dkim-dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[dkim-dev] dkim validation software and mail lists

2009-09-29 02:17:03
from [Daniel Black] [Permanent Link] 

I've presented my thoughts on how mail list software can become DKIM friendly 
in the previous post however for the interim the email list / ADSP 
incompatibility still remains[1].

A more detailed paper in progress also talks about verification associated with 
this problem[2].

So the problem for the verifier is that you've received an email with a invalid 
DKIM signature and a ADSP record saying there should be one. The email is 
either spoofed or its come through one of those mailing list programs that 
breaks signatures. What do we do?

As I haven't though of an automated way to do this that doesn't add a big 
loophole for every email spoofer here's a summary of what I think could be 
done. Simplistic checking of unsuccessful DKIM validation and deciding to 
drop/reject a message isn't going to work so these emails need to be referred 
to a mail filtering policy process. Successful DKIM validation can pass through 
without this policy process.

Generic Mail Filtering Policy Process:

The way that I would allow users to have free control over what to do with a 
DKIM failed message to to pass them through to a policy daemon process like 
postfix's[3] with the Authenticated-Results[4] headers also included in the 
interface.

This would allow users and other programmers to quickly write a the decision 
logic in a few lines of code. The most useful of the policy process return 
status[5] include HOLD (for sysadmin intervention), REDIRECT (sysadmin 
analysis in own mailbox or to user+folder as an indication of DKIM failure), 
WARN (if testing policy), FILTER (to put "warning DKIM failure" in the message 
before delivery) and REJECT/DISCARD (if there is a blacklist for what has been 
presented).

Policy WhiteBlack list:

The policy filtering process that I would choose is:

Extract the folllowing information from the email:
* client_address
* sender (note this is the envelope sender which is the list email address in 
a form)
* authenticated-results headers[4] especially from dkim-adsp[6]

# We'd rather lists DKIM verified the results so we can use this as a third
# party trust. SpamAssassin has a similar config though they allow third party
# signatures for specified author domain signatures[7]

FOR authenticated-header(method=dkim-adsp,from=domain(Header['From'])) AS ah
  # database of trusted list of (ip,authserv) who's dkim-adsp/dkim
  # Authenticated-headers we trust. Use DKIM validation of list domain as
  # alternate to IP
  SELECT _ip,_authserv FROM dkimahtrust WHERE _authserv=ah->authserv-id
  IF _ip=client_address OR authenticated-
header(method=dkim,d=domain(sender),result=pass,authservid=us)
     SWITCH ah->results
     CASE pass) RETURN ACCEPT
     CASE nxdomain)
        # assume since no DKIM-ADSP result we'll base our accept on DKIM-
Signature
        IF (authenticated-header(authserv-
id=_authsev,method=dkim,result=pass,i=Header['From'],subdomain(domain(i),d))
             RETURN ACCEPT
        ELSE RETURN REJECT
        ENDIF
     CASE fail) RETURN REJECT
     CASE discard) RETURN REJECT
  ENDIF
NEXT  

# here we have a (sender,ip) whitelist and blacklist
SELECT _ip,_sender,_bwtype FROM dkimdb WHERE _ip=client_address AND 
sender=_sender
# hope its not in both
IF FOUND
  IF _bwtype='white' RETURN ACCEPT
  ELSE IF _bwtype='black RETURN REJECT
ENDIF

# no rules match - 
now present admin with easy email/web interface to whitelist, blacklist this 
entry based on the headers present and release/drop this email to its original 
recipient.

For list owners:
DKIM validate email in and add a authenticated header
optionally reject DKIM failed messages
Add a DKIM-Signature of email you pass out

This makes it easier for the receiving domain to filter bad messages based on 
your assertions.

[1] http://mipassoc.org/pipermail/dkim-dev/2009-September/000202.html
[2] https://community.cacert.org/dkim/
[3] http://www.postfix.org/SMTPD_POLICY_README.html
[4] http://tools.ietf.org/html/rfc5451
[5] http://www.postfix.org/access.5.html
[6] http://tools.ietf.org/html/rfc5617#section-5.4
[7] 
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_DKIM.html


-- 
Daniel Black
Infrastructure Administrator
CAcert

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [dkim-dev] dkim and email list software - potential solution, Daniel Black
Next by Date:  Re: [dkim-dev] dkim validation software and mail lists, Hector Santos
Previous by Thread:  [dkim-dev] dkim and email list software - potential solution, Daniel Black
Next by Thread:  Re: [dkim-dev] dkim validation software and mail lists, Hector Santos
Indexes:  [Date] [Thread] [Top] [All Lists]