Re: Ordering of On- configuration Options

From: Alan Chandler <alan_at_chandlerfamily.org.uk>
Date: Thu, 13 Mar 2014 15:38:52 +0000

On 13/03/14 15:19, Murray S. Kucherawy wrote:
> On Thu, 13 Mar 2014, Alan Chandler wrote:
>> I am trying to set up dkim-filter to reject mails from people who
>> have invalidly signed it, but accept mails for domains that do not
>> sign their mail (and unfortunately, since I can't add the public key
>> to my DNS, I can't sign my own outgoing mails)
>
> dkim-filter has been deprecated and unsupported for a few years now.
> If you actually meant dkim-filter, you should switch to opendkim.

Ah - I am running Debian Stable, and hadn't appreciated. I can install
opendkim and work with that. I need to do a bit of reading first on how to
set that up.


>
>> I am getting a situation where I seem to be rejecting mails with no
>> signature data. These tend to be from mailing lists, and I am
>> getting unsubscribed from the list because of the bounces.
>>
>> My config file has
>>
>> On-Default accept
>> On-NoSignature accept
>> On-DNSError tempfail
>> On-BadSignature reject
>> On-InternalError tempfail
>> On-Security tempfail
>>
>> But I can find no explanation of ordering and if a Bad-Signature
>> reject trumps the On-NoSignature accept.
>
> The order doesn't matter.
>
>> Is it possible that mail to the mailing list had a DKIM signature
>> added which, because of the extra data added by the mailing list,
>> causes the signature to be deemed false?
>
> If the list added a signature, it's more likely added after the
> message is fully generated. On the other hand, the list quite
> possibly invalidated the author signature, if any.
>
>> I am a nearly complete newbie on this, so any pointers as to what
>> best to do would be appreciated. For the time being I have had to
>> drop the filtering on signatures.
>
> On-NoSignature has always had "accept" as a default, so you shouldn't
> have to set it. If it's rejecting based on that, something is broken.
Since not much was being logged (see below) I was postulating that if
there was no signature, then both NoSignature and BadSignature events
were being detected, and the ordering mattered.
As you say it doesn't, so my postulate was wrong.

>
> What's being logged when this happens?
Mar 12 13:01:56 piserver milter-greylist: (unknown id): skipping
greylist because this is the default action,
(from=<dovecot-bounces_at_dovecot.org>, rcpt=<alan_at_chandlerfamily.org.uk>,
addr=wursti.dovecot.fi[87.106.245.223]) ACL 39
Mar 12 13:01:56 piserver postfix/smtpd[19372]: E39DA200C5:
client=wursti.dovecot.fi[87.106.245.223]
Mar 12 13:01:57 piserver postfix/cleanup[19393]: E39DA200C5:
milter-reject: END-OF-MESSAGE from wursti.dovecot.fi[87.106.245.223]:
5.7.0 bad DKIM signature data; from=<dovecot-bounces_at_dovecot.org>
to=<alan_at_chandlerfamily.org.uk> proto=ESMTP helo=<wursti.dovecot.fi>
Mar 12 13:01:57 piserver postfix/smtpd[19372]: disconnect from
wursti.dovecot.fi[87.106.245.223]

Here is an example - (although I am getting plenty of good e-mails from
this source)

I expect a submitter to the list is signing his e-mails - when it comes
back from the list it's been mangled.


-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Received on Thu Mar 13 2014 - 15:39:08 PST
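An added example, not part of this thread or of dkim-filter/opendkim, showing how to pull the "bad DKIM signature data" milter rejections out of a Postfix mail log like the one quoted above and group them by envelope-sender domain, so you can see which lists are being bounced before loosening the On-BadSignature policy. The sample log lines are constructed from the quoted entries (with @ restored where the archive shows _at_); the extra hosts, queue ids and the "-bounces" mailing-list heuristic are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the postfix/cleanup lines quoted in the message;
# the example.invalid hosts and their queue ids are made up for illustration.
SAMPLE_LOG = """\
Mar 12 13:01:56 piserver postfix/smtpd[19372]: E39DA200C5: client=wursti.dovecot.fi[87.106.245.223]
Mar 12 13:01:57 piserver postfix/cleanup[19393]: E39DA200C5: milter-reject: END-OF-MESSAGE from wursti.dovecot.fi[87.106.245.223]: 5.7.0 bad DKIM signature data; from=<dovecot-bounces@dovecot.org> to=<alan@chandlerfamily.org.uk> proto=ESMTP helo=<wursti.dovecot.fi>
Mar 12 13:05:11 piserver postfix/cleanup[19393]: A1B2C3D4E5: milter-reject: END-OF-MESSAGE from mail.example.invalid[192.0.2.10]: 5.7.0 bad DKIM signature data; from=<list-bounces@example.invalid> to=<alan@chandlerfamily.org.uk> proto=ESMTP helo=<mail.example.invalid>
Mar 12 13:09:42 piserver postfix/cleanup[19393]: B2C3D4E5F6: milter-reject: END-OF-MESSAGE from mail.example.invalid[192.0.2.10]: 5.7.0 bad DKIM signature data; from=<list-bounces@example.invalid> to=<alan@chandlerfamily.org.uk> proto=ESMTP helo=<mail.example.invalid>
Mar 12 13:10:00 piserver postfix/cleanup[19393]: C3D4E5F607: milter-reject: END-OF-MESSAGE from spam.example.invalid[192.0.2.20]: 5.7.1 Command rejected; from=<x@spam.example.invalid> to=<alan@chandlerfamily.org.uk> proto=ESMTP helo=<spam.example.invalid>
"""

# Matches a Postfix "milter-reject: END-OF-MESSAGE" entry and captures the parts
# an admin needs: queue id, connecting host/IP, SMTP status, reason, envelope from/to.
REJECT_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>\w+): milter-reject: END-OF-MESSAGE "
    r"from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d\.\d\.\d) (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_dkim_rejects(log_text):
    """Return one dict per milter rejection whose reason mentions DKIM."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or "DKIM" not in m.group("reason"):
            continue  # not a milter reject, or rejected for some other reason
        rec = m.groupdict()
        rec["sender_domain"] = rec["sender"].rpartition("@")[2].lower()
        rejects.append(rec)
    return rejects


def looks_like_list_bounce(sender):
    """Heuristic (assumption): Mailman-style envelope senders use LIST-bounces@DOMAIN."""
    local = sender.partition("@")[0].lower()
    return local.endswith("-bounces") or local.endswith("-request")


def summarize(log_text):
    """Per sender domain: rejection count, hosts seen, and whether it looks like a list."""
    summary = {}
    for r in parse_dkim_rejects(log_text):
        s = summary.setdefault(r["sender_domain"], {"count": 0, "clients": set(), "list_like": False})
        s["count"] += 1
        s["clients"].add(r["client"])
        s["list_like"] = s["list_like"] or looks_like_list_bounce(r["sender"])
    return summary


if __name__ == "__main__":
    for domain, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{domain}: {s['count']} bad-DKIM reject(s) from {sorted(s['clients'])}, list-like={s['list_like']}")
```

Run it against /var/log/mail.log instead of SAMPLE_LOG to see which sending domains are actually hitting On-BadSignature; domains flagged list-like are the usual signature-mangling suspects.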

This archive was generated by hypermail 2.3.0 : Thu Mar 13 2014 - 15:45:02 PST