On 20 May 2016, at 21:22, Viktor Dukhovni wrote:
On May 20, 2016, at 3:54 PM, <list...@tutanota.com>
<list...@tutanota.com> wrote:
In the general case of ordering preqeue filtering is it the
recommendation to send mail through DKIM & DMARC checks before, or
after, checks for bad extensions & viruses?
When receiving email, do DKIM verification early, before you modify
the
content in any way.
Yes but that's orthogonal to the specific question, whose answer depends
on how one handles mail with unwanted files.
DKIM is a relatively expensive check because it depends on DNS and
cryptography, while unwanted filetypes by name extension or MIME type
are very cheap pattern matches. Virus scanning comes somewhere between
them. So if you reject mail that you deem to contain undesirable files,
it is cheaper to do the simple filetype checks ahead of anything else,
as long as whatever you use for those checks is certain to not modify a
valid message, particularly the headers, if you will later be doing DKIM
verification on messages that pass.
Of course this is to some degree a hypothetical question, since a choice
of tools for other reasons may dictate DKIM verification before scanning
for risky filetypes or specifically risky files.
