Amavis is responsible for managing SA, clamav, its own rules and also managing the DMARC checks. I view it as the judge/coordinator is how I conceptually think of it.
For example... this header you can not match with SA. Drove me crazy debugging this in production because during testing of my rules with spamassassin -D it would match because the header was present in my test message from my cut/paste of an actual email for my new rule.
Code: Select all
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
bh=L2VQAW+PBcSzvlv860JhDGv83Eg3dkOQwgH2TC4rx+I=;
b=TqyU3UVmkiboHJT5IRCpz8bTi7gA4gdtoyUOsmXE/VbUnd3mPx30ftawBQgW/dEBc1
B+jnLetSqgL0tynXQ1V4sGr+fNbtrP0Kesz/M4RRLg4fj/lIf75LSg7HGTqQKbhoxX5z
98NI4GJHFlmpSOEn2UJsbI9pAiKpWWn2scTxCkhBanODm5Kuy1+kCUkntX803jOBaCuH
3lsjPDTeVT4eO3Ry4lMY5oYJBMIG5dEk5ubojqPWeBa9sOZkw/xo37d5F25v5ISXFT65
K3/20PsG9dLE2TzqShSS1dzZFodLeo08uMebIlf78dYO1192CAkCNyMW3VKrAC1RohmZ
31Yw==
You have some choices... DMARC_FAIL_REJECT=9
1) You could match the domain in your own rule based on the from header or Return-Path (from envelope) with a big negative score compensating for +9... ie) -99
2) You could whitelist it in amavis.conf which is the judge at the end
3) Change the score of DMARC_FAIL_REJECT in your salocal.cf... I have ours at 1.5 because I think users should be able to forward email to their zimbra account from AOL for example. The irony is the majority of spam to our servers is perfectly signed these days but business email isn't necessarily perfect.
HTH,
Jim