Mailing List Archive: Qmail: users

Re: not recommended - DKIM Support for netqmail with ADSP



johnl at iecc

Mar 27, 2009, 2:08 PM

Post #1 of 5 (1400 views)
Re: not recommended - DKIM Support for netqmail with ADSP

>I have just managed to incorporate Author Domain Signing Practice (ADSP) for
>qmail/netqmail.

Hi. I'm the main author of the ADSP draft, and my advice is that people
NOT publish ADSP and NOT check ADSP.

There are a handful of domains that are so heavily phished that it
would be a good idea to drop unsigned mail purporting to be from them,
but the reasonable way to do that is with a small manual list
containing a few domains like paypal.com and ebay.com, not whatever
random domains wrongly think that ADSP will make their mail "more
secure".

R's,
John


kyle-qmail at memoryhole

Mar 27, 2009, 2:48 PM

Post #2 of 5 (1292 views)
Re: not recommended - DKIM Support for netqmail with ADSP [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, March 27 at 09:08 PM, quoth John Levine:
>> I have just managed to incorporate Author Domain Signing Practice (ADSP) for
>> qmail/netqmail.
>
> Hi. I'm the main author of the ADSP draft, and my advice is that people
> NOT publish ADSP and NOT check ADSP.

Good to know.

For my own edification, how come? Too many people shooting themselves
in the foot?

~Kyle
- --
My definition of a free society is a society where it is safe to be
unpopular.
-- Adlai E. Stevenson Jr.
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!

iEYEARECAAYFAknNScIACgkQBkIOoMqOI15B3QCg5wu6Sn9Q2OYaT7u39AkSAMr4
ChEAn3Ub0QOGqVDo1TUSo67qDVugdcm8
=LBML
-----END PGP SIGNATURE-----


johnl at iecc

Mar 27, 2009, 3:25 PM

Post #3 of 5 (1305 views)
Re: not recommended - DKIM Support for netqmail with ADSP [In reply to]

>> Hi. I'm the main author of the ADSP draft, and my advice is that people
>> NOT publish ADSP and NOT check ADSP.
>
>Good to know.
>
>For my own edification, how come? Too many people shooting themselves
>in the foot?

That's what I'd expect. The set of domains that are so heavily
phished that it's worth dumping all mail without a signature is really
quite small, while the number of ways that legitimate mail could
arrive without a signature is quite large.

It really would be a good idea to drop mail purporting to be from
Paypal that arrives without a signature, but the domains in that
category can be counted on your fingers and you should handle
them as exceptions to the normal mail handling.

R's,
John


mbhangui at gmail

Mar 27, 2009, 7:18 PM

Post #4 of 5 (1312 views)
Re: not recommended - DKIM Support for netqmail with ADSP [In reply to]

On Sat, Mar 28, 2009 at 2:38 AM, John Levine <johnl [at] iecc> wrote:

> There are a handful of domains that are so heavily phished that it
> would be a good idea to drop unsigned mail purporting to be from them,
> but the reasonable way to do that is with a small manual list
> containing a few domains like paypal.com and ebay.com, not whatever
> random domains wrongly think that ADSP will make their mail "more
> secure".
>
Should I then add a control file 'signaturedomains'?
If a domain is present in this control file and a mail arrives from that
domain without a valid signature, it will be dropped.


mbhangui at gmail

Mar 27, 2009, 8:57 PM

Post #5 of 5 (1294 views)
Re: not recommended - DKIM Support for netqmail with ADSP [In reply to]

On Sat, Mar 28, 2009 at 2:38 AM, John Levine <johnl [at] iecc> wrote:

> There are a handful of domains that are so heavily phished that it
> would be a good idea to drop unsigned mail purporting to be from them,
> but the reasonable way to do that is with a small manual list
> containing a few domains like paypal.com and ebay.com, not whatever
> random domains wrongly think that ADSP will make their mail "more
> secure".
>

Have added the control file signaturedomains. ADSP/SSP checks will be
bypassed for domains listed in this control file, i.e. if signature
verification fails and the domain is listed in this control file,
qmail-dkim will set the status as DKIM_FAIL.
IMHO having the control file is a good idea as it will avoid the overhead of
additional DNS lookups.

It is up to the implementer to accept or reject the message with a permanent /
temporary error by setting the DKIMVERIFY environment variable appropriately
(see qmail-dkim(8)).

The patch is dkim-netqmail-1.06.patch-1.4.gz available at
https://sourceforge.net/project/showfiles.php?group_id=230686&package_id=314675
I have updated the man page qmail-dkim.8 to reflect the new control file.

Regards, Manvendra
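The policy John describes in post #3 (a small hand-maintained list of heavily phished domains whose unsigned mail is dropped, everything else left alone) and the `signaturedomains` control file Manvendra describes in post #5 can be sketched as the following decision logic. This is an added example written for this archive page; it is not code from the thread or from the qmail-dkim patch. The control-file name and the `DKIM_FAIL` status come from the posts; the function names, the leading-dot "any subdomain" entry convention (borrowed from qmail's `rcpthosts` and assumed here for the new file), the sample messages and the list of verified `d=` values standing in for the verifier's output are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed contents of the 'signaturedomains' control file: one entry per
# line, '#' starts a comment. An entry starting with '.' matches that domain
# and any subdomain of it (convention assumed for this example).
SIGNATUREDOMAINS_TEXT = """
# Heavily phished domains whose mail must carry an author-domain DKIM signature
paypal.com
ebay.com
.bank.example
"""


def load_signaturedomains(text):
    """Parse control-file text into a set of lowercase entries."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def author_domain(from_header):
    """Domain of the From: address (ADSP's 'author domain'), or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_listed(domain, entries):
    """Exact match, or a '.x' entry covering x and its subdomains."""
    if domain in entries:
        return True
    labels = domain.split(".")
    for i in range(len(labels)):
        if "." + ".".join(labels[i:]) in entries:
            return True
    return False


def dkim_verdict(from_header, verified_signature_domains, entries):
    """Apply the manual-list policy.

    verified_signature_domains: d= values of DKIM signatures that verified
    cryptographically (constructed stand-in for the verifier's result).
    Returns (status, reason); only DKIM_FAIL is a rejection candidate.
    """
    author = author_domain(from_header)
    if author is None:
        return ("DKIM_NONE", "no parseable author address")
    verified = {d.lower().rstrip(".") for d in verified_signature_domains}
    if author in verified:
        # ADSP-style alignment: a verified signature whose d= equals the author domain
        return ("DKIM_PASS", f"author-domain signature d={author} verified")
    if not is_listed(author, entries):
        # Unlisted domain: no policy lookup and no penalty for missing signature
        return ("DKIM_NONE", f"{author} not in signaturedomains; no policy applied")
    return ("DKIM_FAIL", f"{author} listed but no verified signature aligned with it")


def smtp_response(status, mode):
    """Map a verdict to an SMTP reply. 'reject' gives a permanent error,
    'defer' a temporary one, mirroring the choice the post leaves to the
    implementer; anything but DKIM_FAIL is accepted (None)."""
    if status != "DKIM_FAIL":
        return None
    if mode == "defer":
        return "451 4.7.1 DKIM signature required for this sender; try again later"
    return "554 5.7.1 DKIM signature required for this sender"


# Constructed sample messages: (From header, verified signature d= values)
SAMPLES = [
    ("PayPal <service@paypal.com>", ["paypal.com"]),
    ("PayPal <service@paypal.com>", []),
    ('"PayPal Security" <alerts@paypal.com>', ["bulkmailer.example"]),
    ("Friend <someone@mail.bank.example>", []),
    ("Newsletter <news@unrelated.example>", []),
]

if __name__ == "__main__":
    entries = load_signaturedomains(SIGNATUREDOMAINS_TEXT)
    for from_header, verified in SAMPLES:
        status, reason = dkim_verdict(from_header, verified, entries)
        print(f"{status:9} {from_header!r}: {reason}")
```

The third sample is the case the list exists for: a message claiming to be from a listed domain carries a valid signature, but from an unrelated signer, so it still fails. The last sample shows the other half of John's point: an unlisted domain with no signature is simply not judged, which is where a blanket ADSP check would produce false rejections.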
