Mailing List Archive: exim: users

Experimental Domainkeys

 

 



peter at bowyer

Nov 15, 2006, 8:14 AM

Post #1 of 5 (1448 views)
Experimental Domainkeys

I'm experimenting with the DK ACL support, and seeing interesting
results. I'm not (yet) signing any outgoing mail, but I want to use DK
verification to support whitelisting of known problematic sending
domains - notably yahoogroups.com, which reacts badly to greylisting
and false positives.

I'm verifying DK on most incoming messages that get past the header
checks - that part is working OK. I'm logging DK verification results
so that I can see what is signed, what isn't, what verifies OK, what
doesn't. I'm seeing a good mix, all seems to be functioning.

However my initial desire to use this to whitelist yahoogroups.com is
failing because a good proportion of mail from them is reported as
'bad' - the DK verification fails. I'm wondering if this is dodgy
signing from Yahoo, or something going awry in the DK support in Exim,
or in libdomainkeys.

Before I head down the dragon-infested route elsewhere - is anyone else
using DK verification in Exim with any success, for this or any other
use case? (Oh, and 'domainkeys yahoogroups' is very difficult to
Google for... try it....)

Exim 4.63, libdomainkeys 0.68, all on Linux FC6.

An extract from the DATA ACL:

  # Mark every signed message with the verifier's verdict and log it
  warn  !dk_status   = no signature
        message      = DomainKey-Status: $dk_status
        log_message  = DOMAINKEYS: $dk_status for $dk_sender_domain

  # Good signature from a domain we trust: let it bypass the later checks
  accept dk_status         = good
         dk_sender_domains = +dk_whitelist_domains
         logwrite          = DOMAINKEYS: Whitelisted for $dk_sender_domain

  warn  dk_status = good
        logwrite  = DOMAINKEYS: Good sig but no whitelist for $dk_sender_domain

  # Whitelisted domain whose signature did not verify (the yahoogroups case)
  warn  !dk_status        = good
        dk_sender_domains = +dk_whitelist_domains
        logwrite          = DOMAINKEYS: Whitelisted domain but status $dk_status for \
                            $dk_sender_domain


Peter



--
Peter Bowyer
Email: peter[at]bowyer.org

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/


david at ols

Nov 15, 2006, 9:16 AM

Post #2 of 5 (1369 views)
Re: Experimental Domainkeys [In reply to]

Hi !!

> Before I head down the dragon-infested route elsewhere - is anyone else
> using DK verification in Exim with any success, for this or any other
> use case? (Oh, and 'domainkeys yahoogroups' is very difficult to
> Google for... try it....)

we use it for signing and checking without any problem.

--
Best regards ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. e-mail david[at]ols.es
Pintor Vayreda 1 telf +34 902 50 29 75
08184 Palau-Solita i Plegamans movil +34 670 35 27 53
----------------------------------------------------------------





exim-users at spodhuis

Nov 15, 2006, 6:20 PM

Post #3 of 5 (1355 views)
Re: Experimental Domainkeys [In reply to]

On 2006-11-15 at 16:14 +0000, Peter Bowyer wrote:
> However my initial desire to use this to whitelist yahoogroups.com is
> failing because a good proportion of mail from them is reported as
> 'bad' - the DK verification fails. I'm wondering if this is dodgy
> signing from Yahoo, or something going awry in the DK support in Exim,
> or in libdomainkeys.

DomainKeys requires that any mailing-list manager which messes "too
much" with headers re-sign the mail.

I've only just turned on domainkeys, experimental status, policy t=y.
So far, every mail sent directly succeeds. Mail sent via mailman fails
verification, but with "bad format" not "bad".

Using the Perl Mail::DomainKeys and a copy of the failed message which
has been through mailman, there are _two_ things required to get
verification to succeed: remove the Sender: header added by mailman and
move the Subject: header back into the position it had when it was sent.

perl <DK-sample-m2 -MMail::DomainKeys::Message \
    -e '$mail = load Mail::DomainKeys::Message(File => \*STDIN) or die "foo1";
        $mail->senderdomain or die "foo2, no sender domain";
        $mail->signed or die "foo3, unsigned";
        if ($mail->verify) { print "DK: signature valid\n" }
        else { print "DK: verification failure\n" }'

and change the redirection to be from whichever sample file you have.

I need to do more investigation to see which fixes are needed to get it
past Exim with libdomainkeys as opposed to Mail::DomainKeys.

So, adding the Sender: header with a new mail-domain, whilst leaving the
DomainKey-Signature header present for the other domain, causes
verification to fail, even though it's really "no relevant signature".

This looks to me like a logic flaw in the DK draft, in that if the
Sender: domain does not match any DK header but the From: domain
does, then the From: domain should be tried. That doesn't appear to be
in the spec. What am I missing? The people who wrote DK are
intelligent and must've thought of this.

Is DK really incompatible with mailman as generally deployed? Googling
suggests so, but that newer releases have patches in to work around it.

<URL:http://www.mail-archive.com/mailman-coders[at]python.org/msg00588.html>

Anyone have any pointers to further information, or reeducation for me?

-Phil



peter at bowyer

Nov 15, 2006, 10:23 PM

Post #4 of 5 (1365 views)
Re: Experimental Domainkeys [In reply to]

On 16/11/06, Phil Pennock <exim-users[at]spodhuis.org> wrote:
> On 2006-11-15 at 16:14 +0000, Peter Bowyer wrote:
> > However my initial desire to use this to whitelist yahoogroups.com is
> > failing because a good proportion of mail from them is reported as
> > 'bad' - the DK verification fails. I'm wondering if this is dodgy
> > signing from Yahoo, or something going awry in the DK support in Exim,
> > or in libdomainkeys.
>
> DomainKeys requires that any mailing-list manager which messes "too
> much" with headers re-sign the mail.

Agreed - in the case of yahoogroups though, the signature is theirs.
I'm not considering them as a mailing list manager, but as a mail
originator. And I'd have thought (perhaps naively) that they of all
people would get it right....

Peter

--
Peter Bowyer
Email: peter[at]bowyer.org



tom at duncanthrax

Nov 16, 2006, 4:10 AM

Post #5 of 5 (1362 views)
Re: Experimental Domainkeys [In reply to]

Phil Pennock wrote:

> Is DK really incompatible with mailman as generally deployed?

Unfortunately yes. Also with any other header-appending,
attachment-scrubbing, charset-converting, useless-footer-glueing and
otherwise mail-sanitizing software ... :)

(At least for the header mess there's the h= option that can specify the
headers that are to be included in the signature calculation).

If I remember correctly (have not read the spec in a while), the
"Sender:" header domain overrides the "From:" header domain. This means
that if your software adds a "Sender:" header, it should either sign the
message too OR remove any existing DK headers. You should not do both,
however.

/tom
Attachments: smime.p7s (3.26 KB)
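The sender-domain rule Tom and Phil describe (Sender: overrides From:), the h= header list, and the "no relevant signature" outcome Phil argues the Mailman case really is, as a small added Python model of the verifier's pre-crypto decisions; this is not Exim, libdomainkeys or Mail::DomainKeys code. The message, domain names and returned status strings are constructed for the example and are not Exim's $dk_status values.

```python
# Constructed sample (not a real message): a direct post DK-signed by its From: domain.
ORIGINAL = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel; d=example.net;
 h=From:Subject; b=<signature-bytes-omitted>
From: someone@example.net
Subject: hello

body
"""
# Same message after a Mailman-style relay: Sender: added, Subject: prefixed.
RELAYED = "Sender: somelist-bounces@lists.example.org\n" + \
    ORIGINAL.replace("Subject: hello", "Subject: [somelist] hello")

def parse_headers(raw):
    """Header block as ordered (name, value) pairs, folded lines unfolded."""
    headers = []
    for line in raw.split("\n\n", 1)[0].split("\n"):
        if line[:1] in (" ", "\t") and headers:  # continuation of the previous header
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            headers.append(tuple(s.strip() for s in line.split(":", 1)))
    return headers

def dk_sender_domain(headers):
    """DomainKeys takes the Sender: domain when present, otherwise From: (RFC 4870)."""
    for wanted in ("sender", "from"):
        for name, value in headers:
            if name.lower() == wanted:
                return value.rsplit("@", 1)[-1].strip("> ").lower() if "@" in value else None
    return None

def dk_signatures(headers):
    """Tag dict (a=, d=, h=, b=, ...) for every DomainKey-Signature: header."""
    return [dict(kv.strip().split("=", 1) for kv in v.split(";") if "=" in kv)
            for n, v in headers if n.lower() == "domainkey-signature"]

def dk_status(headers):
    """Verifier outcome before any cryptography: which signature, if any, applies."""
    sigs = dk_signatures(headers)
    if not sigs:
        return "no signature"
    sender = dk_sender_domain(headers)
    if not any(t.get("d", "").lower() == sender for t in sigs):
        return "no relevant signature"  # signed, but not by the sender domain
    return "signature for sender domain"  # only now would b= be checked over h=

def hashed_header_values(headers, tags):
    """Values the h= list (Tom's point) puts under the hash, in message order."""
    wanted = [h.strip().lower() for h in tags.get("h", "").split(":")]
    return [v for n, v in headers if n.lower() in wanted]
```

Run against RELAYED, the added Sender: flips the sender domain to the list's domain, so the example.net signature is no longer the one the verifier looks for, and the rewritten Subject: would also change the hashed input.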
