Re: Having opendkim reject unsigned email from domains with adsp dkim=all

From: Benoit Panizzon <panizzon_at_woody.ch>
Date: Fri, 2 Nov 2012 16:41:06 +0100

Hi Murray

> > Authentication-Results: magma.woody.ch; dkim=none (no signature);
> >
> > dkim-adsp=fail (insecure policy)
>
> This means the arriving message determined there was no DKIM-Signature
> field on the message. It's also possible something in your configuration
> instructed the library to ignore certain signatures, but I can't say for
> sure without seeing your entire configuration.

OK, I'll try to describe the problem more specifically.

I wanted to set up DKIM on woody.ch to prevent unauthorized faking of this
domain by spambots.

I have published my public key and dspk in my DNS:

mail._domainkey.woody.ch descriptive text "v=DKIM1\; g=*\; k=rsa\;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoPEw05hVDRt7ogyCMkrdfIJqA2Byrf/i+c9oGhNRS1YTGohtUjaZibbcg44Tw9Sbx9OxmR+jauhGprUKTF9vXFRe4hBvFdXE1PNw/L5x8Sb9UJ8SCdKLn3tyBEKqaqEIbYy7UFeZuE6MwLn1crGyOie0xiOgyzoWMP4/9WW7/5QIDAQAB"

_adsp._domainkey.woody.ch descriptive text "dkim=all\;"

So email I send via my server (authenticated) gets signed. Like this very
email. I hope others can verify this signature and accept those emails. (Well,
I assume my email gets through to the list, because the verification is
successful.)

Authentication-Results: mx.elandsys.com; dkim=pass
        reason="1024-bit key; insecure key" header.i=_at_woody.ch
        header.b=K3SNWRuy; dkim-adsp=pass

Now some spammer (I send email from another host using panizzon_at_woody.ch and
not signing this email to panizzon_at_woody.ch).

Now I would expect my MX (and all the others), which runs sendmail and the
opendkim milter, to reject this email, because my ADSP record tells everyone
out there that I sign all emails.

But this is not what happens. The email is happily accepted and just a header
added, that the dkim-adsp failed.

Authentication-Results: magma.woody.ch; dkim=none (no signature);
        dkim-adsp=fail (insecure policy)

What do I have to do to have those emails without a signature, which should be
signed, rejected?

-Benoît-
-- 
SPAM SPAM SPAM SPAM / Hormel's new miracle meat in a can
Tastes fine, saves time. / If you want something grand, / Ask for SPAM!
  - Hormel's 1937 jingle for SPAM
Hippopotomonstrosesquippedaliophobia sh: http://en.wikipedia.org/wiki/-phobia
Received on Fri Nov 02 2012 - 15:41:27 PST
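
Added example, not part of the original post and not opendkim code: a small Python sketch that reads the ADSP record and the two Authentication-Results headers quoted in the message and maps the verifier's `dkim-adsp` result to a local action. The action names (`accept`, `flag`, `discard`) and the `mx.example.net` header are assumptions made for illustration; the result values follow RFC 5617.

```python
import re

# Headers quoted in the post above, plus one constructed "discard" case.
FAIL_HDR = ("magma.woody.ch; dkim=none (no signature);\n"
            "        dkim-adsp=fail (insecure policy)")
PASS_HDR = ('mx.elandsys.com; dkim=pass\n'
            '        reason="1024-bit key; insecure key" header.i=_at_woody.ch\n'
            '        header.b=K3SNWRuy; dkim-adsp=pass')
DISCARD_HDR = "mx.example.net; dkim=none; dkim-adsp=discard"  # constructed

def parse_adsp_record(txt):
    """Return the practice published in an ADSP TXT record (RFC 5617)."""
    # Zone-file listings escape semicolons as '\;', as in the post.
    for part in txt.replace("\\;", ";").split(";"):
        name, _, value = part.partition("=")
        if name.strip().lower() == "dkim":
            value = value.strip().lower()
            if value in ("all", "discardable"):
                return value
    return "unknown"  # missing or unrecognised value is treated as "unknown"

def parse_authres(header):
    """Map each method in an Authentication-Results value to its result."""
    # Remove comments "(...)" and quoted strings first: both may contain ';'.
    cleaned = re.sub(r'\([^)]*\)|"[^"]*"', "", header)
    results = {}
    for clause in cleaned.split(";")[1:]:   # element 0 is the authserv-id
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

# Assumed local policy: the action names are this example's own labels.
# RFC 5617 reports "fail" for dkim=all and "discard" for dkim=discardable;
# only the latter carries the sender's request to throw the message away.
ACTIONS = {"fail": "flag", "nxdomain": "flag", "discard": "discard"}

def adsp_disposition(header):
    """Turn the verifier's dkim-adsp result into a local action."""
    return ACTIONS.get(parse_authres(header).get("dkim-adsp"), "accept")

if __name__ == "__main__":
    print(parse_adsp_record("dkim=all\\;"))        # practice woody.ch publishes
    for hdr in (FAIL_HDR, PASS_HDR, DISCARD_HDR):
        print(parse_authres(hdr), "->", adsp_disposition(hdr))
```
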
