On Fri, 09 Nov 2007 11:20:12 -0800, SM wrote:

> You are signing the *.riseup.net domain.  Your From: address is
> @riseup.net.  I'm not sure that will match (Murray will correct me).

You mean in my -d parameter where I specify *.riseup.net. I thought that 
would catch all hosts in the domain, but I see that this would omit the 
case where there is no hostname. 

Are you saying I should use -d @riseup.net, or -d riseup.net? I think 
probably the latter, as the former is kind of strange, but please correct 
me if I am wrong. Additionally, if I specify that, will I omit any hosts 
within that domain?

On Fri, 09 Nov 2007 10:39:50 -0800, Murray S. Kucherawy wrote:
> OPERATION
>         A  message will be verified unless it conforms to the signing
>         criteria, which are: (1) the domain on the From: address or
>         Sender:  address  (if present)  must  be  listed  by the -d
>         command line switch or the Domain configuration file setting,
>         and (2) the client connecting  to  the  MTA must (a) have
>         authenticated, or (b) be listed in the file referenced by the -i
>         command line switch (or be in the default list for that option),
>         or  (c)  be  connected  to  a  daemon port named by the -m
>         command line switch.
> 
> Does your mailing list manager add a Sender: header containing an
> address in one of your signing domains?  If not, your unsigned mail from
> outside your domain is probably failing test (1) above so the filter
> goes to verify mode.

My mailing list manager (sympa) does not add a Sender: header at all, but 
there is a From: address contained in the first scenario (message 
originating via submission after SASL authentication) which I believe 
matches the -d switch (now that I've changed it to be -d riseup.net), 
which seems to satisfy criteria number 1.

I thought that, because I had set the "Mode" to 's', only signing would 
happen and it wouldn't fall back to verify mode. I suppose what could be 
happening is that if signing is the only mode set, and these criteria are not 
met, nothing happens instead of it falling back into verify mode.

> In fact the algorithm is a little better than what's documented.  The
> headers are searched for Resent-Sender:, Resent-From:, Sender: and
> From:, in that order.  The first one it finds is the one whose value is
> applied in test (1) above.  Thus, a re-mailer (e.g. your list manager)
> should add one of the former three headers to get external stuff (e.g.
> gmail.com) to be signed upon re-mailing.

I see what you are saying here, looking at my headers I do not see any of 
these in the second scenario.
 
> The other (dangerous) alternative is to set up your filter so it signs
> all domains (e.g. "-d '*'" or equivalent) and rely on the origin
> (internal list) only to make sign vs. verify decisions.

How would the origin make sign decisions? I'm not exactly clear on what 
you are suggesting here.
 
> The other thing I noticed is that you're allowing signing for traffic
> from 204.13.168.0/24 but one of the sources of mail was mx1.riseup.net
> [204.13.164.18] which doesn't match.  I'm not totally clear on where in
> that chain of Received: headers you expected signing to be done so that
> may not be important.

Good eye, this is a clear error that I could not see.

Thanks for all the eyes, this helps a lot,
Micah
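The sign-versus-verify decision quoted from the documentation above, worked through on the two scenarios in this thread. This is an added model, not dkim-milter's own code: the header search order (Resent-Sender:, Resent-From:, Sender:, From:), the -d domain list and the three client criteria (authenticated, -i internal list, -m daemon port) come from the quoted text; the wildcard rules for -d (plain "*" matches everything, "*.riseup.net" matches hosts below the domain but not the bare domain), the use of a daemon name string for -m, and the sample messages, addresses and networks are assumptions constructed for the example.

```python
"""Model of the dkim-milter signing criteria described in the thread.
Added illustration only; wildcard semantics and sample data are assumed."""
import ipaddress
import re
from email import message_from_string

# Documented search order: first header present decides the author domain.
HEADER_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")
ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def author_domain(raw_message):
    """Domain (lowercased) of the first HEADER_ORDER header found, else None."""
    msg = message_from_string(raw_message)
    for name in HEADER_ORDER:
        value = msg.get(name)
        if value:
            m = ADDR_RE.search(value)
            if m:
                return m.group(1).lower()
    return None


def domain_listed(domain, patterns):
    """Assumed -d semantics: '*' matches any domain, '*.example.com' matches
    hosts under example.com but not example.com itself, else exact match."""
    if domain is None:
        return False
    for pat in patterns:
        pat = pat.lower()
        if pat == "*":
            return True
        if pat.startswith("*."):
            if domain.endswith(pat[1:]):
                return True
        elif domain == pat:
            return True
    return False


def client_qualifies(client_ip, authenticated, internal_nets, daemon, sign_daemons):
    """Criterion (2): authenticated, or in the -i list, or on a -m daemon port."""
    if authenticated:
        return True
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in internal_nets):
        return True
    return daemon in sign_daemons


def decide(raw_message, client_ip, authenticated, daemon, config):
    """'sign' only when both documented criteria hold, otherwise 'verify'."""
    if not domain_listed(author_domain(raw_message), config["domains"]):
        return "verify"
    if not client_qualifies(client_ip, authenticated, config["internal"],
                            daemon, config["sign_daemons"]):
        return "verify"
    return "sign"


# Constructed configuration mirroring the thread (assumed values).
CONFIG = {"domains": ["riseup.net"],
          "internal": ["127.0.0.1/32", "204.13.168.0/24"],
          "sign_daemons": {"MSA"}}
# Same, with the /24 that actually covers mx1.riseup.net [204.13.164.18].
FIXED_CONFIG = dict(CONFIG, internal=["127.0.0.1/32", "204.13.168.0/24",
                                      "204.13.164.0/24"])

# Constructed sample messages (not taken from the original post).
MSG_SUBMISSION = "From: alice@riseup.net\nTo: list@riseup.net\n\nhi\n"
MSG_LIST_NO_SENDER = "From: bob@gmail.com\nTo: list@riseup.net\n\nhi\n"
MSG_LIST_WITH_SENDER = ("From: bob@gmail.com\nSender: list-request@riseup.net\n"
                        "To: list@riseup.net\n\nhi\n")

if __name__ == "__main__":
    # Scenario 1: authenticated submission from a listed domain.
    print(decide(MSG_SUBMISSION, "10.0.0.9", True, "MTA", CONFIG))
    # Scenario 2: gmail.com post re-mailed without Sender: fails test (1).
    print(decide(MSG_LIST_NO_SENDER, "204.13.164.18", False, "MTA", CONFIG))
    # With Sender: added, test (1) passes but the /24 still doesn't match.
    print(decide(MSG_LIST_WITH_SENDER, "204.13.164.18", False, "MTA", CONFIG))
    print(decide(MSG_LIST_WITH_SENDER, "204.13.164.18", False, "MTA", FIXED_CONFIG))
```

Two things the model makes visible: a "*.riseup.net" pattern never matches a bare "@riseup.net" From: address, which is SM's point, and adding a Sender: header in the signing domain is not enough on its own if the re-mailing host falls outside the -i networks.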

_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss