Hi, Mark,
On 12/23/10 7:44 PM, Mark Martinec wrote:
Rolf,
running (soon to be upgraded):
SpamAssassin Server version 3.2.5
running on Perl 5.8.8
I'm new to this list, although I'm not new to SpamAssassin. Looking at
http://spamassassin.apache.org/tests_3_3_x.html, and particularly at the
following DKIM tests:
DKIM_VERIFIED
DKIM_POLICY_TESTING
DKIM_POLICY_SIGNSOME
DKIM_POLICY_SIGNALL
I wonder what these tests exactly mean. The Wiki pages for them are not
yet written, hence my question here on the list.
3.2.5 - 25_dkim.cf:
describe DKIM_SIGNED Domain Keys Identified Mail: message has a
signature
describe DKIM_VERIFIED Domain Keys Identified Mail: signature passes
verification
describe DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
signs some mails
describe DKIM_POLICY_SIGNALL Domain Keys Identified Mail: policy says domain
signs all mails
describe DKIM_POLICY_TESTING Domain Keys Identified Mail: policy says domain
is testing DK
3.3.1 - 25_dkim.cf:
describe DKIM_SIGNED Message has a DKIM or DK signature, not
necessarily valid
describe DKIM_VALID Message has at least one valid DKIM or DK
signature
describe DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
describe DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
describe DKIM_ADSP_DISCARD No valid author signature, domain signs all
mail
and suggests
discarding the rest
describe DKIM_ADSP_ALL No valid author signature, domain signs
all mail
describe DKIM_ADSP_CUSTOM_LOW No valid author signature, adsp_override is
CUSTOM_LOW
describe DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is
CUSTOM_MED
describe DKIM_ADSP_CUSTOM_HIGH No valid author signature, adsp_override is
CUSTOM_HIGH
60_whitelist_dkim.cf:
describe USER_IN_DKIM_WHITELIST From: address is in the user's DKIM
whitelist
describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM
white-list
Oops, I just forgot to have a look at the rules and scores themselves
within my SA configuration.
The are some differences in DKIM plugin and its rules between 3.2.5 and 3.3.1,
but the concept is the same.
DKIM_SIGNED just means there is a signature. Purely informative, no score.
DKIM_VERIFIED has been renamed DKIM_VALID with 3.3.0 (both names
are still there, aliases), and means that at least one signature is valid.
Since we have no information at this point on the reputation of a
signer, its score is very low too, but can serve in meta rules to contribute
good score to reputable signers (instead of hard-whitelisting them
with USER_IN_DKIM_WHITELIST).
The DKIM_POLICY_* are gone in 3.3.0, they are just there for compatibility,
with score 0.
Does it mean http://spamassassin.apache.org/tests_3_3_x.html needs a
correction of the score (1) for these tests?
New with 3.3.* is the ADSP support. See POD docs on the DKIM plugin.
I am pleased to see that the ADSP tests can be recognized by their name
and that DKIM itself and ADSP are not mixed up.
As the default scores of these tests are all one (1)
No, they are not at 1. Grep your 50_scores.cf file.
3.2.5:
score USER_IN_DKIM_WHITELIST -100.000
score USER_IN_DEF_DKIM_WL -7.500
score ENV_AND_HDR_DKIM_MATCH -7.500
score DKIM_POLICY_SIGNALL 0.001
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0.001
score DKIM_SIGNED 0.001
score DKIM_VERIFIED -0.001
3.3.1:
score USER_IN_DKIM_WHITELIST -100.000
score USER_IN_DEF_DKIM_WL -7.500
score DKIM_SIGNED 0.1
score DKIM_VALID -0.1
score DKIM_VALID_AU -0.1
score DKIM_VERIFIED 0
score DKIM_POLICY_SIGNALL 0
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0
score DKIM_ADSP_CUSTOM_LOW 0.001
score DKIM_ADSP_CUSTOM_MED 0.001
score DKIM_ADSP_CUSTOM_HIGH 0.001
score DKIM_ADSP_ALL 0 1.1 0 0.8
score DKIM_ADSP_DISCARD 0 1.8 0 1.8
score DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9
I wonder what exactly these tests do. For
example, does the first test (DKIM_VERIFIED) means, that if a DKIM
signature could be verified, the score is increased by one (1)? And
what does 'verified' mean? A verification result can be positive and
negative but in both situations the DKIM signature may have been
verified correctly (i.e. no DNS problems, no ambiguous outcome etc.).
This is why DKIM_VERIFIED has been renamed to DKIM_VALID.
Furthermore, the name of the 3rd and 4th of these tests seems to hint
into the directory of ADSP, as policy mechanism added to DKIM? Is it
correct that these tests perform an ADSP DNS lookup?
Yes, with 3.3, if you allow them to do so (can be overruled by
adsp_override command).
Thanks very much!
/rolf
