Hi Murray & SM: You guys are awesome, as usual -- thanks for the quick response and help.
Murray: I recompiled with _FFR_SENDER_HEADERS enabled and added "SenderHeaders From" to my config. I was quite confident that this would solve the problem, but it did not seem to. The good news is that we made some progress; the logs are interesting: Jul 27 08:35:52 starfish sendmail[18840]: n6RDZkT2018840: from=<[email protected]>, size=5169, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=lists.XCF.Berkeley.EDU [128.32.112.242] Jul 27 08:35:52 starfish sendmail[18840]: n6RDZkT2018840: Milter add: header: X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/ Jul 27 08:35:52 starfish sendmail[18840]: n6RDZkT2018840: Milter add: header: Received-SPF: None (starfish.lotspeich.org: domain of [email protected]\n\tdoes not designate permitted sender hosts)\n\treceiver=starfish.lotspeich.org; client-ip=128.32.112.242;\n\tenvelope-from=<[email protected]>; helo=lists.XCF.Berkeley.EDU; Jul 27 08:35:52 starfish dkim-filter[20159]: n6RDZkT2018840 external host lists.XCF.Berkeley.EDU attempted to send as lotspeich.org Jul 27 08:35:52 starfish dkim-filter[20159]: n6RDZkT2018840 not internal Jul 27 08:35:52 starfish dkim-filter[20159]: n6RDZkT2018840 not authenticated Jul 27 08:35:52 starfish dkim-filter[20159]: n6RDZkT2018840 mode select: verifying Jul 27 08:35:53 starfish sendmail[18840]: n6RDZkT2018840: Milter insert (1): header: Authentication-Results: starfish.lotspeich.org; dkim=none (no signature)\n\theader.i=unknown; x-dkim-adsp=none Jul 27 08:35:53 starfish sendmail[18840]: n6RDZkT2018840: Milter insert (1): header: X-DKIM: Sendmail DKIM Filter v2.8.3 starfish.lotspeich.org n6RDZkT2018840 Jul 27 08:35:53 starfish sendmail[18843]: n6RDZkT2018840: to=<[email protected]>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=35871, dsn=2.0.0, stat=Sent I see "external host lists.XCF.Berkeley.EDU attempted to send as lotspeich.org". This is exactly what I would expect; I would think that this would result in an ADSP "fail". Despite this, however, dkim-filter constructs a header with "x-dkim-adsp=none". Regards, Erik. Murray S. Kucherawy wrote: >> -----Original Message----- >> From: Erik Lotspeich [mailto:[email protected]] >> Sent: Saturday, July 25, 2009 9:19 PM >> To: dkim-milter >> Subject: [dkim-milter-discuss] Verification not failing >> >> Hi, >> >> I am extremely stumped by this issue. Here are some e-mail headers for >> an e-mail that is not failing an ADSP check. My policy is sign >> everything. This mailing list strips the DKIM signature out of the >> headers, as you can see. >> [...] > > I'm on a layover enroute to IETF, but I had a quick look and thus here's a > guess. There's some old code that's still in there from the early DomainKeys > days which specifies a list of headers to search for the actual sender of the > message. That list is not constrained to "From" only by default (as it > probably should be for modern DKIM), so it's probably doing its ADSP check > based on the "Sender" header which, in this case, contains the address of the > list and not that of the message's author. > > To test this, recompile enabling _FFR_SENDER_HEADERS, then set this in your > configuration file: > > SenderHeaders From > > ...and watch your logs for another message from the list. > > -MSK > > ------------------------------------------------------------------------------ > _______________________________________________ > dkim-milter-discuss mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss ------------------------------------------------------------------------------ _______________________________________________ dkim-milter-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
