Leonardo,
> OK, i upgraded amavisd from 2.5.4 to 2.6.0, installed Mail::DKIM and
> enabled dkim verification ... signing is next step.
>
> I can see, in my logs, entries like:
>
> May 20 18:35:14 correio amavis[14826]: (14826-06) dkim: VALID MailFrom+Sender+Author signature by [EMAIL PROTECTED], From: <[EMAIL PROTECTED]>, a=rsa-sha1, c=nofws, s=s1024, d=yahoo.com.br
>
> May 20 18:37:53 correio amavis[14826]: (14826-08) dkim: FAILED MailFrom+Sender+Author signature by [EMAIL PROTECTED], From: <[EMAIL PROTECTED]>, a=rsa-sha1, c=nofws, s=s1024, d=yahoo.com.br, fail (message has been altered)
>
> This second one, which got dkim FAILED really came from yahoo.com
> servers, as i checked on my logs.
Perhaps the second one came through some mailing list or through
a front-end MX which modified it (sendmail?). I see messages coming
from yahoo.com and its country variants do have valid signatures
if they come directly to our mailer. Messages from yahoo-inc.com
and reply.yahoo.com do exhibit problems though. A detailed look at
the raw message with its header might reveal what a problem was.
> Anyway, even this dkim FAILED is getting the 'Passed CLEAN' status
> and being delivered.
> i checked 50_scores.cf and seems no rule at all punishes failed dkim
> verifications.
> maybe i got it wrong ... but what's all DKIM about if nothing
> punishes a failed dkim verification ?? Please help me understand that :)
Yes, this is normal. Default SpamAssassin rules do not punish or
put to an advantage messages with a valid (or broken) signature.
For domains which gained some reputation for always signing their
messages, and are known not to spew spam, one can add specific rules,
punishing mail claiming to be from such domains but failing validation.
Good examples of such domains are paypal.com and ebay.com with its
national subsidiaries. Also some financial institutions and companies
are good candidates, such as alert.bankofamerica.com, amazon.com,
cisco.com, ...
Here are some of the rules I'm using for yahoo, gmail, paypal
and ebay (also found in my sandbox directory in SpamAssassin's
SVN directory spamassassin-trunk/rulesrc/sandbox/mmartinec/ ):
#25_dkim.cf
#----------
# SpamAssassin rules file: DKIM
if version >= 3.002004
ifplugin Mail::SpamAssassin::Plugin::DKIM
# alias to a misnomer DKIM_VERIFIED
full DKIM_VALID eval:check_dkim_valid()
tflags DKIM_VALID net nice
describe DKIM_VALID Has a valid DKIM or DK signature
full DKIM_VALID_AU eval:check_dkim_valid_author_sig()
tflags DKIM_VALID_AU net nice
describe DKIM_VALID_AU Has a valid first-party DKIM or DK signature (i.e. author signature)
#score DKIM_VALID -0.1
#score DKIM_VALID_AU -0.05
#score DKIM_SIGNED 0.01
#score DKIM_VERIFIED 0
#score DKIM_POLICY_SIGNALL 0
#score DKIM_POLICY_SIGNSOME 0
#score DKIM_POLICY_TESTING 0
endif
endif
#25_yg.cf
#--------
# SpamAssassin rules file: Gmail, Yahoo! and similar providers
if version >= 3.002004
ifplugin Mail::SpamAssassin::Plugin::DKIM
header __ML1 Precedence =~ m{\b(list|bulk)\b}i
header __ML2 exists:List-Id
header __ML3 exists:List-Post
header __ML4 exists:Mailing-List
header __ML5 Return-Path:addr =~ m{^([EMAIL PROTECTED](request|bounces|admin|owner)|[EMAIL PROTECTED])(\@|\z)}mi
meta __VIA_ML __ML1 || __ML2 || __ML3 || __ML4 || __ML5
describe __VIA_ML Mail from a mailing list
header __AUTH_YAHOO1 From:addr =~ [EMAIL PROTECTED]
header __AUTH_YAHOO2 From:addr =~ [EMAIL PROTECTED](ar|br|cn|hk|my|sg)$}mi
header __AUTH_YAHOO3 From:addr =~ [EMAIL PROTECTED](id|in|jp|nz|uk)$}mi
header __AUTH_YAHOO4 From:addr =~ [EMAIL PROTECTED](ca|de|dk|es|fr|gr|ie|it|pl|se)$}mi
meta __AUTH_YAHOO __AUTH_YAHOO1 || __AUTH_YAHOO2 || __AUTH_YAHOO3 || __AUTH_YAHOO4
describe __AUTH_YAHOO Author claims to be from Yahoo
header __AUTH_GMAIL From:addr =~ [EMAIL PROTECTED]
describe __AUTH_GMAIL Author claims to be from gmail.com
header __AUTH_PAYPAL From:addr =~ /[EMAIL PROTECTED]/mi
describe __AUTH_PAYPAL Author claims to be from paypal.com
header __AUTH_EBAY From:addr =~ /[EMAIL PROTECTED](com|at|be|ca|ch|de|ee|es|fr|hu|ie|in|it|nl|ph|pl|pt|se|co\.(kr|uk)|com\.(au|cn|hk|mx|my|sg))$/mi
describe __AUTH_EBAY Author claims to be from eBay
meta NOTVALID_YAHOO !DKIM_VALID && __AUTH_YAHOO && !__VIA_ML
priority NOTVALID_YAHOO 500
describe NOTVALID_YAHOO Claims to be from Yahoo but is not
meta NOTVALID_GMAIL !DKIM_VALID && __AUTH_GMAIL && !__VIA_ML
priority NOTVALID_GMAIL 500
describe NOTVALID_GMAIL Claims to be from gmail.com but is not
meta NOTVALID_PAY !DKIM_VALID && (__AUTH_PAYPAL || __AUTH_EBAY)
priority NOTVALID_PAY 500
describe NOTVALID_PAY Claims to be from PayPal or eBay, but is not
#score NOTVALID_YAHOO 2.8
#score NOTVALID_GMAIL 2.8
#score NOTVALID_PAY 6
endif
endif
More could be automated when domains start publishing a strict
author signing policy (the document is still a draft). Until then
rules like above could be used, but also the @signer_reputation_maps
mechanism of amavisd-new 2.6.0, and emerging public or commercial
reputation services are of use.
Mark
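Added example (not Mark's rules, nor SpamAssassin or amavisd code): a small Python model of the NOTVALID_* meta logic from 25_yg.cf, plus a counter for the "dkim: FAILED" log lines quoted above, so the difference between the mailing-list-exempted Yahoo/Gmail rules and the unexempted PayPal/eBay rule can be checked on sample headers. The country-code lists are copied from the rules; the address parts hidden behind [EMAIL PROTECTED] (the local-part and domain prefix of each From:addr pattern, and the __ML5 Return-Path pattern) are assumptions, as are the sample headers and log lines. No DKIM verification is performed; the dkim_valid argument stands in for the plugin's DKIM_VALID result.

```python
"""Model of the NOTVALID_* meta rules and a parser for amavisd 'dkim:' log lines.
Added example; not SpamAssassin or amavisd-new code."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Country lists copied from __AUTH_YAHOO*/__AUTH_EBAY; the "<anything>@yahoo."
# prefix is an assumption standing in for the obfuscated part of each rule.
YAHOO_RE = re.compile(
    r'^[^@]+@yahoo\.(com|com\.(ar|br|cn|hk|my|sg)|co\.(id|in|jp|nz|uk)'
    r'|(ca|de|dk|es|fr|gr|ie|it|pl|se))$', re.I)
GMAIL_RE = re.compile(r'^[^@]+@gmail\.com$', re.I)
PAYPAL_RE = re.compile(r'^[^@]+@paypal\.com$', re.I)
EBAY_RE = re.compile(
    r'^[^@]+@ebay\.(com|at|be|ca|ch|de|ee|es|fr|hu|ie|in|it|nl|ph|pl|pt|se'
    r'|co\.(kr|uk)|com\.(au|cn|hk|mx|my|sg))$', re.I)
# Assumed reconstruction of __ML5: list-software bounce addresses.
ML_RETURN_PATH_RE = re.compile(
    r'^([^@]+-(request|bounces|admin|owner)|owner-[^@]+)(@|$)', re.I)

# The commented-out scores from 25_yg.cf.
SCORES = {'NOTVALID_YAHOO': 2.8, 'NOTVALID_GMAIL': 2.8, 'NOTVALID_PAY': 6.0}


def via_mailing_list(msg: Message) -> bool:
    """__VIA_ML: Precedence list/bulk, List-* headers, or a list bounce address."""
    if re.search(r'\b(list|bulk)\b', msg.get('Precedence', ''), re.I):
        return True
    if any(h in msg for h in ('List-Id', 'List-Post', 'Mailing-List')):
        return True
    rp_addr = parseaddr(msg.get('Return-Path', ''))[1]
    return bool(ML_RETURN_PATH_RE.match(rp_addr))


def evaluate(raw: str, dkim_valid: bool) -> dict:
    """Return the NOTVALID_* rules that would fire and their summed score.
    dkim_valid replaces the DKIM plugin's DKIM_VALID verdict."""
    msg = message_from_string(raw)
    author = parseaddr(msg.get('From', ''))[1]
    ml = via_mailing_list(msg)
    hits = []
    if not dkim_valid:
        if YAHOO_RE.match(author) and not ml:
            hits.append('NOTVALID_YAHOO')
        if GMAIL_RE.match(author) and not ml:
            hits.append('NOTVALID_GMAIL')
        # NOTVALID_PAY carries no !__VIA_ML exemption in the rules.
        if PAYPAL_RE.match(author) or EBAY_RE.match(author):
            hits.append('NOTVALID_PAY')
    return {'hits': hits, 'score': sum(SCORES[h] for h in hits)}


# Matches the verdict and the signing domain (d= tag) of an amavisd dkim: line.
AMAVIS_DKIM_RE = re.compile(
    r'dkim: (?P<status>VALID|FAILED|INVALID)\b.*?\bd=(?P<domain>[\w.-]+)')


def dkim_failures_by_domain(log_lines) -> dict:
    """Count non-VALID dkim: verdicts per signing domain, e.g. to spot a
    front-end MX or list that keeps breaking signatures."""
    counts = {}
    for line in log_lines:
        m = AMAVIS_DKIM_RE.search(line)
        if m and m.group('status') != 'VALID':
            counts[m.group('domain')] = counts.get(m.group('domain'), 0) + 1
    return counts


# Constructed samples (not real mail or real log data).
DIRECT_YAHOO = "From: Someone <user@yahoo.com.br>\nSubject: hi\n\nbody\n"
LIST_YAHOO = ("From: Someone <user@yahoo.com.br>\nList-Id: <users.example.org>\n"
              "Precedence: list\nSubject: hi\n\nbody\n")
PAYPAL_VIA_LIST = ("From: PayPal <service@paypal.com>\n"
                   "Return-Path: <list-bounces@example.org>\nSubject: hi\n\nbody\n")
LOG = [
    "May 20 18:35:14 correio amavis[14826]: (14826-06) dkim: VALID MailFrom+Sender+Author "
    "signature by user@yahoo.com.br, From: <user@yahoo.com.br>, a=rsa-sha1, c=nofws, "
    "s=s1024, d=yahoo.com.br",
    "May 20 18:37:53 correio amavis[14826]: (14826-08) dkim: FAILED MailFrom+Sender+Author "
    "signature by user@yahoo.com.br, From: <user@yahoo.com.br>, a=rsa-sha1, c=nofws, "
    "s=s1024, d=yahoo.com.br, fail (message has been altered)",
    "May 20 18:40:01 correio amavis[14826]: (14826-09) dkim: FAILED Author signature by "
    "x@example.net, From: <x@example.net>, a=rsa-sha256, c=relaxed, s=k1, d=example.net, "
    "fail (body has been altered)",
]

if __name__ == '__main__':
    for name, raw in (('direct yahoo', DIRECT_YAHOO), ('yahoo via list', LIST_YAHOO),
                      ('paypal via list', PAYPAL_VIA_LIST)):
        print(name, evaluate(raw, dkim_valid=False))
    print(dkim_failures_by_domain(LOG))
```

The two branches worth noticing: a Yahoo message that arrived through a list with a broken signature scores nothing (the !__VIA_ML guard), whereas a PayPal message keeps its 6 points even with list headers, which matches the rules as written.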
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/