Murray S. Kucherawy wrote:
> On Fri, 12 Sep 2008, Florian Sager wrote:
>
>> I am looking for something similar, a SIGNINGDOMAIN_HEADER:
>> Enable selection of which signing domain to use when signing based on the
>> contents of an arbitrary header (default is signing by the domain in the
>> From header).
>
> Doesn't the key list already support this behaviour? For example:
>
> [EMAIL PROTECTED]:domain1.com:/path/to/keys/for/domain1/foo
> [EMAIL PROTECTED]:domain2.com:/path/to/keys/for/domain2/bar

According to my tests, the first field of the list always refers to the From header.

A SIGNINGDOMAIN_HEADER would help in the following case (we discussed this in our working group): An ISP (isp.tld) allows its users to use arbitrary addresses in the From header, e.g. users send mails by AUTH LOGIN [EMAIL PROTECTED] with FROM: [EMAIL PROTECTED]

If the ISP wants to include his signatures, the following could be done:

1) Add a header to the email that contains the authenticated user or its hash to get a unique user level identity inside the domain of the ISP. I am using the following Postfix Regexp in my header_checks = regexp:/etc/postfix/set_auth_sender.regexp for that:

>>>
if /^X-Sender: .*/
/^Received: .*\s+?Authenticated sender: (.*)\)\s+?by mx.mailserver.tld/ REPLACE X-Sender: $1
endif
if !/^X-Sender: .*/
/^Received: .*\s+?Authenticated sender: (.*)\)\s+?by mx.mailserver.tld/ PREPEND X-Sender: $1
endif
<<<

2) Run dkim-milter with SIGNINGDOMAIN_HEADER=X-Sender to assure that the signing domain (for which the selection in the keylist is done) refers to one of the ISP's own domains.

3) (I should post this one to the dkim-ietf list) As long as the i= attribute inside the DKIM signature is set on behalf of the signing agent, I'd like to see an m= attribute that could contain the alleged mailbox that was authenticated on the signing system (if available; the content of X-Sender in my example above). If I (as the receiver) trust a sending ISP, I could drag down the reliability of authentication from the signing domain level to the user level with this information (sure, an uncertainty remains; but the uncertainty is higher if I heuristically use the From header for this drag down of the trust level).

Regards,
Florian

_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
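
An added illustration, not part of the message above and not dkim-milter code: a Python model of steps 1) and 2), showing key-list selection keyed on the From header versus on an X-Sender header derived from the MTA's own Received line. The domains, key paths, MTA name and sample message are constructed, and the header parameter stands in for the proposed SIGNINGDOMAIN_HEADER option.

```python
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase
import re

# Constructed key list in the "pattern:signing-domain:key-path" shape quoted above.
KEYLIST = [
    "*@isp.example:isp.example:/etc/dkim/keys/isp.example/sel1",
    "*@customer.example:customer.example:/etc/dkim/keys/customer.example/sel1",
]
# Same idea as the header_checks pattern in step 1; mx.isp.example is a placeholder.
AUTH_RE = re.compile(r"Authenticated sender: ([^)\s]+)\)\s+by mx\.isp\.example\b")

# Constructed message: SASL login at isp.example, an unrelated From address,
# and an X-Sender header that the client supplied itself.
SAMPLE = (
    "Received: from client (client [192.0.2.10])\n"
    "\t(Authenticated sender: user1@isp.example)\n"
    "\tby mx.isp.example (Postfix) with ESMTPSA id ABC123\n"
    "X-Sender: someone@customer.example\n"
    "From: Alice <alice@elsewhere.example>\n"
    "Subject: test\n\nbody\n"
)

def sample_message():
    return message_from_string(SAMPLE)

def set_x_sender(msg):
    """Drop client-supplied X-Sender, then set it from the topmost Received only
    (lower Received lines arrived with the message and are not trusted)."""
    del msg["X-Sender"]  # removes every occurrence, no error if absent
    received = msg.get_all("Received", [])
    m = AUTH_RE.search(received[0]) if received else None
    if m:
        msg["X-Sender"] = m.group(1).lower()
    return msg["X-Sender"]

def select_key(msg, header="From"):
    """Return (signing_domain, key_path) for the address in `header`, or None."""
    addr = parseaddr(msg.get(header, ""))[1].lower()
    for entry in KEYLIST:
        pattern, domain, path = entry.split(":", 2)
        if addr and fnmatchcase(addr, pattern):
            return domain, path
    return None

if __name__ == "__main__":
    msg = sample_message()
    print("From-based:", select_key(msg, "From"))
    print("X-Sender set to:", set_x_sender(msg))
    print("X-Sender-based:", select_key(msg, "X-Sender"))
```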
