Alin,

> > What I really want is a "dkim=strict; handling=deny" SSP record.
> > Problem is dkim-milter-2.4.2 fails to verify subdomains signed with
> > one of domain's selector and I believe is due to the lack of
> > "[EMAIL PROTECTED]" tag in DKIM-Signature header.

Keep in mind that signatures where the From domain does not exactly match the domain in 'i' tag are considered third-party signatures. This is not to say that they would not validate, but these are not author's signatures (originator signatures).

> I've analyzed the code and conclude that dkim_policy() is to blame. More
> precisely, a signature is valid only if signer domain == the domain part
> of the sender address. I think it should also accept a signature if both
> the following conditions are satisfied:
> - dkim->dkim_domain is a subdomain of sig->sig_domain
> - SSP entry of the sig->sig_domain doesn't have t=s

When From is [EMAIL PROTECTED], the following holds (assuming absence of 's' flag in a public key):

- [EMAIL PROTECTED] d=example.com => first party signature
- ([EMAIL PROTECTED]) d=example.com => third party signature

So even if a DKIM signer offers a choice to sign [EMAIL PROTECTED] as d=example.com (with a default [EMAIL PROTECTED]), this produces a third party signature to recipient and should cause a SSP lookup. Such signature could still have value to recipient though (e.g. for whitelisting).

Mark

_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
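The first-party / third-party distinction described in the reply above, as an added example (not code from dkim-milter or from the original message): the From domain is compared with the domain of the 'i' tag, which defaults to "@" plus the 'd' value when absent, and the 's' key flag and subdomain rule of RFC 4871 are checked first. The addresses and signature headers are constructed sample values, since the addresses in the message are redacted; classify() and its helpers are hypothetical names.

```python
import re
from email.utils import parseaddr

# Constructed sample inputs (not taken from the thread).
FROM = "Alice <alice@sub.example.com>"
SIG_WITH_I = ("v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
              "\ti=@sub.example.com; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
SIG_DEFAULT_I = "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_FOREIGN_I = "v=1; a=rsa-sha256; d=example.com; s=sel1; i=@example.net; h=from; bh=X; b=X"


def parse_tags(header_value):
    """Split a DKIM-Signature value into a {tag: value} dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def domain_of(address):
    """Lower-cased domain part of an address or of an i= value such as '@example.com'."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def classify(from_header, dkim_signature, key_flags=()):
    """Return 'first-party', 'third-party' or 'invalid' for one signature.

    key_flags holds the flags from the t= tag of the selector's public key
    record; the caller is assumed to have fetched that record already.
    """
    tags = parse_tags(dkim_signature)
    d = tags.get("d", "").lower().rstrip(".")
    if not d:
        return "invalid"                      # d= is a required tag
    i_domain = domain_of(tags.get("i", "@" + d))  # i= defaults to "@" + d
    if i_domain != d and not i_domain.endswith("." + d):
        return "invalid"                      # i= must be d= or a subdomain of it
    if "s" in key_flags and i_domain != d:
        return "invalid"                      # key flag 's' forbids subdomains in i=
    from_domain = domain_of(parseaddr(from_header)[1])
    # Exact match only: a parent-domain identity does not make an author signature.
    return "first-party" if from_domain == i_domain else "third-party"
```

A 'third-party' result here says nothing about whether the cryptographic check passes; it only tells the verifier that the signature is not the author's and that an SSP lookup on the From domain is still needed.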
