Re: Signing problems with OpenDKIM on Ubuntu

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Wed, 24 Apr 2013 11:03:02 -0700 (PDT)

On Wed, 24 Apr 2013, Scott Kitterman wrote:
>> Yes indeed. This is fixed for 2.8.3, which I'll push out later this
>> week (it was in the hopper already for some lesser things). I
>> currently have the default action set to temp-fail when this happens;
>> should it be "accept" (pass the message anyway)? Something is logged
>> in either case.
>
> Since many verifiers won't accept keys << 1024 bits, I think it would be
> a mistake to allow signing messages by default. It ought to fail hard
> and permanently with (maybe) an option to disable the check.
>
> Why temp-fail? There's nothing temporary about it.

It would be easy to replace a faulty key without loss of mail, only delay.
The messages would then be signed and sent on the next queue run.

By "accept", I mean it would send the message unsigned, and still log
something about why it went out unsigned. This is for the signing case
only.

There is already an option to disable the check by setting MinimumKeyBits
to some value equal to or less than the key size you're trying to use.
However, it also affects the key size limit for verification.

-MSK
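As an added illustration of the check being discussed (this is example code written for this page, not OpenDKIM's own implementation), the script below measures the RSA modulus size advertised by a DKIM key record and applies a MinimumKeyBits-style floor to it on both sides: the verifier side, where the record comes from DNS, and the signer side, where the choice is between temp-failing the message and sending it unsigned. The DKIM records are constructed inline with placeholder moduli of a chosen bit length (not real keys), and the function and parameter names (dkim_record_key_bits, verifier_accepts_key, signer_action, on_small_key) are this example's own; the only assumption taken from the message is that a key passes when its size is greater than or equal to the configured minimum.

```python
import base64

# Added example, not OpenDKIM code: measure the RSA modulus size a DKIM key
# record advertises and apply a MinimumKeyBits-style floor to it.

def _der_len(n):
    """DER length encoding, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_uint(value):
    """DER INTEGER for a non-negative int; a leading 0x00 keeps the sign bit clear."""
    b = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return _der(0x02, b)

def constructed_dkim_record(modulus_bits):
    """Build a v=DKIM1 TXT record whose p= carries a SubjectPublicKeyInfo with an
    RSA modulus of exactly modulus_bits bits.  The modulus is a constructed
    placeholder (top and bottom bits set), not a real key: fine for a size
    check, useless for signing."""
    n = (1 << (modulus_bits - 1)) | 1
    rsa_public_key = _der(0x30, _der_uint(n) + _der_uint(65537))
    rsa_oid = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
    alg_id = _der(0x30, _der(0x06, rsa_oid) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_public_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _alg_id, pos = _read_tlv(spki, 0)          # AlgorithmIdentifier, skipped
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pk, _ = _read_tlv(bit_string[1:], 0)    # drop the unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_pk, 0)         # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def dkim_record_key_bits(record):
    """Key size in a DKIM TXT record; 0 for an empty p= (a revoked key)."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # RFC 6376 allows FWS inside p=
    p = tags.get("p", "")
    if p == "":
        return 0
    return rsa_modulus_bits(base64.b64decode(p))

def verifier_accepts_key(record, minimum_key_bits=1024):
    """Verifier side: the record's key must meet the floor."""
    return dkim_record_key_bits(record) >= minimum_key_bits

def signer_action(key_bits, minimum_key_bits=1024, on_small_key="tempfail"):
    """Signer side: 'sign' when the key meets the floor, otherwise the configured
    fallback, 'tempfail' (retry on the next queue run) or 'accept' (send unsigned)."""
    if key_bits >= minimum_key_bits:
        return "sign"
    return on_small_key

if __name__ == "__main__":
    for bits in (512, 1024):
        rec = constructed_dkim_record(bits)
        print(bits, dkim_record_key_bits(rec), verifier_accepts_key(rec), signer_action(bits))
```

The same floor value gates both functions, which is the coupling the message points out: lowering it so a small signing key is tolerated also makes the verifier accept small keys from other domains.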
Received on Wed Apr 24 2013 - 18:03:19 PST

This archive was generated by hypermail 2.3.0 : Wed Apr 24 2013 - 18:09:02 PST