DMARC policy";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Do not reject if:
|
# Do not reject if:
|
||||||
# - R_DKIM_TEMPFAIL, it is a DNS resolution failure
|
# - R_DKIM_TEMPFAIL, it is a DNS resolution failure
|
||||||
# and we do not want to lose messages because of faulty network.
|
# and we do not want to lose messages because of faulty network.
|
||||||
|
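Review bot: The reject text on `REJECT_PERMFAIL_DKIM` states one cause as fact, while the comment above that rule gives "no DKIM DNS record found" only as an example of what `R_DKIM_PERMFAIL` covers. If the `dkim` module also raises that symbol for other permanent failures (the "e.g." suggests so), a sender or operator reading the bounce would be sent to check DNS for a problem that lies elsewhere. A message such as `message = "Rejected due to permanent DKIM failure (e.g. missing DKIM DNS entry)";` keeps the three rules distinguishable without overclaiming.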