>ASSP only looks to i= according to the gui:
...
GUI - 18087
If a valid DKIM or DomainKey signature is found and the signature identity 
(mostly the signature tag i=u...@domain.tld) matches any of these 
addresses,
...

No, I told you many times, assp uses the DKIM identity not the i= tag. If 
an i= tag is not available, the d= tag provides the identity. For 
DomainKey signatures the 'Sender' or 'From' header provides the identity 
(they never have an i= tag).
This is only, but the important half of the truth. The DKIM RFCs 
describe how a DKIM/DomainKey identity is "calculated" - I already told 
you this. Also the POD and the code of Mail::DKIM make this very clear.
Again - and for the last time: It is impossible to create a valid 
DKIM/DomainKey signature without providing an identity. This identity is 
used by ASSP - however this identity is provided by the policy author or 
signer or sender. 

If ValidateSenderLog is enabled and DKIMWLAddresses or DKIMNPAddresses is 
set, the maillog shows the detected DKIM identity for every DKIM mail. The 
analyzer shows it, if a match is found (the next version will show the 
identity every time).

maillog:
Apr-04-18 08:43:57 [Worker_1]......... Info: found DKIM signature identity 
'user....@....domain....tld' 

analyzer (1809x):
DKIM-check returned OK verified-OK for identity 
'user....@....domain....tld'

>I went into more detail in the last thread
>but that irritated you Thomas

No, it frustrated me - because you are not willing to read and learn how 
DKIM is working. Instead you are bothering me and the community with 
things that are already clear.

CLOSED!

Thomas



From:    "K Post" <nntp.p...@gmail.com>
To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date:    03.04.2018 21:35
Subject: [Assp-test] d= DKIM validation for WL/NP Addresses




The new DKIMWLAddress / DKIMNPAddress functionality is terrific, and I 
greatly appreciate you implementing it at my request.  It's already helped 
significantly when senders sign with an i= in their DKIM signature.  Great 
stuff.

I know we've been round and round on the d= only messages last week, but 
I'm hoping that you are still willing to help or if my concept is flawed, 
please correct me and explain where I'm going wrong.

I went into more detail in the last thread, but that irritated you Thomas, 
so I won't go deeper here unless you want me to better explain myself.  
Essentially, a lot of the vendors that our little charity uses send 
invoices when using Office365.  Scammers are doing the same thing and are 
being blocked.  I'm getting false positives on some of the legit mail 
because, well, it looks just like the spam that ASSP has been trained to 
block.  

We can't whitelist the legit email addresses because scammers are using 
them in some cases.  We can't NP the IP because it's from public Office365 
servers. Fortunately, most of these messages are DKIM signed, but they're 
only doing a d= signing, not an i=. For the DKIMWL/NP address 
functionality, ASSP only looks to i= according to the gui:
If a valid DKIM or DomainKey signature is found and the signature identity 
tag (i=u...@domain.tld) matches any of these addresses....

Wouldn't checking d= if i= isn't there be something that would be 
universally beneficial to ASSP users?  If we trust a domain when it's DKIM 
signed, just let the mail through.  With the current version of ASSP, if 
there's no i= signature, this won't work, but the d= entry is just waiting 
there to be used....




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
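
The identity rule described in the reply above, as an added example (not code from ASSP or Mail::DKIM, and not part of either message): the identity is the i= tag when present and otherwise "@" plus the d= domain, and for DomainKey signatures it comes from the Sender or From header. The sample message, the domains and the function names are constructed for illustration, and no cryptographic verification is done here; the identity is only meaningful once the signature has verified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the DKIM signature carries d= but no i= tag.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=vendor.example; s=selector1;\r\n"
    "\th=From:Date:Subject; bh=AAAA; b=BBBB\r\n"
    "From: Billing <billing@mail.vendor.example>\r\n"
    "Subject: Invoice\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_identity(tags):
    """Return the signature identity: i= if present, else '@' + d=."""
    domain = tags.get("d", "").lower()
    if not domain:
        raise ValueError("d= tag is required")
    ident = tags.get("i")
    if ident is None:
        return "@" + domain  # default identity when the signer omits i=
    local, _, idom = ident.rpartition("@")
    idom = idom.lower()
    # The i= domain must be the d= domain itself or a subdomain of it.
    if idom != domain and not idom.endswith("." + domain):
        raise ValueError("i= domain is not d= or a subdomain of it")
    return local + "@" + idom

def domainkey_identity(msg):
    """DomainKey signatures have no i= tag: use Sender, else From."""
    return parseaddr(msg.get("Sender") or msg.get("From", ""))[1]

def identities(raw):
    """List the identity of every DKIM/DomainKey signature in a raw message."""
    msg = message_from_string(raw)
    out = [dkim_identity(parse_tags(v)) for v in msg.get_all("DKIM-Signature", [])]
    if msg.get("DomainKey-Signature"):
        out.append(domainkey_identity(msg))
    return out
```

For the d=-only sample, `identities(SAMPLE)` yields `@vendor.example`, which is the value an address list would have to match.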
