I have Postfix/DKIM version V 2.8.3 installed.

DKIM configuration:

    ADSPDiscard yes
    On-DNSError tempfail
    DNSTimeout 10
    On-BadSignature accept
    On-InternalError tempfail
    On-NoSignature accept
    LogWhy yes

ADSP policy implementation:

    _adsp._domainkey.<mydomain>. 900 IN TXT "dkim=discardable"

Test 1: Receiving an external unsigned message with a faked "from" header, and the DNS server is responding within DNSTimeout.

Then I have the following log lines:

    Oct 8 14:04:54 sf-1 dkim-filter[3607]: (unknown-jobid) external host be-1-data attempted to send as <mydomain>
    Oct 8 14:04:54 sf-1 dkim-filter[3607]: (unknown-jobid) not internal
    Oct 8 14:04:54 sf-1 dkim-filter[3607]: (unknown-jobid) not authenticated
    Oct 8 14:04:54 sf-1 dkim-filter[3607]: (unknown-jobid) mode select: verifying
    Oct 8 14:04:54 sf-1 dkim-filter[3607]: 1184D2D81B9 rejected per sender domain policy
    Oct 8 14:04:54 sf-1 postfix/cleanup[29483]: 1184D2D81B9: milter-reject: END-OF-MESSAGE from be-1-data[192.168.200.45]: 5.7.1 rejected due to DKIM ADSP evaluation; from=<j...@mydomain> to=<al...@mydomain> proto=ESMTP helo=<be-1>

=> the result is as expected = the message is rejected (ok)

Test 2: Receiving an external unsigned message with a faked "from" header, and the DNS server is NOT responding within DNSTimeout.

To simulate DNS not responding, the server has no DNS to resolve.

Then I have the following log lines:

    Oct 7 12:18:32 sf-1 dkim-filter[3685]: (unknown-jobid) external host be-1-data attempted to send as <mydomain>
    Oct 7 12:18:32 sf-1 dkim-filter[3685]: (unknown-jobid) not internal
    Oct 7 12:18:32 sf-1 dkim-filter[3685]: (unknown-jobid) not authenticated
    Oct 7 12:18:32 sf-1 dkim-filter[3685]: (unknown-jobid) mode select: verifying
    Oct 7 12:19:12 sf-1 dkim-filter[3685]: B93AD2D8019 ADSP query: ar_waitreply(): `_adsp._domainkey.<mydomain>' query error
    Oct 7 12:19:12 sf-1 dkim-filter[3685]: B93AD2D8019: no signature data

=> the result is NOT as expected = the message passed (ok) - I expected to have a tempfail response

Test 3: Receiving an external signed message, and the DNS server is NOT responding within DNSTimeout.

To simulate DNS not responding, the server has no DNS to resolve.

Then I have the following log lines:

    Oct 8 11:20:20 sf-1 dkim-filter[8747]: (unknown-jobid) no signing domain match for `foo.org'
    Oct 8 11:20:20 sf-1 dkim-filter[8747]: (unknown-jobid) no signing subdomain match for `foo.org'
    Oct 8 11:20:20 sf-1 dkim-filter[8747]: (unknown-jobid) no signing keylist match for `[email protected]'
    Oct 8 11:20:20 sf-1 dkim-filter[8747]: (unknown-jobid) not internal
    Oct 8 11:20:20 sf-1 dkim-filter[8747]: (unknown-jobid) not authenticated
    Oct 8 11:20:20 sf-1 dkim-filter[8747]: (unknown-jobid) mode select: verifying
    Oct 8 11:20:40 sf-1 dkim-filter[8747]: BFEF32D819C: key retrieval failed (s=foo, d=foo.org): ar_waitreply(): `foo._domainkey.foo.org' expired
    Oct 8 11:20:40 sf-1 postfix/cleanup[31274]: BFEF32D819C: milter-reject: END-OF-MESSAGE from unknown[a.b.c.d]: 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<rep...@mydomain> proto=ESMTP helo=<m01.foo.org>

=> the result is as expected = the message is temporarily rejected (ok) (I suppose here that On-DNSError tempfail applied ...)

Considering the results of tests 2 and 3, I do not understand how "On-DNSError/ADSP" work.

Does anyone have any clarification?

Thank you for your help.

Rgds
Alain
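
Added example, not part of the original post or of dkim-milter: a small Python check that groups the log lines quoted above by queue ID and flags messages where a DNS lookup failed but no milter-reject followed, which is the Test 2 pattern. The function names are hypothetical, and treating the absence of a milter-reject line as "accepted" is an assumption.

```python
import re

# Excerpts of the log lines quoted in the post (envelope fields trimmed).
SAMPLE_LOG = """\
Oct 8 14:04:54 sf-1 dkim-filter[3607]: (unknown-jobid) mode select: verifying
Oct 8 14:04:54 sf-1 dkim-filter[3607]: 1184D2D81B9 rejected per sender domain policy
Oct 8 14:04:54 sf-1 postfix/cleanup[29483]: 1184D2D81B9: milter-reject: END-OF-MESSAGE from be-1-data[192.168.200.45]: 5.7.1 rejected due to DKIM ADSP evaluation
Oct 7 12:19:12 sf-1 dkim-filter[3685]: B93AD2D8019 ADSP query: ar_waitreply(): `_adsp._domainkey.<mydomain>' query error
Oct 7 12:19:12 sf-1 dkim-filter[3685]: B93AD2D8019: no signature data
Oct 8 11:20:40 sf-1 dkim-filter[8747]: BFEF32D819C: key retrieval failed (s=foo, d=foo.org): ar_waitreply(): `foo._domainkey.foo.org' expired
Oct 8 11:20:40 sf-1 postfix/cleanup[31274]: BFEF32D819C: milter-reject: END-OF-MESSAGE from unknown[a.b.c.d]: 4.7.1 Service unavailable - try again later
"""

# Program name, PID, queue ID (optionally followed by ':'), then the message.
LINE = re.compile(r"(?P<prog>dkim-filter|postfix/cleanup)\[\d+\]: "
                  r"(?P<qid>[0-9A-F]{8,}):? (?P<msg>.*)")
# First digit of the enhanced status code: 4 = temporary, 5 = permanent.
REJECT = re.compile(r"milter-reject: .*?: (?P<code>[45])\.\d+\.\d+ ")


def summarize(log_text):
    """Return {queue_id: {"dns_error": str or None, "verdict": str}}."""
    jobs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # "(unknown-jobid)" lines carry no queue ID
        # Assumption: no milter-reject line for a queue ID means it was accepted.
        job = jobs.setdefault(m["qid"], {"dns_error": None, "verdict": "accepted"})
        msg = m["msg"]
        if msg.startswith("ADSP query:") and "query error" in msg:
            job["dns_error"] = "adsp"   # ADSP policy lookup failed
        elif msg.startswith("key retrieval failed"):
            job["dns_error"] = "key"    # signing key lookup failed
        rej = REJECT.search(msg)
        if rej:
            job["verdict"] = "tempfail" if rej["code"] == "4" else "rejected"
    return jobs


def fail_open(log_text):
    """Queue IDs where a DNS lookup failed yet no milter-reject was logged."""
    return [qid for qid, job in summarize(log_text).items()
            if job["dns_error"] and job["verdict"] == "accepted"]


if __name__ == "__main__":
    for qid, job in summarize(SAMPLE_LOG).items():
        print(qid, job)
    print("fail-open on DNS error:", fail_open(SAMPLE_LOG))
```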
