Hm, sorry people..

Steffen Nurpmeso wrote in
 <20250708010154.3qxReRwY@steffen%sdaoden.eu>:
 |aah, sigh.. surely you see it then..

i expanded on that locally, with some further changes (lots of
typo fixes, cruft DKIMACDC->ACDC, DKIM-Diff:->DKIM-DC:, shorter
tags).  Also because the sent examples missed the Y and y flags,
which are permanent (Sigmund Freud surely would have his fun) ...

So here that example, fixed (Yy), and extended with more
recipients, also which will fail SPF and DMARC without
Mitigations'25, and one second-line recipient.

  Originator (yet forged for recipient domain f.g):

    MAIL FROM: <[email protected]>
    RCPT TO: <[email protected]>
    RCPT TO: <[email protected]>
    ...
    DKIM-AC: sn=1; s=K1; [email protected]; d=f.g; t=d; t=e; b=...
    DKIM-Signature: acdc=1:O; s=K1; ...
    DKIX-Signature: acdc=1:O; s=K1; ...
    From: [email protected]
    To: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

    bla

  f.g, local delivery:

    ...
    DKIM-Signature: acdc=2:IV; ...
    DKIX-Signature: acdc=1:O; s=K1; ...
    From: [email protected]
    ...

  [email protected] -- a mailing-list!
  It redistributes after RFC 2369 and RFC 2919 additions,
  in-message unsubscribe footer, and From: mitigated
  (in best RFC 3461 manner):

    MAIL FROM: <[email protected]>
    RCPT TO: <[email protected]>
    ...
    DKIM-AC: sn=2; s=K2; [email protected]; d=m.n; t=l; b=...
    DKIM-DC: sn=2; c=xz; h=BASE64; b=BASE64
    DKIM-Signature: acdc=2:DEOVYy; s=K2 ...
    DKIX-Signature: acdc=2:DEOVYy; s=K2 ...
    DKIX-Signature: acdc=1:O; s=K1; ...
    From: a(AT)b(DOT)c via [email protected] <[email protected]>
    ...
    List-Unsubscribe: bla

  [email protected] -- an expanded alias!
  The host honours RFC 3461, and changes MAIL FROM:

    MAIL FROM: <[email protected]>
    RCPT TO: <[email protected]>
    ...
    DKIM-AC: sn=2; s=K2; [email protected]; d=realv.realw; t=realu; b=...
    DKIM-Signature: acdc=2:EOVy; s=K2 ...
    DKIX-Signature: acdc=2:EOVy; s=K2 ...
    DKIX-Signature: acdc=1:O; s=K1; ...
    From: [email protected]
    ...

  [email protected] -- an expanded alias!
  Note: will fail SPF of [email protected] without Mitigations'25!

    MAIL FROM: <[email protected]>
    RCPT TO: <[email protected]>
    ...
    DKIM-AC: sn=2; s=K2; [email protected]; d=reals.realt; t=realr; b=...
    DKIM-Signature: acdc=2:EOVy; s=K2 ...
    DKIX-Signature: acdc=2:EOVy; s=K2 ...
    DKIX-Signature: acdc=1:O; s=K1; ...
    From: [email protected]
    ...

  [email protected] -- a mailing-list!
  It redistributes after RFC 2369 and RFC 2919 additions,
  in-message unsubscribe footer, without From: mitigation.
  Note: will fail DMARC of [email protected] without Mitigations'25!
  (This is why DKIM-Signature "1" is in.)

    MAIL FROM: <[email protected]>
    RCPT TO: <[email protected]>
    ...
    DKIM-AC: sn=2; s=K2; [email protected]; d=X.X; t=X; b=...
    DKIM-DC: sn=2; c=xz; h=BASE64; b=BASE64
    DKIM-Signature: acdc=2:DEOVYy; s=K2 ...
    DKIX-Signature: acdc=2:DEOVYy; s=K2 ...
    DKIM-Signature: acdc=1:O; s=K1; ...
    DKIX-Signature: acdc=1:O; s=K1; ...
    From: [email protected]
    ...
    List-Unsubscribe: bla

  [email protected] (recipient of x.y.z mailing-list), local delivery:

    ...
    DKIM-Signature: acdc=3:IVYy;
    DKIM-DC: sn=2; c=xz; h=BASE64; b=BASE64
    DKIX-Signature: acdc=2:DEOVYy; s=K2 ...
    DKIX-Signature: acdc=1:O; s=K1; ...
    From: a(AT)b(DOT)c via [email protected] <[email protected]>
    ...

Doesn't look bad, though i would have loved DKIM-Sig, the OpenPGP
people introduce a "sig" at the moment, that short it can be.

So now that it is for me.  I will post -07 with the above example
(maybe i'll add some more local delivery examples) and the
mentioned fixes, and with Mitigations'25 laid out.
I'd only wish we would get SMTP VERP extension, and, of course,
Implicit TLS SMTP!!  In addition that is.  The sheer amount of I/O
and roundtrips etc etc saved is beyond imagination.

Thank you,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
|During summer's humble, here's David Leonard's grumble
|
|The black bear,          The black bear,
|blithely holds his own   holds himself at leisure
|beating it, up and down  tossing over his ups and downs with pleasure
|
|Farewell, dear collar bear

_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
