Re: Having opendkim reject unsigned email from domains with adsp dkim=all

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 2 Nov 2012 08:23:45 -0700 (PDT)

On Fri, 2 Nov 2012, Benoit Panizzon wrote:
> Probably I have configured something wrongly...
>
> mail._domainkey.woody.ch descriptive text "v=DKIM1\; g=*\; k=rsa\;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoPEw05hVDRt7ogyCMkrdfIJqA2Byrf/i+c9oGhNRS1YTGohtUjaZibbcg44Tw9Sbx9OxmR+jauhGprUKTF9vXFRe4hBvFdXE1PNw/L5x8Sb9UJ8SCdKLn3tyBEKqaqEIbYy7UFeZuE6MwLn1crGyOie0xiOgyzoWMP4/9WW7/5QIDAQAB"
>
> _adsp._domainkey.woody.ch descriptive text "dkim=all\;"
>
> Now I would like to have other DKIM users (or my server) reject all emails
> with 'fake' sender _at_woody.ch which are not signed. I assumed this was the
> default behavior.

By "sender", do you mean the From: field or something else?

> ADSPDiscard yes
> LogWhy yes
> On-BadSignature r
> On-KeyNotFound r
> #On-NoSignature r
>
> With above settings, those emails don't get rejected, I just get a header
> added:
>
> Authentication-Results: magma.woody.ch; dkim=none (no signature);
> dkim-adsp=fail (insecure policy)

This means the arriving message determined there was no DKIM-Signature
field on the message. It's also possible something in your configuration
instructed the library to ignore certain signatures, but I can't say for
sure without seeing your entire configuration.

> If I enable On-NoSignature then all unsigned email, even those who don't
> use dkim at all, get rejected by the milter, not what I want either :-)

> So what am I doing wrong?

I think there are two things going on:

1) Mail from your own users to your own users (on the same machine) may
not be processed through the verification code. The filter typically
decides either to sign a message or verify a message; doing both is
unusual. That is, it decides to sign the message, so all of the
verify-side protections you've set up aren't executed. Mail coming from
outside would, however, be thus filtered.

2) Mail is arriving unsigned for other domains (which don't have ADSP
policies), and those are getting delivered normally.

-MSK
Received on Fri Nov 02 2012 - 15:24:01 PST
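The ADSP evaluation behind the Authentication-Results line quoted above, as an added example (not code from the thread or from OpenDKIM): it parses that header and the `_adsp._domainkey` record, derives the RFC 5617 result, and maps the On-NoSignature and ADSPDiscard settings onto an action. The DNS lookup is replaced by a constructed table, and the semantics assumed in `milter_action` (On-NoSignature fires for any unsigned message; ADSPDiscard only acts on a failing domain whose practice is `discardable`) are my reading of the OpenDKIM configuration documentation, not something the thread states.

```python
import re

# Constructed sample inputs, shaped like the values quoted in the thread.
AUTH_RESULTS = ("magma.woody.ch; dkim=none (no signature); "
                "dkim-adsp=fail (insecure policy)")
ADSP_RECORDS = {                            # stand-in for the _adsp._domainkey lookup
    "woody.ch": "dkim=all\\;",              # the record shown in the thread
    "strict.example": "dkim=discardable;",  # constructed, for contrast
}

def parse_auth_results(header):
    """Map method -> result from an Authentication-Results header value."""
    results = {}
    for clause in header.split(";")[1:]:      # clause 0 is the authserv-id
        m = re.match(r"\s*([\w-]+)=(\w+)", clause)
        if m:
            results[m.group(1)] = m.group(2)
    return results

def adsp_practice(domain, records=ADSP_RECORDS):
    """Return 'unknown', 'all' or 'discardable', or None if no record exists."""
    txt = records.get(domain)
    if txt is None:
        return None
    tags = dict(t.strip().split("=", 1)
                for t in txt.replace("\\;", ";").split(";") if "=" in t)
    return tags.get("dkim", "unknown")

def adsp_result(domain, dkim_result, records=ADSP_RECORDS):
    """RFC 5617 outcome, assuming a dkim=pass came from the author domain."""
    if dkim_result == "pass":
        return "pass"
    practice = adsp_practice(domain, records)
    if practice is None:
        return "none"
    return "fail" if practice in ("all", "discardable") else "unknown"

def milter_action(domain, dkim_result, on_no_signature, adsp_discard,
                  records=ADSP_RECORDS):
    """Action under the two settings from the thread (assumed semantics:
    On-NoSignature fires for any unsigned message; ADSPDiscard only for a
    failing domain whose practice is 'discardable')."""
    if dkim_result == "none" and on_no_signature == "r":
        return "reject"
    if (adsp_discard and adsp_result(domain, dkim_result, records) == "fail"
            and adsp_practice(domain, records) == "discardable"):
        return "discard"
    return "accept"
```

Under these assumptions an unsigned message from `woody.ch` (practice `all`) yields `dkim-adsp=fail` but is still accepted with ADSPDiscard alone, while enabling `On-NoSignature r` rejects every unsigned message regardless of domain.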