Re: [ DKIM failure report for p2OKvsn2005015]

From: Murray S. Kucherawy <>
Date: Fri, 25 Mar 2011 06:31:55 -0700 (PDT)

On Fri, 25 Mar 2011, Andreas Schulze wrote:
> Dirty hack idea: the feature "--enable-maxverify" enforce
> "SendADSPReports=no".

That was one of the things I proposed. SM suggested just to document it.
Are there any other opinions?

> I would like to know
> - why Todd configured "MaximumSignaturesToVerify 1"

Todd will have to answer that one. :-)

> - the reason, the feature was introduced into opendkim

There was concern that one could craft an attack involving a message with
a huge number of signatures. There are two possible attacks there:

1) each signature is from a different domain, so it will take a long time
grabbing all the keys and doing all the crypto, taking up a thread slot
and an MTA thread or subprocess for a long time; send enough of those and
you can jam up the receiver altogether

2) each signature is from the same domain but a different selector,
causing opendkim to generate a small DNS storm against the domain; send
lots of those to lots of verifiers and you have a DDoS attack

The default for the value is 3.

Received on Fri Mar 25 2011 - 13:32:29 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:33:09 PST