Postscreen, SPF and DKIM?
Yes, I do realize the more added to postscreen, the slower it gets, etc. However, one function that would seem to fit perfectly if it's not too slow would be spf and dkim checks. SPF we are doing via a milter, and, seems to be fast. Yes, it's DNS records, but, postscreen already does much worse with dnsrbls. Not sure about dkim efficiency. And the same whitelist rules apply once a given sender passes the test, added to temp whitelist and no need to do it the next time. However, it is good practice to reject mail that fails spf or dkim tests, since theoretically it is forged. And if it isn't then, the sender will be made aware that they have an error in their setup. It would be better to reject these before they ever get to the smtp server, would it not? Seems like this would be a function, if fast enough, that would fit the intended use of postscreen. However, this may not be easy to do either since I am sure you don't want to add milter or content screening capability to postscreen, that would surely slow it down. Perhaps one can use the libraries, not sure. Nevertheless, I hope someone considers this possibility for future postfix versions. Steve
Re: Postscreen, SPF and DKIM?
Steve Fatula: Yes, I do realize the more added to postscreen, the slower it gets, etc. However, one function that would seem to fit perfectly if it's not too slow would be spf and dkim checks. SPF we are doing Postscreen by design NEVER SEES THE ENVELOPE OR CONTENT of email that is received by Postfix. DKIM, on the other hand, requires computing a digital hash over the header and body content. Wietse
RE: Postscreen, SPF and DKIM?
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Steve Fatula Sent: Tuesday, August 09, 2011 11:12 AM To: Postfix Users Subject: Postscreen, SPF and DKIM? However, it is good practice to reject mail that fails spf or dkim tests, since theoretically it is forged. And if it isn't then, the sender will be made aware that they have an error in their setup. It would be better to reject these before they ever get to the smtp server, would it not? Seems like this would be a function, if fast enough, that would fit the intended use of postscreen. Postfix architecture aside, I think this is bad advice, at least about DKIM. The premises are false.
Re: Postscreen, SPF and DKIM?
Postfix architecture aside, I think this is bad advice, at least about DKIM. The premises are false. Care to elaborate? Clearly, this is not possible to do in postscreen sort of making this moot, but, SPF spec says to reject messages that have status fail. DKIM says you MAY, and, several pieces of software such as dkim-milter allow you to do so. Also, ADSP records seem to have the capability to say please discard this message under various conditions, why shouldn't that be respected? Gmail (at least) already REJECTS mail based on dkim, at least for some domains like ebay.com I suppose to prevent phishing from reaching inbox or spam folders. I am not as familiar with DKIM as I am SPF. It would be helpful to know what specifically is wrong with the premise, and more importantly, why rejecting would be wrong. I realize there are some issues such as modified headers that can cause signature verification errors, however, the dkim-milter at least accounts for this by using the relaxed mode. Anyway, I'd love to know why the premise is wrong, if you have the time to enlighten me!
RE: Postscreen, SPF and DKIM?
-Original Message- From: Steve Fatula [mailto:compconsult...@yahoo.com] Sent: Tuesday, August 09, 2011 1:15 PM To: Murray S. Kucherawy; Postfix Users Subject: Re: Postscreen, SPF and DKIM? Care to elaborate? Clearly, this is not possible to do in postscreen sort of making this moot, but, SPF spec says to reject messages that have status fail. DKIM says you MAY, and, several pieces of software such as dkim-milter allow you to do so. Also, ADSP records seem to have the capability to say please discard this message under various conditions, why shouldn't that be respected? Gmail (at least) already REJECTS mail based on dkim, at least for some domains like ebay.com I suppose to prevent phishing from reaching inbox or spam folders. I am not as familiar with DKIM as I am SPF. It would be helpful to know what specifically is wrong with the premise, and more importantly, why rejecting would be wrong. I realize there are some issues such as modified headers that can cause signature verification errors, however, the dkim-milter at least accounts for this by using the relaxed mode. I realize this is off-topic but it might be of interest to the Postfix community so I'll reply here until someone tells me to stop. A DKIM signature can fail to verify for perfectly legitimate reasons. The list of possible reasons is large, not the least of which is a signed message that traverses a mailing list that makes major header or body changes, or an MTA that rewrites important header fields like From:. If you treat such messages as suspicious, then you will begin to think DKIM has a huge false negative problem. That's why we wrote the DKIM specifications to be very clear about warning people not to treat a message with a broken signature any differently than one would treat an unsigned message. ADSP is dangerous. We've seen many cases in the wild that back up this claim. Three examples: - a certain open source MTA (not postfix) doesn't pass DSNs/MDNs it generates through its signing filters (if enabled), which means if you advertise an ADSP policy other than unknown, you're immediately violating your own policy - several sites that use ADSP then let their users post mail to lists, many of which invalidate signatures, so legitimate list postings get discarded or (worse) rejected on delivery - in this latter case, the rejection hits the MLM, which decides the recipient's mail is bouncing and unsubscribes the user even though its mail is otherwise just fine Gmail does NOT reject mail based on DKIM, unless Gmail has a prior non-protocol arrangement with a sender to do so, one that involves contracts signed by both parties, such as ebay.com or paypal.com. Gmail has said publicly they will never honour something like ADSP because it is a legal exposure. The dkim-milter (you should switch to opendkim, by the way; dkim-milter is unmaintained), use of relaxed header canonicalization is not a way around the signature invalidation problem overall. It does not account for the header changes that most commonly invalidate signatures. There is (currently) no solution for that other than to get lists to quit modifying messages and get clients to generate legal email so the MTAs don't have to fix it for them post-signing. To understand how to use all of these things properly, try to break the deeply-engrained mindset that we're trying to identify bad stuff to keep out. Rather, start thinking about how to identify the good stuff to let in. That's when DKIM is most useful. -MSK
Re: Postscreen, SPF and DKIM?
Wietse Venema: Steve Fatula: Yes, I do realize the more added to postscreen, the slower it gets, etc. However, one function that would seem to fit perfectly if it's not too slow would be spf and dkim checks. SPF we are doing Postscreen by design NEVER SEES THE ENVELOPE OR CONTENT of email that is received by Postfix. To clarify, postscreen attempts to answer one question: - Is the client a spambot? Postscreen is not concerned with this question: - Is this email message spam? Each approach has its merits, but the first one can eliminate most spam with the least effort, given that ~90% of email is spam, and that ~90% of spam is sent from botnets. Deciding if message is spam is much more difficult. Wietse DKIM, on the other hand, requires computing a digital hash over the header and body content. Wietse
