Il giorno 26/ago/2011, alle ore 00:37, Murray S. Kucherawy ha scritto:
> On Fri, 26 Aug 2011, Giovanni Bajo wrote:
>> For the double signing, we simply configured dkim with "SenderHeaders Sender,From", giving precedence to Sender when available (so that it picks up the mailing-list in the bounces). I've seen the Resign* options in opendkim.conf but I'm not sure how they are an improvement over our current setup. Can somebody clarify this maybe?
>
> On inspection your doubly-signed message looks fine to me.
>
> The "resign" feature is an attempt at CPU optimization. When an application knows it will verify a message's existing signature(s) and then re-sign the message (such as an MLM might do), it can create a signing handle that's bound to the verifying handle. It then runs the verification pass and then re-uses the body hash computed there when signing rather than computing a new one since the body is (presumably) unchanged between the two operations. The feature is currently an FFR ("For Future Release") because I don't know if anyone's actually using it or if it's a helpful optimization, so it's off-by-default. If I hear it's in some use and appears to be working, I'd consider enabling it in some future release.
OK thank you for the clarification. So it looks like our setup of using SenderHeaders is the correct current way of achieving mailing-list support. Any reason why "Sender,From" isn't the default for that option? It looks like it would make the right thing for most mailing list managers and simplify supporting them with opendkim, but I might be overlooking some other implications.
--
Giovanni Bajo :: rasky_at_develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
Received on Fri Aug 26 2011 - 19:14:13 PST