Re: How about A-R dkim-adsp's "header.from" value?

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Tue, 6 Jul 2010 12:36:53 -0700 (PDT)

On Tue, 6 Jul 2010, Alessandro Vesely wrote:
>> I'm not clear on what you're proposing. What's an example of the case
>> you're trying to cover?
>
> A downstream filter may want to send a report in case a message is invalid,
> and, say, the domain is subscribed to some sort of FBL. Possibly, learning
> what is the relevant domain would ease its job.

For ADSP, reporting "header.from" is the important thing. It's added to
the registry by RFC5617. The domain in there is the relevant one in this
context.

> I don't actually have that case: it is just a possibility. Thus, I'm
> going to omit that propspec, unless there is an established alternative
> that makes sense. Since you said you were going to amend opendkim, I
> downloaded the last version (2.1.1), but saw no changes in that respect.
> I thought you might just have planned it, hence I'm asking.

I can't recall which amendment we're discussing. I think I was toying
around with the idea of putting A-R addition under the control of a Lua
script, but that hasn't formed into a well-defined idea yet.

> FWIW, the behavior I'm going to code provides for the following, in case
> of a missing or invalid author domain signature: either do an action or
> set a result according to the relevant condition.
>
> condition => action | result
> -------------------+---------+--------
> nxdomain => reject | nxdomain
> other error => ignore --I write no A-R in this case
> policy=unknown => ignore --nor in this one
> policy=all => reject | fail
> policy=discardable => drop | discard

This is pretty close to what the filter does now, which is:

- nxdomain action is covered by ADSPNoSuchDomain
- discardable action is covered by ADSPDiscard
- failures on "all" cause an A-R to be added indicating "fail"
- A-R is added for the remaining cases indicating ADSP status but no
filtering action is taken

The limitations to the current code are that one can't configure a true
"discard" (accept but drop) action; it always does a "reject" (5xx)
action, and there's no way to tell it not to bother including ADSP results
in A-R. We have an open feature request for the former, but not the
latter. Feel free to open one if you like. (If you don't, I probably
will in the next week or so to add it to the potential feature list for
the next version.)

-MSK
Received on Tue Jul 06 2010 - 19:37:12 PST