Hi Jim,
At 10:00 26-08-2009, Jim Fenton wrote:
I'm not entirely happy with all of the defaults for handling DNS
failures. The CONFIGURATION section of the dkim-filter manpage says "In
the interests of minimal initial impact, the defaults for badsignature
and nosignature are accept, and the default for the others is tempfail."
Which means that if it can't access the key record, it'll tempfail the
message, which I don't consider minimal initial impact.
That setting was helpful in identifying (DKIM) sender related
issues. The impact has been minimal (excluding DKIM testing). You
have better control on how the different DNS cases are handled in
OpenDKIM v1.1.0 which is planned for release next Monday.
The case of a (DNS) NXDOMAIN brings up the question of what is a "bad
signature". Suggestions and/or patches about what should be done are welcome.
Regards,
-sm
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops