Re: Handling mail from mailer daemons

From: SM <sm_at_resistor.net>
Date: Sat, 09 Oct 2010 22:39:57 -0700

Hi Murray,
At 15:14 07-10-10, Murray S. Kucherawy wrote:
>What do people think opendkim should do when it gets mail from a
>mailer daemon (i.e. one with an empty envelope sender)? Right now
>such mail gets no special treatment. However I've observed this behavior:
>
>- owner of MTA 2 posts an ADSP policy of "all"
>- MTA 1 (running opendkim) sends DKIM-signed mail to MTA 2
>- MTA 2 feeds that mail to a program, which doesn't like it so it
>exits with an error
>- MTA 2 generates a DSN to MTA 1; DSN is not signed
>- MTA 1 receives DSN
>- MTA 1 has "SendADSPReports" set
>- MTA 1 observes DSN is unsigned, contradicting MTA 2's ADSP policy
>- MTA 1 generates an ADSP report back to MTA 2
>
>In fact MTA 2 would have signed the DSN, except that DSNs are not
>passed through signing filters by MTA 2 by design, so its DSNs will
>never be signed.
>
>Is the owner of MTA 2 limited by his own architecture never to use
>ADSP, or should opendkim simply ignore incoming bounces by default
>(with, of course, a switch to override the default) so that ADSP can
>be used to protect non-DSN mail?

The message is sometimes sent with "mailer-daemon" as the
author. That address is rewritten to include the FQDN; sometimes
after going through the signing milter. If we know the architecture,
we already how what rewrite will be applied to the "From:" header
field and we could catch this case to avoid contradicting the ADSP
policy of MTA 2. MTA 1 could also detect that this is an automatic
response and the ADSP report should not be sent.

Regards,
-sm
Received on Sun Oct 10 2010 - 05:40:44 PST