Re: [dkim-milter-discuss] Postfix signing trouble

Fri, 09 Nov 2007 10:40:04 -0800 

After a cursory look at your configuration and headers...

Note that the dkim-filter(8) man page describes the signing vs. verifying 
algorithm as follows:

OPERATION
        A  message will be verified unless it conforms to the signing criteria,
        which are: (1) the domain on the From: address or Sender:  address  (if
        present)  must  be  listed  by the -d command line switch or the Domain
        configuration file setting, and (2) the client connecting  to  the  MTA
        must (a) have authenticated, or (b) be listed in the file referenced by
        the -i command line switch (or be in the default list for that option),
        or  (c)  be  connected  to  a  daemon port named by the -m command line
        switch.

Does your mailing list manager add a Sender: header containing an address 
in one of your signing domains?  If not, your unsigned mail from outside 
your domain is probably failing test (1) above so the filter goes to 
verify mode.

In fact the algorithm is a little better than what's documented.  The 
headers are searched for Resent-Sender:, Resent-From:, Sender: and From:, 
in that order.  The first one it finds is the one whose value is applied 
in test (1) above.  Thus, a re-mailer (e.g. your list manager) should add 
one of the former three headers to get external stuff (e.g. gmail.com) to 
be signed upon re-mailing.

The other (dangerous) alternative is to set up your filter so it signs all 
domains (e.g. "-d '*'" or equivalent) and rely on the origin (internal 
list) only to make sign vs. verify decisions.

The other thing I noticed is that you're allowing signing for traffic from 
204.13.168.0/24 but one of the sources of mail was mx1.riseup.net 
[204.13.164.18] which doesn't match.  I'm not totally clear on where in 
that chain of Received: headers you expected signing to be done so that 
may not be important.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss

Reply via email to