Hi Serge,
> I am currently implementing DKIM features into mailing list software
> (sympa).
I noticed this the other day - http://www.sympa.org/manual/dkim - great work.
Looking forward to doing my upgrade to Sympa 6+.
> mailing list server may change subject or
> add an attachment to message body
any chance of a global dkimfriendly=true to globally disable dkim unfriendly
options? It would make a listmaster's life easier if they wanted a dkim
friendly policy and had a large number of listowners to deal with.
> The development version allows sympa to add a signature by the list server
> itself. ....
Good to see a remailer signature here and one list server developer taking
DKIM seriously. Well done and thank you.
> My question is related to the interpretation of this sentence from rfc
> 5617 (ADSP) section 3.2 :
>
> o If a message has a Valid Signature other than an Author Domain
> Signature, the receiver can use both the Signature and the ADSP
> result in its evaluation of the message.
>
> Does this mean that the receiver should check the "From:" domain ADSP record
> assuming the signature is valid ?
The ADSP record really only has meaning if the Author Domain Signature is
invalid.

To me it says the receiver can check the Author Domain Signature and the
non-author domain signature and come up with a solution in some magical
non-specified way.
> What should the receiver MTA do with such message depending if the ADSP
> record for subscriber.domain is "discardable" or 'all' ?
You can take one of two opinions:
Opinion 1:
Assuming that it is unlikely that you would be chaining another intermediary
mailer before the sympa email list.
Option 1:
In this case there is no reason for the signature to be broken or missing
hence you could reject/discard the email where dkim-adsp=discard or fail
(rfc5617 - 5.4)
Opinion 2:
Assume that an intermediary mailer could break the ADSP and add its own third
party signature.
In this case you're in the same boat as every other poor email admin trying to
determine what to do with dkim-adsp=discard or fail because of email list (or
intermediary mailer) breakage.
Option 2A:
My suggestion here is to create a white list of IPs, envelope senders or DKIM
domains that can fail ADSP and still be accepted. This should probably be
confirmed by a list master, owner or moderator rather than a subscriber or
automated acceptance. Perhaps there should even be two lists - one for
ADSP=all and the other for ADSP=discardable.
Option 2B:
Push back a confirm probe to the Reply-To/Sender/From address and confirm the
email. Of course if the intermediary emailer forces the Reply-To to their list
address you could be in the nasty situation of requesting confirmation from a
list of people. Oh well, can't always win, but it's better than letting
unconfirmed forgeries through :-).
Other options here most welcome. I'm really trying to work out what to do here
too.
--
Daniel Black
Infrastructure Administrator
CAcert
_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev
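The receiver-side decision discussed in the message above (RFC 5617 section 5.4 result codes, plus the "Option 2A" whitelist for ADSP=all and ADSP=discardable) can be written down as a small policy function. The following is an added example, not Sympa's code and not anything posted to the thread; it takes the outcome of DKIM verification as input rather than verifying signatures itself, and the domains `subscriber.domain`, `lists.example`, the address `192.0.2.10` and the `decide`/`adsp_result` names are assumptions constructed for the illustration.

```python
"""ADSP evaluation helper (added example, not Sympa code).

Inputs are the results a DKIM verifier already produced: the From: header,
the list of (signing domain, valid?) signatures, the ADSP record fetched for
the author domain, and the envelope data.  Output is the dkim-adsp result
name from RFC 5617 section 5.4 and the action a receiver would take, with
the "Option 2A" whitelist split into one list for ADSP=all and one for
ADSP=discardable.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class DkimResult:
    domain: str   # d= tag of the DKIM-Signature header
    valid: bool   # outcome of the cryptographic verification


@dataclass(frozen=True)
class Envelope:
    from_header: str   # RFC 5322 From: header value
    mail_from: str     # SMTP envelope sender (MAIL FROM)
    client_ip: str     # address of the connecting SMTP client


def author_domain(from_header: str) -> str:
    """Domain of the single address in From:, lowercased (the Author Domain)."""
    addr = from_header
    if "<" in addr and ">" in addr:
        addr = addr[addr.rindex("<") + 1 : addr.rindex(">")]
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError("From: must carry exactly one address")
    return addr.rsplit("@", 1)[1].lower()


def adsp_policy(record: str) -> Optional[str]:
    """Extract the dkim= tag from an ADSP TXT record such as 'dkim=discardable'."""
    for tag in record.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "dkim":
            return value.strip().lower()
    return None


def adsp_result(author: str, sigs: Iterable[DkimResult], record: Optional[str]) -> str:
    """dkim-adsp result per RFC 5617 section 5.4 (the DNS lookup is abstracted away)."""
    if any(s.valid and s.domain.lower() == author for s in sigs):
        return "pass"          # a valid Author Domain Signature is present
    if record is None:
        return "none"          # no ADSP record published for the author domain
    policy = adsp_policy(record)
    if policy == "unknown":
        return "unknown"
    if policy == "all":
        return "fail"          # author domain says all mail is signed, this one isn't
    if policy == "discardable":
        return "discard"       # author domain asks receivers to discard unsigned mail
    return "permerror"         # malformed or unrecognised record


def whitelisted(env: Envelope, sigs: Iterable[DkimResult], entries: FrozenSet[str]) -> bool:
    """Option 2A: match client IP, envelope sender or any valid third-party signer."""
    signers = {s.domain.lower() for s in sigs if s.valid}
    candidates = {env.client_ip, env.mail_from.lower()} | signers
    return bool(candidates & {e.lower() for e in entries})


def decide(env: Envelope, sigs: Iterable[DkimResult], record: Optional[str],
           whitelist: Optional[Dict[str, FrozenSet[str]]] = None) -> Tuple[str, str]:
    """Return (dkim-adsp result, action) where action is 'accept' or 'reject'."""
    whitelist = whitelist or {}
    sigs = list(sigs)
    result = adsp_result(author_domain(env.from_header), sigs, record)
    if result in ("pass", "none", "unknown", "permerror"):
        return result, "accept"   # permerror treated like unknown (local policy)
    key = "all" if result == "fail" else "discardable"
    if whitelisted(env, sigs, whitelist.get(key, frozenset())):
        return result, "accept"
    return result, "reject"


# Constructed sample: a subscriber's post relayed by a list server whose
# re-signing left the author domain signature broken and added its own.
SAMPLE = Envelope(from_header="Alice <alice@subscriber.domain>",
                  mail_from="listname-bounces@lists.example",
                  client_ip="192.0.2.10")
SAMPLE_SIGS = [DkimResult("subscriber.domain", False), DkimResult("lists.example", True)]
LIST_WHITELIST = {"discardable": frozenset({"lists.example"}), "all": frozenset({"192.0.2.10"})}

if __name__ == "__main__":
    for rec in (None, "dkim=unknown", "dkim=all", "dkim=discardable"):
        print(rec, decide(SAMPLE, SAMPLE_SIGS, rec), decide(SAMPLE, SAMPLE_SIGS, rec, LIST_WHITELIST))
```

Without a whitelist the sample message is rejected under both `dkim=all` and `dkim=discardable`, which is Opinion 1; with the per-policy whitelist it is accepted because the valid third-party signer (or the relay's IP) is known to the listmaster, which is Option 2A.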