Victor Duchovni:
> There will at some point be interest in DNSWL support for verified DKIM
> "d=" domains. For now that's out of scope (milters, pre-queue filters, ...)
> I've recently started using the OpenDKIM library, ... it is fairly easy
> to support. If there is ever interest in directly supporting DKIM in the
> Postfix SMTP server, I'm game to talk design.
>
> Due to the DNS lookup latency inherent in incoming DKIM checks, doing
> DKIM in post-queue content-filters is somewhat unattractive, as typically
> one wants low-latency, modest concurrency in a post-queue filter.
Another way to avoid post-queue filter DNS latency is to preload the DNS cache before the message hits the queue, perhaps with a header_checks rule (instead of switching to a before-queue filter). There's already demand for DNS lookups for header substrings. This resulted in a header_checks plugin by Sahil, if I recall correctly.

Native support for DNS lookups from header_checks fragments could look like this:

    # Block bad domains in the header (over-simplified)
    /^(Resent-)?(From|Sender):.*@([-a-z0-9_.]+)/ REJECT_RHSBL $3

    # Preload the DNS cache for the post-queue filter.
    /^DKIM-Signature:.*d=([-a-z0-9_.]+).*?;\s*s=([-a-z0-9_.]+)/ NOOP_RHSBL $2._domainkey.$1
    /^DKIM-Signature:.*s=([-a-z0-9_.]+).*?;\s*d=([-a-z0-9_.]+)/ NOOP_RHSBL $1._domainkey.$2

Novice-friendly it is not, but that can be said of most uses of regular expressions.

I have another concern about usability; it should be easy to skip these checks for local submissions. Such mail should flow even while the network is down. I am reluctant to introduce features that have non-obvious exceptions.

Wietse
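As an added illustration (not code from this thread or from Postfix), the same extraction the two DKIM-Signature regexes perform, done with a tag-list parser so that d= and s= are found in either order and across folded header lines, plus the From:/Sender: domain extraction the first rule does. The header values and the names `parse_dkim_tags`, `dkim_key_name` and `sender_domain` are constructed for this example.

```python
import re
from email.utils import parseaddr

# Constructed sample header values (not from the original post).  The
# DKIM-Signature is folded and lists s= before d=, the case the post's
# second regex exists to cover.
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
               "\ts=sel2024; d=Example.COM; h=from:to:subject;\r\n"
               "\tbh=BASE64BODYHASH=; b=BASE64SIG=")
SAMPLE_FROM = "Alice Example <alice@Example.ORG>"

# tag-name [FWS] "=" [FWS] tag-value, as in RFC 6376 section 3.2
_TAG_RE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*)", re.DOTALL)


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs.
    Folding whitespace inside values is removed, as a verifier does."""
    tags = {}
    for field in value.split(";"):
        field = field.strip()
        if not field:            # a trailing ';' leaves an empty field
            continue
        m = _TAG_RE.fullmatch(field)
        if m is None:
            raise ValueError("malformed tag: %r" % field)
        name, val = m.group(1), re.sub(r"\s+", "", m.group(2))
        if name in tags:         # RFC 6376 forbids duplicate tag names
            raise ValueError("duplicate tag: " + name)
        tags[name] = val
    return tags


def dkim_key_name(value):
    """Name to prefetch: <selector>._domainkey.<signing domain>, lower-cased
    because DNS names are case-insensitive and caches key on them."""
    tags = parse_dkim_tags(value)
    if not tags.get("d") or not tags.get("s"):
        raise ValueError("DKIM-Signature lacks d= or s=")
    return ("%s._domainkey.%s" % (tags["s"], tags["d"])).lower()


def sender_domain(value):
    """Domain part of a From:/Sender: address, the RHSBL lookup key."""
    _, addr = parseaddr(value)
    if "@" not in addr:
        raise ValueError("no address in header: %r" % value)
    return addr.rsplit("@", 1)[1].lower()
```
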