On Wed, Sep 29, 2010 at 7:17 PM, Phil Pennock <exim-users_at_spodhuis.org> wrote:
>> Now this is a dkim question. My macro to set the signing domain uses
>> $sender_address_domain, which is the domain portion of the _envelope_
>> sender. A previous implementation that I had seen used the domain
>> portion of the _header_ sender. Which is correct? Or is the answer
>> "it depends" ?
>
> AFAICT it's unspecified and up to you. The identity being asserted is
> included in the DKIM signature header. It's worth noting though that
<snip>
> So, it makes most sense to me to match the signature to the From:
> header. Against this, do remember that the From: header is allowed to
> contain multiple email addresses, while the envelope contains only one,
> so the envelope is easier to work with.
>
> I haven't thought about this deeply, but: what are the circumstances
> under which you'd want to sign an email where the envelope sender isn't
> the same as one of the addresses in the From: header? For instance, is
> it worth having the signing Router have a:
I have custA and custB, two different domains, thus two different
email addresses, and both use SMTP Auth to send email. Suppose custA
sends an email, but sets the From to be custB's email. Further
suppose that my system is configured to sign for both domains if the
source is webmail or smtp auth. If I only use the From: header to
determine the signing domain, it will sign custA's email with custB's
key. You might ask, what's the big deal? custA could abuse custB's
reputation by sending email as that user.
> condition = ${if eq{${lc:$sender_address}}\
> {${lc:${sg{${addresses:$h_from:}}{:.*}{}}}}\
> }
My current approach is to use the envelope sender domain if customer
uses SMTP Auth, and the From header if it's from webmail. This is
from my dkim_macros.conf for exim, still a work in progress:
# For smtp auth, use envelope sender, otherwise use From: header
DKIM_DOMAIN = ${if def:sender_host_authenticated \
{${sender_address_domain}} \
{${lc:${domain:$h_from:}}} }
DKIM_LOCAL_PART = ${if def:sender_host_authenticated \
{${sender_address_local_part}} \
{${lc:${local_part:$h_from:}}} }
Based on your example above, I need to modify my domain and local_part
extractions to perform the ${sg...} on the From: header to extract
only the first address because I just plain forgot that From: could
have multiple addresses :-(
> on it, so that cases where the envelope sender doesn't match the first
> from address are not signed?
That's another possibility, which would solve my particular concern above.
> This appears to be an area which the RFC writers have punted upon.
Agreed, it could use more detail WRT to virtual hosters. Maybe a
mention in the IETF-DKIM list as well? Murray, should I? (Offlist or
in irc is cool.)
--
Regards... Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm. -- Marcus Aurealius
Received on Thu Sep 30 2010 - 13:44:40 PST