On 2021-06-22 at 07:45:35 UTC-0400 (Tue, 22 Jun 2021 13:45:35 +0200)
Yves Goergen via Exim-users <[email protected]>
is rumored to have said:
> Hello,
> I've set up my mail server with Exim so that it obeys the restrictions
> in RFC 8301. That means that DKIM signatures with SHA-1 hashing or
> keys shorter than 1024 bits are rejected. Also, other messages with
> invalid or mismatching signatures are rejected.
RFC 8301 does NOT say that messages with invalid, mismatching, or
cryptographically obsolete signatures should be rejected. RFC 6376,
which 8301 is an addendum for, also does not say that non-conformant
messages should be rejected. To the contrary, RFC 6376 says that a bad
or missing signature SHOULD NOT be the sole basis for rejecting a
message. See https://datatracker.ietf.org/doc/html/rfc6376#section-6.3
Doing so guarantees that you will reject legitimate email.
> That causes a bit of trouble because many mail servers out there seem
> to be sending out messages with outdated, invalid or broken DKIM
> signatures. That leads to those messages being rejected when they
> should actually be delivered.
You should fix this by following the recommendations of the relevant
RFCs.
If you have your heart set on rejecting non-compliant messages, you may
find it helpful to also deploy DMARC, which provides a reasonable
framework for selectively rejecting messages with bad/broken/faked
signatures based on the domains of the putative signers and senders.
> Is DKIM usage so broken beyond repair that I should instead completely
> ignore it?
That is not your only option.
DKIM is useful for definitively identifying non-forgeries, for an
unintuitive definition of non-forgery. Because it is inherently fragile,
it cannot definitively identify forgeries. In conjunction with DMARC, it
can do a bit better with a more sensible delineation of verified and
non-verified messages and of how they should be handled.
> Among those broken servers are eBay (none of their messages appears
> here), several mailing lists (not sure if it's also this one) and
> other companies who should be serious about digital security (but may
> not have digital expertise themselves).
> What are your experiences with DKIM validation and especially that RFC
> 8301? I'd like to know how to proceed with this. Currently I'm
> explaining to my mailbox users that the senders' mail server
> configuration is broken and needs repair. But not everybody accepts
> that.
Rejecting mail simply because it does not comply with RFC 8301 and
RFC 6376 is itself an indication of a broken mail server and that needs
repair.
> -Yves (please CC me when replying)
I am doing so, however in return I ask that you respect my Reply-To
header and DO NOT send me duplicates of messages sent to this (or any
other) mailing list.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
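The distinction drawn in this reply, between classifying a signature as non-compliant with RFC 8301 and deciding what to do with the message, can be shown as an added example (not code from the thread, Exim, or any real verifier). It parses the RFC 6376 tag=value syntax of a constructed DKIM-Signature header, labels the signature per RFC 8301, and then applies a simplified DMARC-style decision in which a bad or obsolete DKIM result is never the sole reason to reject, as RFC 6376 section 6.3 advises. The key length is passed in as a parameter (in practice it comes from the selector's DNS TXT record), and no cryptographic verification of the b= tag is attempted.

```python
import re

# Constructed sample header for illustration; not taken from any real message.
DKIM_SIG = (
    "v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com; s=sel1; "
    "h=from:to:subject; bh=BASE64BODYHASH=; b=BASE64SIG="
)

def parse_tags(header: str) -> dict:
    """Split an RFC 6376 tag=value list; whitespace inside values is folding noise."""
    tags = {}
    for item in header.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def rfc8301_status(tags: dict, key_bits: int) -> str:
    """'ok' if the algorithm and key size satisfy RFC 8301, else the reason they do not.
    (ed25519-sha256 is the RFC 8463 algorithm; it has no RSA key-size floor.)"""
    algo = tags.get("a", "").lower()
    if algo == "rsa-sha1":
        return "obsolete-hash"      # RFC 8301: verifiers MUST NOT treat rsa-sha1 as valid
    if algo == "rsa-sha256" and key_bits < 1024:
        return "weak-key"           # RFC 8301: RSA keys shorter than 1024 bits MUST NOT be used
    if algo not in ("rsa-sha256", "ed25519-sha256"):
        return "unknown-algo"
    return "ok"

def action(dkim_status: str, dmarc_policy: str, aligned_spf_pass: bool) -> str:
    """Decide disposition. Assumed simplified DMARC: the From domain's published
    policy (none/quarantine/reject) applies only when neither DKIM nor aligned SPF
    passed, so the receiver's RFC 8301 strictness alone never rejects a message."""
    if dkim_status == "ok" or aligned_spf_pass:
        return "accept"
    if dmarc_policy == "reject":
        return "reject"             # the sender's own policy, not the receiver's
    if dmarc_policy == "quarantine":
        return "quarantine"
    return "accept-and-annotate"    # record the result (e.g. Authentication-Results), deliver anyway

if __name__ == "__main__":
    tags = parse_tags(DKIM_SIG)
    status = rfc8301_status(tags, key_bits=2048)
    print(tags["d"], status, action(status, dmarc_policy="none", aligned_spf_pass=False))
```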