- Fixed webauthn config after upgrade to v2
- Added check for `X-AnonAddy-Dmarc-Allow` header added by Rspamd custom routine (see below)
Potentially breaking changes
If you are still running OpenDMARC / OpenDKIM and not Rspamd then this update will likely break your ability to reply/send from aliases as the above header will not be present. I recommend migrating to Rspamd if possible since it has many more features and is extremely fast.
Rspamd config update required
Please update `/etc/rspamd/local.d/milter_headers.conf` so that it looks like this:
```
use = ["authentication-results", "remove-headers", "spam-header", "add_dmarc_allow_header"];

routines {
  remove-headers {
    headers {
      "X-Spam" = 0;
      "X-Spamd-Bar" = 0;
      "X-Spam-Level" = 0;
      "X-Spam-Status" = 0;
      "X-Spam-Flag" = 0;
    }
  }
  authentication-results {
    header = "X-AnonAddy-Authentication-Results";
    remove = 0;
  }
  spam-header {
    header = "X-AnonAddy-Spam";
    value = "Yes";
    remove = 0;
  }
}

custom {
  add_dmarc_allow_header = <<EOD
return function(task, common_meta)
  -- Return values: error, headers to add, headers to remove, metadata
  if task:has_symbol('DMARC_POLICY_ALLOW') then
    return nil,
      {['X-AnonAddy-Dmarc-Allow'] = 'Yes'},
      -- remove any X-AnonAddy-Dmarc-Allow header already on the message
      {['X-AnonAddy-Dmarc-Allow'] = 0},
      {}
  end

  -- No DMARC pass: add nothing, but still remove any existing header
  return nil,
    {},
    {['X-AnonAddy-Dmarc-Allow'] = 0},
    {}
end
EOD;
}
```
The custom routine we've created, `add_dmarc_allow_header`, simply adds a header to messages that have the `DMARC_POLICY_ALLOW` symbol set by Rspamd. We will use this to only allow replies / sends from aliases that are explicitly permitted by their DMARC policy, in order to prevent anyone spoofing any of your recipient's email addresses.
The previous check for just the `X-AnonAddy-Spam` header was not enough, since many major email providers, such as Gmail and Hotmail, have a DMARC policy of `p=none`. This means there is a chance your recipient address could be spoofed.
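The difference between the two checks, as an added example (not AnonAddy's own code). The function names, addresses and sample messages are constructed for illustration, and it assumes the spam check stays in place alongside the new header check.

```python
from email import message_from_string
from email.message import Message


def build(extra_headers: str) -> Message:
    """Build a constructed sample message as the app would see it after Rspamd."""
    return message_from_string(
        "From: recipient@example.com\n"
        "To: alias@anonaddy.example\n"
        "Subject: Re: hello\n"
        f"{extra_headers}"
        "\n"
        "body\n"
    )


# Constructed samples (not real traffic).
# Sender domain has p=none and DMARC did not pass: not spam, but no allow header.
SPOOFED = build("")
# DMARC passed, so the custom routine added the header.
GENUINE = build("X-AnonAddy-Dmarc-Allow: Yes\n")
# Flagged as spam even though DMARC passed.
SPAM = build("X-AnonAddy-Spam: Yes\nX-AnonAddy-Dmarc-Allow: Yes\n")
# Two copies: a header that arrived with the message was not stripped.
DUPLICATE = build("X-AnonAddy-Dmarc-Allow: Yes\nX-AnonAddy-Dmarc-Allow: Yes\n")


def is_spam(msg: Message) -> bool:
    return (msg.get("X-AnonAddy-Spam") or "").strip().lower() == "yes"


def old_check(msg: Message) -> bool:
    """Previous behaviour: allow the reply/send unless flagged as spam."""
    return not is_spam(msg)


def new_check(msg: Message) -> bool:
    """Allow only when Rspamd saw DMARC_POLICY_ALLOW and added exactly one header."""
    if is_spam(msg):
        return False
    values = msg.get_all("X-AnonAddy-Dmarc-Allow") or []
    # Fail closed on a missing, duplicated or unexpected header value.
    return len(values) == 1 and values[0].strip() == "Yes"
```

The spoofed sample passes `old_check` but is refused by `new_check`, which is the gap the new header closes for `p=none` domains.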