Re: Ordering of On- configuration Options

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Thu, 13 Mar 2014 08:19:54 -0700 (PDT)

On Thu, 13 Mar 2014, Alan Chandler wrote:
> I am trying to set up dkim-filter to reject mails from people who have
> invalidly signed it, but accept mails for domains that do not sign their
> mail (and unfortunately, since I can't add the public key to my dns, I
> can't sign my own outgoing mails)

dkim-filter has been deprecated and unsupported for a few years now. If
you actually meant dkim-filter, you should switch to opendkim.

> I am getting a situation where I seem to be rejecting mails with no
> signature data. These tend to be from mailing lists, and I am getting
> unsubscribed from the list because of the bounces.
>
> My config file has
>
> On-Default accept
> On-NoSignature accept
> On-DNSError tempfail
> On-BadSignature reject
> On-InternalError tempfail
> On-Security tempfail
>
> But I can find no explanation of ordering and if a Bad-Signature reject
> trumps the On-NoSignature accept.

The order doesn't matter.

> It is possible that mail to the mailing list had a dkim signature added,
> which because of the extra data added by the mailing list causes the
> signature to be deemed false?

If the list added a signature, it's more likely added after the message is
fully generated. On the other hand, the list quite possibly invalidated
the author signature, if any.

> I am a nearly complete newbie on this, so any pointers as to what best to do
> would be appreciated. For the time being I have had to drop the filtering on
> signatures.

On-NoSignature has always had "accept" as a default, so you shouldn't have
to set it. If it's rejecting based on that, something is broken.

What's being logged when this happens?

-MSK
Received on Thu Mar 13 2014 - 15:20:17 PST
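
The reply above notes that a mailing list can invalidate the author's signature. The following is an added example, not part of the original thread and not opendkim code: it computes the DKIM body hash (bh=) under the RFC 6376 "simple" and "relaxed" body canonicalizations before and after a list footer is appended. The function names, sample bodies and footer are constructed for illustration.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, relaxed: bool) -> bytes:
    """Canonicalize a message body per RFC 6376 sections 3.4.3 and 3.4.4."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if relaxed:
        # relaxed: collapse runs of space/tab to one space, drop trailing space
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Both algorithms ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # Empty body: simple hashes a single CRLF, relaxed hashes nothing.
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, relaxed: bool = True) -> str:
    """Base64 SHA-256 of the canonical body, as carried in the bh= tag."""
    digest = hashlib.sha256(canon_body(body, relaxed)).digest()
    return base64.b64encode(digest).decode()


def survives_relay(signed: bytes, received: bytes, relaxed: bool = True) -> bool:
    """True if the author's bh= still matches the body the recipient sees."""
    return body_hash(signed, relaxed) == body_hash(received, relaxed)


# Constructed sample data: what the author signed, and two relayed variants.
AUTHOR_BODY = b"Hello list,\r\n\r\nDoes the order of On-* settings matter?\r\n"
LIST_FOOTER = b"-- \r\nTo unsubscribe, mail list-request@lists.example\r\n"
WITH_FOOTER = AUTHOR_BODY + LIST_FOOTER
REWRAPPED = b"Hello list, \r\n\r\nDoes the  order of On-* settings matter?\r\n\r\n"

if __name__ == "__main__":
    for label, received in (("footer added", WITH_FOOTER),
                            ("whitespace only", REWRAPPED)):
        for relaxed in (False, True):
            mode = "relaxed" if relaxed else "simple"
            ok = survives_relay(AUTHOR_BODY, received, relaxed)
            print(f"{label:16} {mode:8} bh match: {ok}")
```

A body-hash mismatch makes the author signature fail verification, which is the case the On-BadSignature setting applies to; a message with no DKIM-Signature header at all falls under On-NoSignature instead.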
