On Sat 24/Oct/2015 12:46:40 +0200 A. Schulze wrote:
> Murray S. Kucherawy:
>
>> The major thing in this version is an experimental implementation of the
>> conditional signatures proposal.
>
> I now found a configuration where OpenDKIM generates a v=2 signature.
>
> opendkim-2.11.0.conf:
> ConditionalSignatures file:/path/to/conditional_table
>
> conditional_table:
> sender.domain:destination.domain x

That scheme looks wrong to me. It should be "recipient-address:domain x" (BTW,
what is x?)

For example, if you send to postmaster_at_lists.opendkim.org, you likely want a
regular v=1 signature.

I'd suggest parsing incoming mail in order to fill the table. Whenever you
have, say:

    List-Post: <mailto:list_at_example.org>

and

    Authentication-Results: [...];
      dkim=pass header.d=something.aligned.with.example.org

you can safely add "list_at_example.org:something.aligned.with.example.org x" to
that table. I see no security concerns doing it this way, because an MTA only
acts on that line when a (trusted) user does send to that recipient. Correct?

> It may be possible that this is a consequence of the ignorance that test155 fails.

Hm... the reason test155 fails is s/!fs/!cd/. (Then also change b=, see
attachment)

Ale
Received on Mon Oct 26 2015 - 11:32:09 PST
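
One way to implement the table-filling idea from the message above, as an added example that is not part of the original post and is not OpenDKIM code. The authserv-id `mx.local.example`, the function names and the sample message are assumptions; the output uses the "recipient-address:domain x" line shape proposed in the message, and alignment is simplified to a subdomain check instead of a public-suffix-list lookup.

```python
import re
from email import message_from_string

# Assumption: authserv-id our own verifier stamps. Authentication-Results
# headers carrying any other id were not written by us and are ignored.
TRUSTED_AUTHSERV_ID = "mx.local.example"

def aligned(d, list_domain):
    """Simplified alignment: same domain, or one is a subdomain of the other.
    A production check would compare organizational domains via a PSL."""
    d, list_domain = d.lower().rstrip("."), list_domain.lower().rstrip(".")
    if "." not in d or "." not in list_domain:
        return False  # refuse single-label names such as "org"
    return (d == list_domain or d.endswith("." + list_domain)
            or list_domain.endswith("." + d))

def table_entry(raw_message):
    """Return a proposed table line for a list message, or None."""
    msg = message_from_string(raw_message)
    post = re.search(r"<mailto:([^>?\s@]+@([^>?\s@]+))",
                     msg.get("List-Post", ""), re.I)
    if not post:
        return None
    list_addr, list_domain = post.group(1).lower(), post.group(2).lower()
    for ar in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = " ".join(ar.split()).partition(";")
        if authserv_id.strip().split(" ")[0].lower() != TRUSTED_AUTHSERV_ID:
            continue
        for res in results.split(";"):
            if not re.match(r"dkim\s*=\s*pass\b", res.strip(), re.I):
                continue
            d = re.search(r"\bheader\.d\s*=\s*([A-Za-z0-9.-]+)", res, re.I)
            if d and aligned(d.group(1), list_domain):
                return f"{list_addr}:{d.group(1).lower()} x"
    return None

# Constructed sample message (not taken from the thread).
SAMPLE = (
    "Authentication-Results: mx.local.example;\n"
    " dkim=pass header.d=lists.example.org\n"
    "List-Post: <mailto:list@example.org>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(table_entry(SAMPLE))
```

The authserv-id check only holds if the border MTA removes inbound Authentication-Results headers that already claim the local id.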