Re: Handling mail from mailer daemons

From: Daniel Black <daniel.subs_at_internode.on.net>
Date: Sun, 10 Oct 2010 12:07:32 +1100

On Friday 08 October 2010 09:14:55 Murray S. Kucherawy wrote:
> What do people think opendkim should do when it gets mail from a mailer
> daemon (i.e. one with an empty envelope sender)? Right now such mail gets
> no special treatment. However I've observed this behavior:
>
> - owner of MTA 2 posts an ADSP policy of "all"
> - MTA 1 (running opendkim) sends DKIM-signed mail to MTA 2
> - MTA 2 feeds that mail to a program, which doesn't like it so it exits
> with an error - MTA 2 generates a DSN to MTA 1; DSN is not signed
> - MTA 1 receives DSN
> - MTA 1 has "SendADSPReports" set
> - MTA 1 observes DSN is unsigned, contradicting MTA 2's ADSP policy
> - MTA 1 generates an ADSP report back to MTA 2
>
> In fact MTA 2 would have signed the DSN, except that DSNs are not passed
> through signing filters by MTA 2 by design, so its DSNs will never be
> signed.
>
> Is the owner of MTA 2 limited by his own architecture never to use ADSP, or
> should opendkim simply ignore incoming bounces by default (with, of
> course, a switch to override the default) so that ADSP can be used to
> protect non-DSN mail?
>
> -MSK

I think no special treatment should be done. In the case here it is an error
condition that generates a few more emails than usual. This is probably useful
to identify the problem or to encourage the MTA2 owner to do error handling
better.

Were it not an error condition could it be possible for the MTA2 owner to put
bounce messages on a different domain to the ADSP policy? Alternately the MTA2
owner could setup a report interval to prevent a overload of ADSP reports.
Received on Sun Oct 10 2010 - 00:46:48 PST