> -----Original Message-----
> From: Steve Fatula [mailto:compconsult...@yahoo.com]
> Sent: Tuesday, August 09, 2011 1:15 PM
> To: Murray S. Kucherawy; Postfix Users
> Subject: Re: Postscreen, SPF and DKIM?
>
> Care to elaborate? Clearly, this is not possible to do in postscreen
> sort of making this moot, but, SPF spec says to reject messages that
> have status fail. DKIM says you MAY, and, several pieces of software
> such as dkim-milter allow you to do so. Also, ADSP records seem to have
> the capability to say please discard this message under various
> conditions, why shouldn't that be respected?
>
> Gmail (at least) already REJECTS mail based on dkim, at least for some
> domains like ebay.com I suppose to prevent phishing from reaching inbox
> or spam folders.
>
> I am not as familiar with DKIM as I am SPF. It would be helpful to know
> what specifically is wrong with the premise, and more importantly, why
> rejecting would be wrong. I realize there are some issues such as
> modified headers that can cause signature verification errors, however,
> the dkim-milter at least accounts for this by using the relaxed mode.
I realize this is off-topic but it might be of interest to the Postfix community so I'll reply here until someone tells me to stop.

A DKIM signature can fail to verify for perfectly legitimate reasons. The list of possible reasons is large, not the least of which is a signed message that traverses a mailing list that makes major header or body changes, or an MTA that rewrites important header fields like From:. If you treat such messages as suspicious, then you will begin to think DKIM has a huge false negative problem. That's why we wrote the DKIM specifications to be very clear about warning people not to treat a message with a broken signature any differently than one would treat an unsigned message.

ADSP is dangerous. We've seen many cases in the wild that back up this claim. Three examples:

- a certain open source MTA (not postfix) doesn't pass DSNs/MDNs it generates through its signing filters (if enabled), which means if you advertise an ADSP policy other than "unknown", you're immediately violating your own policy

- several sites that use ADSP then let their users post mail to lists, many of which invalidate signatures, so legitimate list postings get discarded or (worse) rejected on delivery

- in this latter case, the rejection hits the MLM, which decides the recipient's mail is bouncing and unsubscribes the user even though its mail is otherwise just fine

Gmail does NOT reject mail based on DKIM, unless Gmail has a prior non-protocol arrangement with a sender to do so, one that involves contracts signed by both parties, such as ebay.com or paypal.com. Gmail has said publicly they will never honour something like ADSP because it is a legal exposure.

The dkim-milter's use of "relaxed" header canonicalization (you should switch to opendkim, by the way; dkim-milter is unmaintained) is not a way around the signature invalidation problem overall. It does not account for the header changes that most commonly invalidate signatures.
There is (currently) no solution for that other than to get lists to quit modifying messages and get clients to generate legal email so the MTAs don't have to fix it for them post-signing. To understand how to use all of these things properly, try to break the deeply-engrained mindset that we're trying to identify bad stuff to keep out. Rather, start thinking about how to identify the good stuff to let in. That's when DKIM is most useful. -MSK
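As an added illustration of the relaxed-canonicalization point above (this is example code written for this page, not code from the thread, dkim-milter or opendkim): RFC 6376 section 3.4.2 relaxed header canonicalization applied to constructed sample headers, showing that it absorbs refolding and whitespace differences but not a mailing list's Subject tag, so the bytes the signer hashed and the bytes the verifier hashes no longer match. The function names and the sample headers are my own.

```python
import re

# Relaxed header canonicalization per RFC 6376 3.4.2 (illustration, not dkim-milter code).
_WSP_RUN = re.compile(r"[ \t]+")
_FOLD = re.compile(r"\r?\n(?=[ \t])")

def relaxed_header(name: str, value: str) -> str:
    """Canonical line for one header field: lowercase name, unfolded value."""
    name = name.strip().lower()                    # lowercase the field name
    value = _FOLD.sub("", value)                   # unfold continuation lines
    value = _WSP_RUN.sub(" ", value).strip(" \t")  # collapse WSP runs, trim ends
    return f"{name}:{value}\r\n"                   # no WSP around the colon

def header_hash_input(headers, signed_fields):
    """Relaxed form of each h= field, in h= order, last instance first (RFC 6376 5.4)."""
    remaining, out = list(headers), []
    for wanted in signed_fields:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                out.append(relaxed_header(*remaining.pop(i)))
                break
    return "".join(out)

def signature_survives(original, received, signed_fields) -> bool:
    """True if signer and verifier hash identical bytes, i.e. relaxed absorbed the change."""
    return header_hash_input(original, signed_fields) == header_hash_input(received, signed_fields)

SIGNED = ["from", "to", "subject", "date"]
# Constructed sample: headers as signed by the author's MTA.
ORIGINAL = [
    ("From", "Steve <steve@example.org>"),
    ("To", "postfix-users@example.net"),
    ("Subject", "Postscreen, SPF and DKIM?"),
    ("Date", "Tue, 09 Aug 2011 13:15:00 -0500"),
]
# Same headers after a relay refolded and re-spaced them (cosmetic changes only).
REFOLDED = [
    ("from", "Steve   <steve@example.org> "),
    ("To", "postfix-users@example.net"),
    ("subject", "Postscreen,\r\n\tSPF and DKIM?"),
    ("Date", "Tue, 09 Aug 2011 13:15:00 -0500"),
]
# Same headers after a mailing list tagged the Subject (a content change).
LIST_TAGGED = [(n, "[postfix-users] " + v if n == "Subject" else v) for n, v in ORIGINAL]

if __name__ == "__main__":
    print("refolded   :", signature_survives(ORIGINAL, REFOLDED, SIGNED))     # True
    print("list tagged:", signature_survives(ORIGINAL, LIST_TAGGED, SIGNED))  # False
```

The body hash (bh=) has the same limitation: relaxed body canonicalization tolerates whitespace, not an appended list footer.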