Barry Warsaw writes:

> On Jul 11, 2013, at 03:23 AM, Stephen J. Turnbull wrote:
>
> > This is somewhat problematic. DMARC results are potentially trivalent. If action is "reject" and pct is less than 100, some hits are "rejects" and some are "quarantine". Misses are misses. So I guess you do this with a chain of two rules, the first one verifying the message and if that hits (i.e., verification fails) the second one rolls the dice for pct.
>
> While ugly, that might be the best we can do for now.

Verbose, yes. Is it really ugly, though? I don't know how much you were directly influenced by iptables and SIEVE, but the idea of rule chains as a way to very flexibly configure filters has been implemented many times. The model is very simple and completely flexible.

> Instead it would jump to a custom (terminal) chain that made the more specific determination of whether to reject or hold the message.

This is pretty much what I was suggesting.

> > Silent discards without content analysis make me queasy.
>
> Of course, we'd likely log and fire an event, so at least it wouldn't happen completely silently.

No, but it might be many days before the originator gets around to asking why their message hasn't appeared.

> Yep. There is some limited ability to do additional checking at LMTP time, but this isn't pluggable currently.

Does LMTP provide the necessary ability to reject?
Steve
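The two-rule chain discussed in the thread, as an added example that is not code from the thread or from Mailman itself: a verification rule that, on a hit, jumps to a terminal rule which "rolls the dice" for pct and maps the effective DMARC policy to a list action. The `DMARCResult` record, the rule function names and the `accept`/`hold`/`reject` action names are assumptions made for this example; the pct split (sampled messages get the published policy, the rest the next less strict one) follows RFC 7489 section 6.6.4.

```python
import random
from dataclasses import dataclass
from typing import Optional

# Constructed record of what a DMARC check on an incoming post produced.
# The field names are assumptions for this example, not Mailman msgdata keys.
@dataclass
class DMARCResult:
    domain: str      # RFC5322.From domain that published the policy
    policy: str      # the domain's p= tag: 'none', 'quarantine' or 'reject'
    pct: int         # the domain's pct= tag, 0..100 (100 when absent)
    passed: bool     # True if SPF or DKIM passed with identifier alignment

# RFC 7489 section 6.6.4: messages outside the pct sample get the next less
# strict policy rather than being treated as if no policy were published.
LESS_STRICT = {'reject': 'quarantine', 'quarantine': 'none', 'none': 'none'}

# How the list treats a message under each effective policy (assumed action
# names; "quarantine" becomes a moderator hold, as the thread describes).
ACTION_FOR_POLICY = {'reject': 'reject', 'quarantine': 'hold', 'none': 'accept'}

def dmarc_verify_rule(result: DMARCResult) -> bool:
    """First rule in the chain: hits (returns True) when verification fails."""
    return not result.passed

def dmarc_pct_rule(result: DMARCResult, roll: int) -> str:
    """Terminal rule: roll the dice for pct. `roll` is a uniform integer in
    [0, 100); it is passed in so callers and tests can fix the outcome."""
    if roll < result.pct:
        return result.policy
    return LESS_STRICT[result.policy]

def run_dmarc_chain(result: DMARCResult, roll: Optional[int] = None) -> str:
    """Model of the two-rule chain: verify, and on a hit jump to the pct rule.
    Returns the action the list should take: 'accept', 'hold' or 'reject'."""
    if not dmarc_verify_rule(result):
        return 'accept'                       # miss: the message verified
    if roll is None:
        roll = random.randrange(100)          # one roll per failing message
    return ACTION_FOR_POLICY[dmarc_pct_rule(result, roll)]

if __name__ == '__main__':
    # Constructed sample: p=reject with pct=30, verification failed.
    failed = DMARCResult('example.com', 'reject', 30, passed=False)
    # roll 10 falls inside the 30% sample (reject); roll 75 does not (hold).
    print(run_dmarc_chain(failed, roll=10), run_dmarc_chain(failed, roll=75))
```

Whatever the roll produces, the hold path still leaves a moderator to look at the message, which is the content analysis the thread wants before anything is discarded.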