Re: Rejected messages from the mailing list

From: Alessandro Vesely <vesely_at_tana.it>
Date: Mon, 02 Aug 2010 21:13:18 +0200

On 02/Aug/10 17:07, SM wrote:
> At 05:37 02-08-10, Alessandro Vesely wrote:
>> BTW, source now says "554 DKIM signature required by ADSP" --not
>> released yet.
>
> A 550 code would be better as it is a policy decision. But it isn't
> for me to decide on that.

554 is in Murray's draft...

>> It breaks most of the time, though. (About 3:1 in my current folder)
>
> It should not break for this mailing list except for one known case.

I've found that Courier-MTA rewrites messages more often than is
strictly required, and posted a possible solution*. I'll let the list
know if that has an effect.

*
http://www.mail-archive.com/courier-users_at_lists.sourceforge.net/msg35102.html

When rewriting, the odds that quotes around tokens in Content-Type may
be altered are 50%. Wouldn't it be more robust to avoid signing that
field, given current canonicalization capabilities?

>> Zdkimfilter has whitelisting options, and orders signatures
>> according to their domain being author, whitelisted, sender, helo,
>> using dkim_set_final. Then, the library delivers the first verified
>> signature. However, I had forgotten to whitelist opendkim.org :-/
>
> The quick fix is to whitelist opendkim.org.

Blindly?

> I suggest returning all the verified signatures if you want to
> catch cases like this one.

That might be a good hint in general. When I saw that the library
returns just one signature, with various options for pre-sorting them,
I thought that checking all signatures had been limited in order to
avoid some kind of DoS attack, e.g. messages with inordinate amounts
of signatures --just guessing. Is that the reason the library has
been designed that way?
Received on Mon Aug 02 2010 - 19:13:28 PST
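
The Content-Type point raised in the message above can be checked against the "relaxed" header canonicalization of RFC 6376, section 3.4.2. The following is an added example, not code from the message, from OpenDKIM or from zdkimfilter; the header fields are constructed samples and the function names are hypothetical.

```python
import re

def relaxed_header(field: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    name, _, value = field.partition(":")
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)        # collapse WSP runs to a single SP
    # lowercase the name, drop WSP around the colon and at the end of the value
    return name.strip(" \t").lower() + ":" + value.strip(" \t\r\n") + "\r\n"

def survives(signed: str, received: str) -> dict:
    """Would this field still hash identically after an MTA rewrote it?

    'simple' canonicalization leaves the field untouched, so any byte change
    breaks it; 'relaxed' compares the canonical forms.
    """
    return {
        "simple": signed == received,
        "relaxed": relaxed_header(signed) == relaxed_header(received),
    }

# Constructed samples: the field as signed, then two rewrites of it.
SIGNED = "Content-Type: text/plain; charset=us-ascii\r\n"
REFOLDED = "content-type:  text/plain;\r\n\tcharset=us-ascii\r\n"   # case, folding, spacing
QUOTED = 'Content-Type: text/plain; charset="us-ascii"\r\n'         # quotes added to token

if __name__ == "__main__":
    for label, rewritten in (("refolded", REFOLDED), ("quoted", QUOTED)):
        print(label, survives(SIGNED, rewritten))
```

Relaxed canonicalization absorbs refolding, whitespace and field-name case changes, but it knows nothing about MIME parameter syntax, so a rewrite that adds or removes quotes around a parameter value changes the canonical form and the header hash.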
