At 23:10 30-09-2008, Florian Sager wrote:

>According to my tests the first field of the list always refers to the
>From header. A SIGNINGDOMAIN_HEADER would help in the following case
>(we discussed this in our working group):
>
>An ISP (isp.tld) allows its users to use arbitrary addresses in the From
>header, e.g. users send mails by AUTH LOGIN [EMAIL PROTECTED] with FROM:
>[EMAIL PROTECTED]
>If the ISP wants to include its signatures the following could be done:
>
>1) Add a header to the email that contains the authenticated user or its
>hash to get a unique user level identity inside the domain of the ISP. I
>am using the following Postfix Regexp in my
>header_checks = regexp:/etc/postfix/set_auth_sender.regexp for that:
>
>>>>
>if /^X-Sender: .*/
>/^Received: .*\s+?Authenticated sender: (.*)\)\s+?by mx.mailserver.tld/
>REPLACE X-Sender: $1
>endif
>if !/^X-Sender: .*/
>/^Received: .*\s+?Authenticated sender: (.*)\)\s+?by mx.mailserver.tld/
>PREPEND X-Sender: $1
>endif
><<<
>
>2) Run dkim-milter with SIGNINGDOMAIN_HEADER=X-Sender to assure that the
>signing domain (for which the selection in the keylist is done) refers
>to one of the ISP's own domains.
That's third party (DKIM) signing.

>3) (I should post this one to the dkim-ietf list) As long as the i=
>attribute inside the DKIM signature is set on behalf of the signing
>agent I'd like to see an m= attribute that could contain the alleged
>mailbox that was authenticated on the signing system (if available; the
>content of X-Sender in my example above). If I (as the receiver) trust a
>sending ISP I could drag down the reliability of authentication from the
>signing domain level to the user level with this information (sure, an
>uncertainty remains; but the uncertainty is higher if I heuristically
>use the From-header for this drag down of the trust level).

The i= is the identity. It's an opaque tag and it doesn't have to match the "From:" or any other header. You could use it for an authenticated sender identity instead of creating an m= tag. BTW, it's not an alleged mailbox if the sender was authenticated. As a verifier, I may not know what the local-part of your i= tag means but I might apply a policy based on the signing domain.

Regards,
-sm

_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
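As an added example (not code from this thread, from dkim-milter or from Postfix), the following Python mirrors both halves of the approach discussed above: on the signing side it derives an X-Sender value from the Received: line that our own MX added on the authenticated hop, overwriting any X-Sender a client may have supplied (the same effect as the REPLACE/PREPEND pair in the header_checks map), and on the verifier side it treats the local-part of i= as opaque while checking that the i= domain is the signing domain d= or a subdomain of it, as RFC 4871 requires before any policy is applied per signing domain. The message, the MX host name mx.mailserver.tld and the DKIM-Signature value are constructed; the signature's bh= and b= fields are placeholders and no actual signing takes place.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Dict, Optional, Tuple

# Constructed sample: the user authenticated as alice@isp.tld but wrote an
# unrelated address in From:, the situation described in the thread.
SAMPLE_MESSAGE = (
    "Received: from client.example (client.example [192.0.2.10])\n"
    "\t(Authenticated sender: alice@isp.tld)\n"
    "\tby mx.mailserver.tld (Postfix) with ESMTPSA id ABC123;\n"
    "\tTue, 30 Sep 2008 23:10:00 +0200\n"
    "From: alice.personal@other-domain.example\n"
    "To: bob@example.net\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

# Constructed DKIM-Signature value; bh= and b= are placeholders, not real digests.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=isp.tld; s=sel1;\n"
    "\th=from:to:subject; i=alice@isp.tld; bh=PLACEHOLDER; b=PLACEHOLDER"
)

# Hypothetical host name of our own MX. Anchoring the match on it keeps an
# "Authenticated sender" clause in a Received: line added by some upstream
# system from being trusted, just as the thread's regexp does.
MX_HOST = "mx.mailserver.tld"


def authenticated_sender(msg: Message, mx_host: str = MX_HOST) -> Optional[str]:
    """Return the address our MX authenticated, or None if no such hop exists."""
    pattern = re.compile(
        r"\(Authenticated sender: ([^\s()]+)\)\s+by " + re.escape(mx_host) + r"\b"
    )
    for received in msg.get_all("Received", []):
        match = pattern.search(received)
        if match:
            return match.group(1).lower()
    return None


def set_x_sender(msg: Message, mx_host: str = MX_HOST) -> Optional[str]:
    """Mirror REPLACE / PREPEND: an X-Sender present on arrival is overwritten so a
    client cannot pre-set it; otherwise one is added. Returns the value used."""
    sender = authenticated_sender(msg, mx_host)
    if sender is None:
        return None
    if "X-Sender" in msg:
        msg.replace_header("X-Sender", sender)
    else:
        msg["X-Sender"] = sender
    return sender


def parse_dkim_tags(sig_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature tag=value list; folding whitespace inside values is dropped."""
    tags: Dict[str, str] = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags


def agent_identity_check(tags: Dict[str, str]) -> Tuple[bool, str]:
    """Verifier-side view from the reply: the local-part of i= is opaque, policy is
    keyed on d=, and an i= whose domain is neither d= nor a subdomain of d= is
    rejected (RFC 4871 section 3.5). Returns (acceptable, signing_domain)."""
    d = tags.get("d", "").lower()
    if not d:
        return False, d
    i_domain = tags.get("i", "@" + d).lower().rpartition("@")[2]
    if i_domain != d and not i_domain.endswith("." + d):
        return False, d
    return True, d


if __name__ == "__main__":
    message = message_from_string(SAMPLE_MESSAGE)
    print("X-Sender:", set_x_sender(message))
    print("signing domain for key selection:", message["X-Sender"].rpartition("@")[2])
    print("verifier:", agent_identity_check(parse_dkim_tags(SAMPLE_SIGNATURE)))
```

The signing-domain value used for key selection is simply the domain part of X-Sender, which is what SIGNINGDOMAIN_HEADER=X-Sender would hand to the key list; the same address can be placed in i= so that a trusting receiver sees the authenticated mailbox without a new tag.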
