OpenDKIM On-(error) configs for production systems?
I've been happily using OpenDKIM (and SPF, and OpenDMARC) for a bit -- both for outbound signing and inbound verification/authentication.
Outbound works perfectly. At least according to all the tests I've run so far.
Inbound mostly works, except in the case of a few mailing list messages that keep getting sucked into Quarantine.
That's a 'few'. A VERY few. Not all by any stretch. Most work just fine.
My problem at the moment is that the ones that are failing signature verification and getting quarantined are from 'big' vendors, IBM Marketing, FeedBlitz, etc.
I'm well aware of the issues, discussed for ages, of DKIM signing "vs" mailing list software. And I don't believe for one second that necessarily "big vendor" == done correctly.
That said, I'm starting with a review of my config -- and a thorough re-read of the docs.
Which brings me to my specific question:
If my goal is to NOT quarantine broken mailing lists' mail, but still not hobble my opendkim verification of inbound, what's a recommended production error policy for inbound DKIM verification?
Right now, mine happens to be
#On-Default
On-BadSignature accept
On-DNSError tempfail
On-InternalError tempfail
On-KeyNotFound accept
On-NoSignature accept
On-Security tempfail
On-SignatureError reject
I've re-read the docs over and over, and still can't understand what a recommended config is.
One thing that matters is, as much as possible, I do NOT want to accommodate lazy/broken senders' (mis)configs. I understand that -- even though it's 2016 -- I may still have to. But that's where production recommendations will help.
Jason
Received on Tue Jun 21 2016 - 18:07:42 PST
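The post asks what an On-* policy does with list-mangled mail. The block below is an added example, not code from the original post or from the OpenDKIM project: a Python model, standard library only, of the two list edits that break a signature (a Subject tag, which changes the signed-header input, and an appended footer, which changes the RFC 6376 body hash bh=), followed by a lookup of the action the posted On-* fragment assigns to the resulting BadSignature outcome. The message, list footer and h= list are constructed samples; the config text is the one from the post; MANPAGE_DEFAULTS is my reading of opendkim.conf(5) and should be checked against the installed man page. Note that with On-BadSignature accept, OpenDKIM accepts the message and records the failure in Authentication-Results, so a quarantine of such messages is decided by whatever consumes that result, for instance OpenDMARC enforcing the sender's p=quarantine.

```python
"""Added example (not OpenDKIM code): RFC 6376 body/header canonicalisation,
the bh= body hash, and a lookup of the On-* action for the verifier outcome.
Message, footer and h= list are constructed; the config is the posted one."""
import base64
import hashlib
import re


def canon_body_simple(body):
    # RFC 6376 3.4.3: drop all trailing empty lines, end with exactly one CRLF;
    # an empty body canonicalises to a lone CRLF.
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return re.sub(r"(\r\n)+\Z", "", body) + "\r\n"


def canon_body_relaxed(body):
    # RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP runs to one SP,
    # drop trailing empty lines; an empty body stays empty (0 octets).
    lines = [re.sub(r"[ \t]+", " ", re.sub(r"[ \t]+$", "", ln))
             for ln in body.replace("\r\n", "\n").split("\n")]
    text = re.sub(r"(\r\n)+\Z", "", "\r\n".join(lines))
    return text + "\r\n" if text else ""


def body_hash(body, canon="relaxed", length=None):
    """bh= value: base64(SHA-256) of the canonical body, cut to l= if given."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    data = canon_fn(body).encode()
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def canon_header_relaxed(name, value):
    # RFC 6376 3.4.2: lower-case name, unfold, collapse WSP, no WSP around ':'.
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


H_TAGS = ("from", "to", "subject", "date")  # constructed h= list (one copy each)


def signed_header_digest(headers, h_tags=H_TAGS):
    """Hex SHA-256 over the h= headers in order (relaxed). The real b= is an RSA
    signature over this plus the DKIM-Signature field itself; comparing the
    digest is enough to show when b= would no longer verify."""
    data = "".join(canon_header_relaxed(n, headers[n]) for n in h_tags).encode()
    return hashlib.sha256(data).hexdigest()


# Defaults as I read opendkim.conf(5) (assumption: check your installed man page);
# used only when a key is absent from the config and On-Default is unset.
MANPAGE_DEFAULTS = {"BadSignature": "accept", "DNSError": "tempfail",
                    "InternalError": "tempfail", "KeyNotFound": "accept",
                    "NoSignature": "accept", "Security": "tempfail",
                    "SignatureError": "accept"}


def parse_on_policy(config_text):
    """Collect 'On-<Outcome> <action>' lines from an opendkim.conf fragment."""
    policy = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*On-(\w+)\s+(\S+)", line)
        if m:  # a commented-out line such as '#On-Default' does not match
            policy[m.group(1)] = m.group(2).lower()
    return policy


def action_for(config_text, outcome):
    policy = parse_on_policy(config_text)
    return policy.get(outcome, policy.get("Default", MANPAGE_DEFAULTS[outcome]))


def verify_outcome(signed, delivered, config_text, canon="relaxed", length=None):
    """Outcome a verifier reaches for the delivered copy of a signed message, and
    the action the On-* policy maps it to. A passing signature is not subject to
    On-* at all; 'accept' is used here for that case."""
    if body_hash(signed["body"], canon, length) != body_hash(delivered["body"], canon, length):
        return "BadSignature", action_for(config_text, "BadSignature")
    if signed_header_digest(signed["headers"]) != signed_header_digest(delivered["headers"]):
        return "BadSignature", action_for(config_text, "BadSignature")
    return "pass", "accept"


# Constructed sample message and a typical list footer.
ORIGINAL = {
    "headers": {"from": "Jane <jane@example.com>", "to": "users@lists.example.org",
                "subject": "June numbers", "date": "Tue, 21 Jun 2016 18:07:42 -0700"},
    "body": "Hi all,\r\n\r\nThe June  numbers are in.\r\n\r\n",
}
FOOTER = "_______________________________________________\r\nusers mailing list\r\n"


def list_rewrite(msg, tag="[users] ", footer=FOOTER):
    """What a typical list does to a post: tag the Subject and append a footer."""
    return {"headers": {**msg["headers"], "subject": tag + msg["headers"]["subject"]},
            "body": msg["body"] + footer}


SAMPLE_CONFIG = """\
#On-Default
On-BadSignature accept
On-DNSError tempfail
On-InternalError tempfail
On-KeyNotFound accept
On-NoSignature accept
On-Security tempfail
On-SignatureError reject
"""

if __name__ == "__main__":
    relayed = list_rewrite(ORIGINAL)
    print("bh direct  :", body_hash(ORIGINAL["body"]))
    print("bh via list:", body_hash(relayed["body"]))
    print("outcome/action:", verify_outcome(ORIGINAL, relayed, SAMPLE_CONFIG))
```

Running it shows that a Subject tag alone already fails the header check even though bh= is untouched, and that the footer changes bh= under both canonicalisations. Passing length=len(canon_body_relaxed(ORIGINAL["body"]).encode()) to body_hash makes the footer invisible to the body-hash check, which is exactly the l= tag's known weakness: anything past the covered length is unverified.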