Re: [postmaster@ivenue.com: DKIM failure report for p2OKvsn2005015]

From: SM <sm_at_resistor.net>
Date: Thu, 24 Mar 2011 22:03:01 -0700

Hi Murray,

[following up on the mailing list as suggested]

At 20:31 24-03-2011, Murray S. Kucherawy wrote:
>Bingo. It stops verifying after the first one (flagging the rest to
>be ignored), which means the signature whose domain ("d=") matches
>the From: domain was not verified, which means the rules for ADSP
>weren't satisfied, and so a report is generated.
>
>My inclination is simply to document that this is a possible side
>effect of using MaximumSignaturesToVerify. I can't think of a good
>software solution off the top of my head, other than suppressing
>SendADSPReports if there were any ignored signatures or something
>like that. Or maybe we could have a setting that makes that
>optional, but do we really think one more config item to cover this
>case is a good idea?

When we have MaximumSignaturesToVerify set to 1, we have to determine
which DKIM signature is verified. Currently, it is the top-most DKIM
signature. If the mailing list re-signs the message, as this one
does, this bug will be triggered. In practice, there aren't a lot of
mailing lists that behave like this one. The software solutions I
can think of all make some assumptions that may not hold in all
cases. We don't need one more config item here.

Suppressing SendADSPReports only fixes the visible part of the
problem. A glance at the headers points to OpenDKIM making an
incorrect assessment. The assessment is not incorrect if we delve
into the details.

My opinion is to document this as a bug for now as it is better not
to make major changes when we are at the Beta stage.

Regards,
-sm
Received on Fri Mar 25 2011 - 05:03:11 PST
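
Added example, not part of the original message and not OpenDKIM code: a small Python model of the behaviour discussed in this thread, where a cap on verified signatures means the author-domain signature below a mailing list's re-signature is never checked. The function names, result strings and sample domains are hypothetical, and the signature values are constructed.

```python
# Constructed sample: header order as received, top-most first. The list
# re-signed the message, so its signature sits above the author's.
SAMPLE_SIGS = [
    "v=1; a=rsa-sha256; d=lists.example.org; s=list; h=from:subject; "
    "bh=CONSTRUCTED; b=CONSTRUCTED",
    "v=1; a=rsa-sha256; d=example.com; s=mail; h=from:subject; "
    "bh=CONSTRUCTED; b=CONSTRUCTED",
]


def sig_domain(value):
    """Return the d= tag of a DKIM-Signature header value, lowercased."""
    for tag in value.split(";"):
        name, _, val = tag.partition("=")
        if name.strip() == "d":
            return val.strip().lower()
    return None


def adsp_view(sig_values, from_domain, max_verify, crypto_ok=lambda d: True):
    """Model a verifier that checks only the first max_verify signatures
    (0 = no limit), then looks for a passing author-domain signature.
    crypto_ok stands in for the real cryptographic check (assumption)."""
    from_domain = from_domain.lower()
    verified, ignored = [], []
    for i, value in enumerate(sig_values):
        d = sig_domain(value)
        if max_verify and i >= max_verify:
            ignored.append(d)          # flagged to be ignored, never checked
        elif crypto_ok(d):
            verified.append(d)
    if from_domain in verified:
        return "author-signature-pass"
    if from_domain in ignored:
        # The signature exists but was skipped, so nothing is known about it.
        # Treating this as "no author signature" is what produces the report.
        return "author-signature-not-evaluated"
    return "no-valid-author-signature"


if __name__ == "__main__":
    for limit in (1, 0):
        print(limit, adsp_view(SAMPLE_SIGS, "example.com", limit))
```

Keeping "not evaluated" distinct from "no valid author signature" is what would let a report step be skipped when signatures were ignored, the option raised in the quoted text.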
