From fbe99652b19cb01231b8f6868e2b482249d82a96 Mon Sep 17 00:00:00 2001
From: "fox.cpp"
Date: Mon, 18 Nov 2019 18:56:21 +0300
Subject: [PATCH] Document DMARC support and it enable it by default

Despite being incomplete, it can be still be useful and provide protection for users. The missing part is the report generation, which is defined as a part of a minimal implementation by RFC 7489, though.
---
 README.md | 3 +--
 dist/vim/syntax/maddy-conf.vim | 1 +
 maddy.conf | 4 ++++
 man/maddy-smtp.5.scd | 16 ++++++++++++++++
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 69496bf..5cced0c 100644
--- a/README.md
+++ b/README.md
@@ -14,8 +14,7 @@ changes happen from time to time**
 - IMAP4rev1 & SMTP server in one binary
 - [DKIM][dkim] signing and verification
 - [SPF][spf] policy enforcement
- - [DMARC][dmarc] policy enforcement (experimental, enable with `dmarc on` in smtp config)
+ - [DMARC][dmarc] policy enforcement
 - [MTA-STS][mtasts] policy enforcement
 * Simple to configure
 - Two steps (excluding messing with DNS) to get your own
diff --git a/dist/vim/syntax/maddy-conf.vim b/dist/vim/syntax/maddy-conf.vim
index db99609..94fa097 100644
--- a/dist/vim/syntax/maddy-conf.vim
+++ b/dist/vim/syntax/maddy-conf.vim
@@ -78,6 +78,7 @@ syn keyword maddyDispatchDir
 \ reject
 \ deliver_to
 \ reroute
+ \ dmarc
 " grep --no-file -E 'cfg..+\(".+", ' **.go | sed -E 's/.+cfg..+\("([^"]+)", .+/\1/' | sort -u
 syn keyword maddyModDir
diff --git a/maddy.conf b/maddy.conf
index df3d132..23984dd 100644
--- a/maddy.conf
+++ b/maddy.conf
@@ -53,6 +53,10 @@ smtp tcp://0.0.0.0:25 {
 apply_spf
 }
+ # Enforce sender's DMARC policy.
+ # Report generation is not implemented yet.
+ dmarc on
+
 modify {
 # Implement plus-address notation.
 replace_rcpt /(.+)\+(.+)@(.+)/ $1@$3
diff --git a/man/maddy-smtp.5.scd b/man/maddy-smtp.5.scd
index faceec1..0458106 100644
--- a/man/maddy-smtp.5.scd
+++ b/man/maddy-smtp.5.scd
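Review bot: The comment added above `dmarc on` in maddy.conf should also state the precondition this same commit documents in the man page: DMARC evaluation depends on the apply_spf and verify_dkim checks, and without both it yields false negatives, so the policy would not be reliably enforced even though it is now on by default. The hunk shows apply_spf in the preceding check block, but whether verify_dkim is enabled in this default configuration lies outside the hunk and cannot be confirmed here. Suggested wording: `# Needs the apply_spf and verify_dkim checks enabled; without both, DMARC evaluation produces false negatives.` The shipped config uses `dmarc on` while the man page example uses `dmarc yes`; both appear to be accepted booleans (the old README documented `dmarc on`), but one spelling across config and docs would avoid confusion.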
@@ -20,6 +20,7 @@ smtp tcp://0.0.0.0:25 {
 max_message_size 32M
 auth pam
 defer_sender_reject yes
+ dmarc yes
 # Example pipeline ocnfiguration.
 destination example.org {
@@ -104,6 +105,17 @@ Amount of RCPT-time errors that should be logged. Further errors will be handled silently. This is to prevent log flooding during email dictonary attacks (address probing).
+*Syntax*: dmarc _boolean_ ++
+*Default*: yes
+
+Enforce sender's DMARC policy. Due to implementation limitations, it is not a
+check module.
+
+*NOTE*: Report generation is not implemented now.
+
+*NOTE*: DMARC needs apply_spf and verify_dkim checks to function correctly.
+Without these checks, you will get false negatives.
+
+# Submission module (submission)
 Module 'submission' implements all functionality of the 'smtp' module and adds
@@ -380,6 +392,10 @@ This configuration allows to specify alias local addresses to remote ones without being an open relay, since remote_queue can be used only if remote address was introduced as a result of rewrite of local address.
+*WARNING*: If you have DMARC enabled (default), results generated by apply_spf
+and verify_dkim checks inside a reroute block *will not* be considered in DMARC
+evaluation.
+
+*Syntax*: destination _rule..._ { ... } ++
+*Context*: pipeline configuration, source block