Re: opendkim getting hardfail with Google

From: Mark Martinec <Mark.Martinec+dkim_at_ijs.si>
Date: Thu, 10 Mar 2011 01:10:36 +0100

In absence of the ability to invoke a milter on the sending side,
and instead of trying to equip a signing milter with tricks of
anticipating changes that an MTA will be performing after signing
(some of which are MTA-independent like masquerading, some of which
are very sendmail specific), in my opinion a clean solution is to
dedicate a separate instance of a MTA for mail submission, which
can do mail sanitation, 8-bit to QP encoding, canonicalization of
addresses etc, then feed such mail to a sending MTA, which can safely
invoke a signing milter without fearing of later breaking a signature.

Having a separate MSA (for local and authenticated roaming users)
also makes content filtering easier, firewalling and security policy
cleaner, and facilitates decisions which mail to sign and which to
verify: all mail coming from a dedicated MSA is coming from our
users - as such it is to be signed. All incoming mail arriving
to our MX from elsewhere is inbound, signatures should be verified,
spam checking and other screening performed, ADSP policies enforced,
etc.

  Mark
Received on Thu Mar 10 2011 - 00:10:47 PST