Handling mail from mailer daemons

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Thu, 7 Oct 2010 15:14:55 -0700

What do people think opendkim should do when it gets mail from a mailer daemon (i.e. one with an empty envelope sender)? Right now such mail gets no special treatment. However I've observed this behavior:

- owner of MTA 2 posts an ADSP policy of "all"
- MTA 1 (running opendkim) sends DKIM-signed mail to MTA 2
- MTA 2 feeds that mail to a program, which doesn't like it so it exits with an error
- MTA 2 generates a DSN to MTA 1; DSN is not signed
- MTA 1 receives DSN
- MTA 1 has "SendADSPReports" set
- MTA 1 observes DSN is unsigned, contradicting MTA 2's ADSP policy
- MTA 1 generates an ADSP report back to MTA 2

In fact MTA 2 would have signed the DSN, except that DSNs are not passed through signing filters by MTA 2 by design, so its DSNs will never be signed.

Is the owner of MTA 2 limited by his own architecture never to use ADSP, or should opendkim simply ignore incoming bounces by default (with, of course, a switch to override the default) so that ADSP can be used to protect non-DSN mail?

-MSK
Received on Thu Oct 07 2010 - 22:15:04 PST