Alin Năstac wrote:
> Murray S. Kucherawy wrote:
>> The use of the "SubDomains" option is intended to generate signatures
>> for arbitrary subdomains using a key advertised by the parent
>> domain. That is, mail from "x.example.com" will be signed using
>> "d=example.com". It's intended as blanket coverage for subdomains
>> you may not know are in use.
>>
>> If that isn't what you want, then I believe you have more stringent
>> requirements than the DKIM subdomain signing concept supports, and
>> you should include "x.example.com" explicitly in your signing domains
>> list (and advertise a specific policy for it).
>
> I have dkim-milter-2.4.2.
>
> What I really want is a "dkim=strict; handling=deny" SSP record.
> The problem is that dkim-milter-2.4.2 fails to verify subdomains signed
> with one of the domain's selectors, and I believe it is due to the lack
> of the "[EMAIL PROTECTED]" tag in the DKIM-Signature header. However, I
> didn't analyse the source code, so it is more like an educated guess.
>
> Since dkim-milter gives me the option to sign subdomain messages,
> verification of such messages should succeed, don't you think? More so
> if the signer and verifier use the exact same DKIM software and
> therefore it couldn't be due to different interpretation of the DKIM
> specification.
>

I've analyzed the code and conclude that dkim_policy() is to blame. More precisely, a signature is valid only if signer domain == the domain part of the sender address. I think it should also accept a signature if both the following conditions are satisfied:
- dkim->dkim_domain is a subdomain of sig->sig_domain
- SSP entry of the sig->sig_domain doesn't have t=s

Will you accept a patch that does just that? To prove my point (that DKIM should also accept valid domain signatures on subdomain messages), please see the example in Appendix A of RFC 4871.
_______________________________________________ dkim-milter-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
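
The two conditions proposed in the message above, written out as an added example (not dkim-milter code and not the patch the poster offers). The function names are hypothetical, and `no_subdomains` is assumed to be the already-parsed "t=s" flag the post refers to; the point to notice is that the subdomain test must match on a label boundary, not on a bare string suffix.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Length of a domain name, ignoring one trailing root dot. */
static size_t dom_len(const char *d)
{
    size_t n = strlen(d);
    return (n > 0 && d[n - 1] == '.') ? n - 1 : n;
}

/* Case-insensitive comparison of the first n bytes (DNS names ignore case). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* 1 if child is a proper subdomain of parent. The byte before the matched
 * suffix must be a dot, so "evilexample.com" is not under "example.com". */
int is_subdomain(const char *child, const char *parent)
{
    size_t cl = dom_len(child), pl = dom_len(parent);
    if (pl == 0 || cl < pl + 2 || child[cl - pl - 1] != '.')
        return 0;
    return eq_nocase(child + (cl - pl), parent, pl);
}

/* Hypothetical check: sender_domain plays the role of dkim->dkim_domain and
 * sig_domain that of sig->sig_domain; no_subdomains is the assumed t=s flag. */
int signature_covers_sender(const char *sender_domain, const char *sig_domain,
                            int no_subdomains)
{
    size_t sl = dom_len(sender_domain), gl = dom_len(sig_domain);
    if (sl == 0 || gl == 0)
        return 0;
    if (sl == gl && eq_nocase(sender_domain, sig_domain, sl))
        return 1;                 /* exact match, the rule the post describes */
    return !no_subdomains && is_subdomain(sender_domain, sig_domain);
}

int main(void)
{
    return signature_covers_sender("x.example.com", "example.com", 0) ? 0 : 1;
}
```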
