RE: Re[2]: How does opendkim determine on whose behalf to sign message?

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Fri, 10 Sep 2010 13:54:29 -0700

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-
> bounce_at_lists.opendkim.org] On Behalf Of Miha Vrhovnik
> Sent: Friday, September 10, 2010 12:56 PM
> To: opendkim-users_at_lists.opendkim.org
> Subject: Re[2]: How does opendkim determine on whose behalf to sign
> message?
>
> Correct me if I'm wrong but you can do that if you do know the IP
> addresses of the senders.

The filter is given the IP address of the SMTP client that's talking to the MTA. It's that IP address upon which the decision is based. Presumably you have IP addresses that are external to you and some that are internal, so you would list the latter in your InternalHosts data set.

Are you saying you have some internal addresses that should not have their mail signed by your domain, or that you're concerned they'll send mail from domains to which they otherwise have no right?

> I didn't compile with --enable-sender_macro and this was getting a
> strange error: "opendkim: /etc/opendkim.conf: configuration error at
> line 269: unrecognized parameter"

What's on line 269 of your configuration file? If it's SenderMacro then you need to do a "make clean; make; make install" after re-doing your ./configure with --enable-sender_macro.

> Nonetheless I'm worried because default settings are so relaxed,
> because you usually don't have your users under control. It would be
> better if by default they would be as tight as I'm trying to make them
> right now.

So far there hasn't been any demand for tighter settings by default. The design of DKIM is completely agnostic when it comes to the envelope, so it's probably not something that's considered too often.

> If this would be implemented in native code then my suggestion is, add
> two new variables to config:
> TakeEmail(Domain)ForSignatureFrom From field || sender macro || (From
> field && sender macro)
> If both compare: full email || domain part ||doesn't matter
>
> 2nd option would be just to add Compare variable which would do just
> that.

I think we have most of that via the SenderMacro setting, which can be used to get the envelope sender. I believe the {mail_addr} macro is the one you'd want. As far as verifying that the two are the same, we can either do that via a Lua example script or as a native feature that's on by default. If you like, you're welcome to open a feature request for this on the SourceForge tracker and we can schedule that work for the 2.3.0 release.

-MSK
Received on Fri Sep 10 2010 - 20:54:38 PST
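
The signing decision discussed in this thread, as an added example that is not part of the original message and is not OpenDKIM code: the client IP is checked against an internal-hosts list, then the envelope sender is compared with the From field in one of the three modes proposed above (full address, domain part, or no comparison). The function name, the `compare` values and the sample networks are assumptions made for illustration.

```python
import ipaddress
from email.utils import getaddresses

# Constructed sample networks standing in for an InternalHosts data set.
INTERNAL_HOSTS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.0.2.0/24")]


def split_addr(addr):
    """Return (local, domain) with the domain lower-cased, or None if malformed."""
    local, sep, domain = addr.strip().strip("<>").rpartition("@")
    if not (sep and local and domain):
        return None  # also covers the null envelope sender "<>"
    return local, domain.lower().rstrip(".")


def signing_domain(client_ip, envelope_sender, from_header, compare="domain"):
    """Return the domain to sign for, or None to leave the message unsigned.

    compare (hypothetical setting): "full" = whole address must match,
    "domain" = domain part must match, "off" = envelope is ignored.
    """
    if compare not in ("full", "domain", "off"):
        raise ValueError("compare must be 'full', 'domain' or 'off'")
    # Step 1: only SMTP clients on the internal list are candidates for signing.
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in INTERNAL_HOSTS):
        return None
    # Step 2: take the author from the From field; refuse ambiguous headers.
    authors = getaddresses([from_header])
    if len(authors) != 1:
        return None
    author = split_addr(authors[0][1])
    if author is None:
        return None
    if compare == "off":
        return author[1]  # From field alone decides
    # Step 3: compare against the envelope sender (what a sender macro supplies).
    sender = split_addr(envelope_sender)
    if sender is None:
        return None
    if compare == "full" and sender != author:
        return None
    if sender[1] != author[1]:
        return None
    return author[1]
```
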
