Re: [qmailtoaster] DKIM Verification Question

2020-06-03 Thread Gary Bowling

  
  


To save you some searching. Here's a page with a lot of good
info. It's about how to do all this on postfix, so it's not a
cookie cutter for doing it on our toaster, but good info
nonetheless. He also uses "opendmarc" to process DMARC things, but
spamassassin also has it built in as per my previous note.



https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/


Gary



Re: [qmailtoaster] DKIM Verification Question

2020-06-03 Thread Eric Broch

Thanks, Gary.

I'll have a look


Re: [qmailtoaster] DKIM Verification Question

2020-06-03 Thread Gary Bowling

  
  
 

Further to this subject. I am learning that there are more pieces
  that can help us out. Spamassassin gives us a way to assign a spam
  score to messages with various DKIM results. But it doesn't know
  what the original sender wanted us to do with messages that have
  DKIM problems, therefore we just default to giving scores with
  some predetermined weighting.


There are two more tools, ADSP (Author Domain Signing Practices),
  and DMARC (Domain based Message Authentication, Reporting and
  Conformance). Which are both fancy ways of saying, "I want to tell
  other servers that messages from MY server should have DKIM and
  what to do if they don't"


For outbound mail, both ADSP and DMARC simply require you to set
  up DNS TXT records telling remote servers how to handle messages
  received from your server. If you want to use either of these, do
  a search for them and you'll find info on how to set up the DNS
  records. Without explanation of all the fields, here's what I put
  in my bind DNS.


_adsp._domainkey.mail  IN TXT    "dkim=all"

_dmarc.mail    IN   TXT   "v=DMARC1; p=quarantine; rua=mailto:postmas...@example.com; ruf=mailto:postmas...@example.com; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"



For inbound mail, we can set up spamassassin to query DNS records
  for inbound mail and score them based on info that others might
  have configured in DMARC. It requires a plugin called AskDNS, but
  that looks to already be available in our spamassassin and also in
  the EPEL version of spamassassin, so it should just require us to
  assign scores. Here's what I have configured in my
  /etc/spamassassin/local.cf



ifplugin Mail::SpamAssassin::Plugin::AskDNS
# Look up the author domain's DMARC record and note which policy it publishes
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

# Fire only when the message has neither a valid author-domain DKIM signature nor an SPF pass
meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 10
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif # Mail::SpamAssassin::Plugin::AskDNS











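An added example, not part of the original post: the askdns patterns in the local.cf from the message above only match when the policy tag is followed by a semicolon, so a record that ends in `p=reject` is never scored. The sketch below runs the posted patterns and a tag-by-tag parse over constructed TXT records; the function names and sample records are assumptions, and Python's `re` stands in for SpamAssassin's Perl regexes.

```python
import re

# The three askdns patterns from the local.cf in the post. They are Perl
# regexes; these particular ones behave the same under Python's re module.
ASKDNS_PATTERNS = {
    "none": re.compile(r"^v=DMARC1;.*\bp=none;"),
    "quarantine": re.compile(r"^v=DMARC1;.*\bp=quarantine;"),
    "reject": re.compile(r"^v=DMARC1;.*\bp=reject;"),
}

# Scores the post assigns to DMARC_NONE, DMARC_QUAR and DMARC_REJECT.
SCORES = {"none": 0.1, "quarantine": 5.0, "reject": 10.0}


def policy_by_regex(txt):
    """Policy the posted askdns patterns would detect in a TXT record, else None."""
    for policy, pattern in ASKDNS_PATTERNS.items():
        if pattern.search(txt):
            return policy
    return None


def policy_by_tags(txt):
    """Policy found by splitting the record into tag=value pairs (RFC 7489 style).

    Tolerates a missing trailing ';' and whitespace around '=' and ';'.
    Returns None unless the first tag is v=DMARC1 and p= holds a known policy.
    """
    tags = []
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    policy = dict(tags).get("p", "").lower()
    return policy if policy in SCORES else None


def dmarc_score(policy, dkim_valid_au, spf_pass):
    """Score the post's meta rules add: only when neither check passed."""
    if policy is None or dkim_valid_au or spf_pass:
        return 0.0
    return SCORES[policy]


# Constructed sample TXT records (example.org addresses are placeholders).
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:reports@example.org;",
    "v=DMARC1; p=reject",                       # policy is the last tag, no ';'
    "v=DMARC1; p=quarantine; sp=reject; pct=100",
    "v=DMARC1;p=none;",
    "v=spf1 -all",                              # a TXT record that is not DMARC
]


def missed_by_regex(records):
    """Records whose policy the tag parser finds but the askdns patterns miss."""
    return [r for r in records
            if policy_by_tags(r) is not None and policy_by_regex(r) is None]


if __name__ == "__main__":
    for rec in SAMPLES:
        rx, tg = policy_by_regex(rec), policy_by_tags(rec)
        # Worst case for the receiver: no valid author-domain DKIM, no SPF pass.
        print(f"{rec!r}\n  regex={rx} score={dmarc_score(rx, False, False)}"
              f"  tags={tg} score={dmarc_score(tg, False, False)}")
    print("missed:", missed_by_regex(SAMPLES))
```

`dmarc_score` mirrors the posted meta rules as written, so any SPF_PASS suppresses the score, whereas DMARC itself also requires the SPF-authenticated domain to align with the From: domain.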
Re: [qmailtoaster] DKIM Verification Question

2020-06-02 Thread Gary Bowling

  
  


Yea, I had already looked in there, they aren't there. I
  eventually found them in 



/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DKIM.pm


Looks like the defaults are, 

  score DKIM_ADSP_ALL  2.5
  score DKIM_ADSP_DISCARD 25
  score DKIM_ADSP_NXDOMAIN 3

  score DKIM_ADSP_CUSTOM_LOW   1
  score DKIM_ADSP_CUSTOM_MED   3.5
  score DKIM_ADSP_CUSTOM_HIGH  8


For right now, I'm going to adjust a few of these and also adjust
  some of the SPF settings. Here's what I'm trying right now in my
  /etc/spamassassin/local.cf




#Adjust scores for SPF FAIL
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_SOFTFAIL 3.0
score SPF_SOFTFAIL 3.0

#adjust DKIM scores
score DKIM_ADSP_ALL 3.0
score DKIM_ADSP_DISCARD  10.0
score DKIM_ADSP_NXDOMAIN 3.0
  

  

  Thanks,
  Gary







Re: [qmailtoaster] DKIM Verification Question

2020-06-02 Thread Eric Broch

Gary,

The stock scores for spamassassin are in /usr/share/spamassassin/*.cf.

# grep DKIM /usr/share/spamassassin/*.cf

For your local configuration you can override the scores in 
/etc/mail/spamassassin/local.cf on COS8 or /etc/spamassassin/local.cf on 
COS7. I know THAT one can manipulate scores to fit their needs with 
spamassassin, however, I have NEVER done it. This is me sloughing it 
off. ;-) The reason I like spamassassin DKIM verification is because it 
doesn't just reject bad DKIM which as you mentioned can have bad effects 
but scores it with other things for rejection.


If you find some configuration that suits you and your system I'd be 
willing to post it on the QMT web as a stock 'QMT' setting.


Eric

- 
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 


Re: [qmailtoaster] DKIM Verification Question

2020-06-02 Thread Gary Bowling

  
  

  Thanks Eric. What is the config setting in local.cf to change the
  DKIM scoring? I don't find any setting in my /etc/spamassassin/
  directories that sets that score. Is the scoring for the stock
  EPEL local.cf different from what we have? I assume not since you
  said you didn't tailor any of that in QMT. 



I think that's a good move to use the stock spamassassin from
  EPEL.


As DKIM seems to be more pervasive these days, I might be tempted
  to increase the score in spamassassin if I can find the local.cf
  setting.



Thanks, Gary 




Re: [qmailtoaster] DKIM Verification Question

2020-06-02 Thread Eric Broch

Hi Gary,

My intent, which I articulated in another email on the list and instead 
of reinventing the wheel, was exactly as you deduced in your email, that 
is, to allow spamassassin to score DKIM which it does; however, I have 
not done anything as far as a tailoring configuration for QMT and was 
content to allow users that scoring decision. My goal is to drop the 
specially created QMT spamassassin (and clamav) rpm, which I've done in 
CentOS 8, and use the stock rpm from EPEL.


I think you can override default scoring for DKIM in 
/etc/spamassassin/local.cf on COS7 and /etc/mail/spamassassin/local.cf 
on COS8.


Eric


[qmailtoaster] DKIM Verification Question

2020-06-02 Thread Gary Bowling

  
  
What is everyone doing these days for DKIM verification, i.e.
  checking incoming mail for DKIM signatures?


Background
Many years ago, when DKIM was first introduced to the toaster
  (maybe it was even in the Shupp's toaster days), I installed and
  turned on incoming DKIM verification. Initially I set it to
  "reject" unsigned email and of course that was a disaster as it
  blocked most everything.


Back then, the choice was to have it verify emails, but not block
  them, or remove verification. I made the decision that checking
  without doing anything was a waste of resources, so I removed any
  DKIM verification. I don't remember how I did all this, as it was
  years ago.


Then at some point DKIM verification was added to spamassassin,
  or maybe it was always there but we didn't implement the plugin.
  At any rate, spamassassin DKIM verification was added to the
  toaster.


Which seems like a good thing as spamassassin can assign a score
  to DKIM verification which plays into whether a msg is marked as
  spam or not. The problem with it though, is the score for NOT
  being verified is very low, something like .01, which essentially
  does nothing. I can't find any "user" added parameter that would
  increase that score and don't really know if that's a good thing
  to try to do. If it were a good thing, I would think it would be a
  commonly used setting, which doesn't appear to be the case.


What to do in 2020?
So the question is, what to do about DKIM verification in 2020?
  From the way my server is configured it appears to be useless. But
  maybe that's because I don't know how to best configure it.


Side Note
On a side note, I do use outbound DKIM and have DNS set up, etc.
  I have no idea if this is useful or not, but I'll leave it, hoping
  that somehow this reduces my probability of being rejected by some
  server out there. But from what I can tell, it really does
  nothing. Seems to me DKIM is nothing more than an exercise in
  futility and extra work for postmasters :)



-- 
  
  Gary Bowling
  The Moderns on Spotify
  

  

