On 29/03/07, Marc Perkel <[EMAIL PROTECTED]> wrote:
>
> Magnus Holmgren wrote:
> > On Thursday 29 March 2007 23:27, Marc Perkel wrote:
> >
> >> If a domain has a policy of signsall=1 and there is no signature - is
> >> that good enough to reject the email?
> >
> > That's up to you if you think that every domain that declares that policy
> > actually follows it. Maybe the probability is greater than for domains with
> > SPF records ending in "-all".
> >
> >> If a message is signed but result is badsig - can I reject it?
> >
> > That's up to you, but it's not generally recommended, I believe, as the
> > chance is too great that some relay alters the message in a way that
> > breaks the signature.
>
> I see - so altering the message in any way breaks the signature. I
> should probably ignore bad signatures then.

Altering the body certainly does, as I said earlier.

What you should probably do is start gathering stats for the domains of interest, and take a view on what the percentages of messages are that 'badsig', and try to do forensics on them.

What I find DK most useful for is whitelisting, not blacklisting - if I get a good sig from (eg) PayPal, I skip all the other content checks. Works well for Yahoo Groups, too, so you don't end up bouncing them and triggering unsubscribes on FPs. (Except that not all YG mails have good sigs... but that just reduces the coverage, not the accuracy, in a whitelist situation).

Moral of story: test and log first, then decide what reject policy to apply.

Peter

--
Peter Bowyer
Email: [EMAIL PROTECTED]

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
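
A sketch of the "test and log first" step described in the reply above, added here as an example and not part of the original thread or of Exim. The log line format, the status labels (`good`, `badsig`, `nosig`) and the domains are constructed assumptions; adapt the regular expression to whatever your own logging writes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed format (not real Exim output).
SAMPLE_LOG = """\
2007-03-29 23:41:07 DK sender_domain=paypal.example status=good
2007-03-29 23:41:09 DK sender_domain=groups.example status=good
2007-03-29 23:42:15 DK sender_domain=groups.example status=badsig
2007-03-29 23:43:01 DK sender_domain=paypal.example status=good
2007-03-29 23:44:30 DK sender_domain=groups.example status=nosig
2007-03-29 23:45:12 DK sender_domain=bank.example status=nosig
2007-03-29 23:46:48 DK sender_domain=paypal.example status=good
2007-03-29 23:47:02 DK sender_domain=groups.example status=good
2007-03-29 23:48:19 DK sender_domain=PayPal.example status=good
2007-03-29 23:49:55 DK sender_domain=groups.example status=good
"""

LINE_RE = re.compile(r"DK sender_domain=(?P<domain>\S+) status=(?P<status>\S+)")

def tally(lines):
    """Count verification results per sender domain (case-insensitive)."""
    stats = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            stats[m["domain"].lower()][m["status"]] += 1
    return stats

def report(stats, min_signed=3):
    """Per domain: how often a signed message failed verification.

    badsig_pct is computed over signed mail only; unsigned mail lowers
    whitelist coverage but says nothing about signature breakage.
    """
    rows = {}
    for domain, c in stats.items():
        signed = c["good"] + c["badsig"]
        rows[domain] = {
            "total": sum(c.values()),
            "signed": signed,
            "badsig_pct": 100.0 * c["badsig"] / signed if signed else None,
            "enough_data": signed >= min_signed,  # too few samples: keep logging
        }
    return rows

if __name__ == "__main__":
    for domain, row in sorted(report(tally(SAMPLE_LOG.splitlines())).items()):
        print(domain, row)
```

A domain with a non-trivial `badsig_pct` on legitimate mail is the case where rejecting on a bad signature would cause false positives; the messages behind that figure are the ones to examine before choosing a policy.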
