Re: _FFR_RESIGN in opendkim

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 6 Nov 2009 08:06:29 -0800 (PST)

On Thu, 5 Nov 2009, Daniel Black wrote:
> The main application for this is mail forwarders/relays. So I think it
> could be used with a "Sign verified|always" to sign where all input
> signatures that verified (or always).
>
> Mail lists tend to receive and reinject so we currently can configure
> the filter with "SenderHeader Sender".
>
> With this list think you'd need to use -m/M options to sign the list or,
> because it doesn't actually break signatures - the 'Sign always' from
> above would also work.

Some good ideas in there. So I think my plan is something like a new pair
of settings: "ResignMailTo" (determines destination addresses that are
forwarders/relays/lists whose mail should be resigned) and "ResignAll"
(resign everything if set, verified mail only if not, default to false).
The "i=" would be set to the destination address matching "ResignMailTo"
as long as it matches the rest of the signing configuration.

I took a run at this last night and it got pretty ugly, mainly because the
binding has to be made in a certain place which makes it tricky, plus
_FFR_MULTIPLE_SIGNATURES gums up the works a bit as it is by creating lots
of signing handles that need to be bound. I'll take another run at it
over the weekend.

Worse yet, the current library implementation presumes the resigning will
happen with no header fields added, while the user might want to sign any
Authentication-Results header field generated during verification. That
means half of the benefit of this whole effort goes out the window because
we can only reuse one hash instead of two.
Received on Fri Nov 06 2009 - 16:06:47 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:32:29 PST