Re: What are reasonable signing policies?

From: SM <sm_at_resistor.net>
Date: Wed, 27 Oct 2010 12:42:06 -0700

Hi Gary,
At 08:03 26-10-10, Gary Mills wrote:
>I'm responsible for the central e-mail server, available to everyone
>at this university, but some departments operate their own e-mail
>servers. Both e-mail clients and other e-mail servers reside on the
>same IP networks. How does the trust relationship apply in this
>environment?

Consider which messages going through the central e-mail server you
want to take responsibility for. You don't have to be concerned
about other messages unless the messages from the other e-mail
servers go through the central e-mail server.

>Certainly the central MTA should sign e-mail messages when the user
>has authenticated with SMTP. Messages originating on the server

It's possible to do that with OpenDKIM. As the users use SMTP
authentication, you can always hunt them down if there are abuse reports.

>Are there any disadvantages to DKIM-signing? Does this affect e-mail

Yes, we can blame you if we don't like your messages. :-)

>forwarding, for example? How about cases where a user sends messages
>through their ISP's e-mail server but sets the sender to their
>university address? Will anything stop working when I enable signing?

DKIM signing does not affect email forwarding. If you want to allow
users to send email from their ISP, use a "dkim=unknown" ADSP
policy. Enabling signing does not stop anything from
working. Messages from this mailing list are DKIM signed. The only
problem encountered is that some subscribers have rejected messages
which fail DKIM verification. It's a bad idea to do that unless the
DKIM signer advertises such a policy.

There are a lot of knobs in OpenDKIM for you to come up with a
reasonable signing policy; i.e. which messages should be DKIM
signed. There is also Lua for the verification side. It can be used
to fine-tune what checks should be done during DKIM verification and
what action should be taken,

To answer the question in the subject line, how about you telling us
what signing policies you consider as reasonable? We can discuss
about them and make suggestions but we won't tell you how you should
run your e-mail server as that would be a layering violation. :-)

Regards,
-sm
Received on Wed Oct 27 2010 - 19:43:03 PST