perfect server configuration and dkim/spf verification

Discussion in 'ISPConfig 3 Priority Support' started by tr909192, Apr 27, 2022.

  1. tr909192

    tr909192 Member HowtoForge Supporter

    Dear,

    On our perfect server configuration setup (Debian 10, with amavis) we have seen that the DKIM/SPF verification on inbound mail is not completed most of the time.
    Basically, an email for a local domain with DKIM and SPF records enabled is accepted even if that email is sent from a server not included in the SPF record nor with DKIM enabled.
    In order to debug that problem, can you point us in the right direction on where to start debugging?

    In the amavis configuration file we see that the flag `$enable_dkim_verification = 1` is enabled, but nothing related to the SPF check, in either postfix or amavis.

    Does the perfect server configuration check the SPF and DKIM records of the local domains for inbound mail?
    Ty
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I believe spamassassin checks both, but unsure about amavis itself. What do you get in mail.log for such a message, and what are the resulting message headers?
     
  3. tr909192

    tr909192 Member HowtoForge Supporter

    I did some more debugging. The SPF (and DKIM) verification goes through postfix, with check_policy_service in the configuration variable
    smtpd_recipient_restrictions. We forward the check_policy_service to an external server that runs a cluebringer/policyd instance, and from there we can enable (or disable) the SPF check for incoming email. policyd does not support DKIM at this time.
    What is strange to me is that the perfect configuration setup (or the autoinstaller) does not make any kind of check for SPF and DKIM on inbound/incoming email.
    This, in my opinion, is wrong.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Both the perfect server and the autoinstaller setup would use the spam scanner (rspamd or amavis+spamassassin) for checking spf and dkim. This allows more flexibility (you should at least not reject for SPF failures if the sending domain is using DMARC), and you can configure it locally to be more restrictive. It does of course imply that adding a spamfilter whitelist will probably bypass spf and dkim checks, which may bother the more pedantic, and perhaps this is "wrong" but it is the current state of affairs. You might look into using rspamd, which runs as a milter; you could configure dmarc and/or dkim failures to reject in smtp if you like (though it does not do so by default).
     
  5. tr909192

    tr909192 Member HowtoForge Supporter

    Well, as far as I can see in my perfect server setup, I can confirm that my local amavis+spamassassin configuration does not control any SPF or DKIM on inbound email, as everything checked about SPF belongs to my external policyd instance. Having removed the SPF check from there, nothing happens.

    Are you sure that SPF and DKIM are checked by default on an amavis+spamassassin setup?
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I can't say without installing a new system, but it certainly is checked on our last remaining amavis+spamassassin box. Maybe check all your /etc/spamassassin/*.pre files to see what all is enabled (where all the default spamassassin tests are enabled and/or configured for your local setup), e.g. /etc/spamassassin/init.pre loads SPF and /etc/spamassassin/v312.pre loads DKIM.
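
One way to run the `*.pre` check suggested in the last reply, as an added example that is not part of the original thread: it reports whether an active `loadplugin` line for the SPF and DKIM plugins exists and distinguishes a commented-out line from a missing one. The function names and the temporary sample files are constructed for illustration; the default directory is the one named in the reply.

```shell
#!/bin/sh
# Added example: report whether SpamAssassin's SPF and DKIM plugins are
# loaded by any *.pre file in a configuration directory.

# plugin_status DIR NAME -> "enabled <file>", "commented <file>" or "missing"
plugin_status() {
    plugin="Mail::SpamAssassin::Plugin::$2"
    tail_re="[[:space:]]+${plugin}([[:space:]]|\$)"
    commented=""
    for f in "$1"/*.pre; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*loadplugin${tail_re}" "$f"; then
            echo "enabled $f"
            return 0
        fi
        # Remember a commented-out line, but keep looking for an active one
        if grep -Eq "^[[:space:]]*#[[:space:]]*loadplugin${tail_re}" "$f"; then
            commented=$f
        fi
    done
    if [ -n "$commented" ]; then echo "commented $commented"; else echo "missing"; fi
    return 1
}

# check_sa_plugins [DIR] -> one line per plugin; non-zero if either is not loaded
check_sa_plugins() {
    rc=0
    for p in SPF DKIM; do
        status=$(plugin_status "${1:-/etc/spamassassin}" "$p") || rc=1
        echo "$p: $status"
    done
    return "$rc"
}

# Constructed sample: SPF active in init.pre, DKIM commented out in v312.pre
demo=$(mktemp -d)
printf 'loadplugin Mail::SpamAssassin::Plugin::SPF\n' > "$demo/init.pre"
printf '# loadplugin Mail::SpamAssassin::Plugin::DKIM\n' > "$demo/v312.pre"
check_sa_plugins "$demo" || echo "at least one plugin is not loaded"
rm -rf "$demo"
```

On a real system, call `check_sa_plugins` with no argument to inspect /etc/spamassassin. A loaded plugin only shows that the tests are available to SpamAssassin; the headers and mail.log of a test message show whether they actually ran.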
     
