dkim-ops

[dkim-ops] FYI: protecting subdomains in signature with dkimproxy

2009-02-01 07:04:35
Hello,

Recently Jason implemented protection of subdomains in dkimproxy.

First, let's look at an example story (long):

John Smith is a student in the Department of Computer Science at DKIM
University. DKIM University's default domain is "dkim.edu". The
Department of Computer Science's domain is "cs.dkim.edu". And John's
email address is "smith@cs.dkim.edu".

John always wants to put a signature on his own outgoing email. So the
University's central security officer set up John's email signature
policy.

[1] John's Full Name: John Smith
[2] John's Position: Student of Computer Science Dept.
[3] John's email address: smith@cs.dkim.edu
[4] Signature's Default Domain: dkim.edu
[5] Signature's Selector: student.cs
[6] Personal Identity of the Signature: smith@cs.dkim.edu

===> dkimproxy's sender_map.conf of the University
smith@cs.dkim.edu dkim(c=relaxed,a=rsa-sha256,s=student.cs,d=dkim.edu,i=smith@cs.dkim.edu)

One day John sent an email to his girlfriend (Susan), who uses Gmail.

......

Susan's email header: (It's confirmed by my testing)

Authentication-Results: mx.google.com; (...)
        smtp.mail=smith@cs.dkim.edu; dkim=pass (test mode)
        header.i=smith@dkim.edu
(...)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dkim.edu;
        h=message-id:date:from:mime-version:to:subject:content-type:
        content-transfer-encoding; s=student.cs;
        i=smith@cs.dkim.edu;
        (...)
From: John Smith <smith@cs.dkim.edu>
Subject: Wednesday Homework (Linux Kernel debuging)
To: Susan Lee <susan.lee@gmail.com>

......

OK, as seen above, we can manually enter the "d=" tag's value and the
"i=" tag's value of our choice in sender_map.conf. The sender_map.conf
is a good solution. Google's Gmail also gives us a good and correct
answer under RFC4871.

RFC4871 does not force the implementation of the "i=" tag in the
signature. However, several companies (e.g., port25.com) try to match
the 2822-From header against the "i=" tag. That's somewhat dangerous (at
least to me, since I use subdomains often). At the reflector of
port25.com, the result is *not* "pass" whenever I send email with
subdomains. So I suggested to Jason that he make a way of protecting
subdomains. And now I see "DKIM Result: pass" at the reflector of
port25.com. Let's go with dkimproxy. Now it's safe with subdomains..;;

byunghee
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
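
Added example (not part of the original post and not dkimproxy's code): a small Python check of the "d=" / "i=" relationship discussed above, run against a header constructed from the post's values with bh= and b= left out. The "from_matches_i" result is a hypothetical stricter policy of the From-versus-"i=" kind the post mentions, not any particular verifier's logic, and dkim-quoted-printable encoding in "i=" is assumed absent.

```python
import re
from email.utils import parseaddr

# Constructed sample built from the values in the post; bh=/b= are omitted.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed; d=dkim.edu;\r\n"
              "\th=message-id:date:from:mime-version:to:subject; s=student.cs;\r\n"
              "\ti=smith@cs.dkim.edu")
SAMPLE_FROM = "John Smith <smith@cs.dkim.edu>"

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 4871 section 3.2) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue  # tolerate a trailing ";"
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or name in tags:
            raise ValueError("malformed or duplicate tag: %r" % item)
        tags[name] = val.strip()
    return tags

def domain_of(addr):
    """Lower-cased domain part of an address or of an '@domain' identity."""
    return addr.rpartition("@")[2].lower().rstrip(".")

def check_identity(sig_value, from_header):
    tags = parse_tags(sig_value)
    d = tags["d"].lower().rstrip(".")
    i = tags.get("i", "@" + d)  # RFC 4871: i= defaults to "@" + d
    i_dom = domain_of(i)
    from_addr = parseaddr(from_header)[1].lower()
    i_local = i.rpartition("@")[0]
    return {
        # Required by RFC 4871: i= domain is d= or a subdomain of d=.
        # The "." prefix stops "evildkim.edu" from matching "dkim.edu".
        "i_within_d": i_dom == d or i_dom.endswith("." + d),
        # Hypothetical stricter policy: From must line up with i=.
        "from_matches_i": domain_of(from_addr) == i_dom
                          and (i_local == "" or from_addr == i.lower()),
    }

if __name__ == "__main__":
    print(check_identity(SAMPLE_SIG, SAMPLE_FROM))
    # Same sender, but no i= tag: identity falls back to the parent domain.
    print(check_identity("v=1; d=dkim.edu; s=student.cs", SAMPLE_FROM))
```

With the post's sender_map.conf entry both checks hold; dropping "i=" so that the identity defaults to "@dkim.edu" keeps the signature within the RFC rule but fails the stricter From comparison for a subdomain sender.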