Murray S. Kucherawy wrote:
> Note the OPERATIONS section of the dkim-filter(8) man page, which reads:
>
> OPERATION
>     A message will be verified unless it conforms to the signing criteria,
>     which are: (1) the domain on the From: address or Sender: address (if
>     present) must be listed by the -d command line switch or the Domain
>     configuration file setting, and (2) the client connecting to the MTA
>     must (a) have authenticated, or (b) be listed in the file referenced by
>     the -i command line switch (or be in the default list for that option),
>     or (c) be connected to a daemon port named by the -m command line
>     switch.
>
> Can you verify that both (1) and (2) are satisfied? It sounds to me
> like (2) is not. Do you have a "-i" command line option or,
> equivalently, an InternalHosts file (referenced from your
> configuration file) which lists the sources whose mail should be signed?

(1) is true; (2) (a), (b) and (c) are all false. I used telnet mx.my-domain.com 25 from an external host to test this. It doesn't sign the message (as expected), but it doesn't reject it either (which is strange, 'cause I think I've advertised a "we sign everything" policy). If I remember correctly, I even removed that domain from the "Domain" (-d) list and tried again; the message was delivered although the "UseSSPDeny yes" and "On-SignatureMissing reject" options should have blocked it.
