DKIM becomes more official

Gary Mills
Thu Oct 25 23:34:58 UTC 2007

On Mon, Oct 22, 2007 at 08:51:35PM +0000, Vernon Schryver wrote:
> > From: Gary Mills 
> > The DKIM milter runs before the dccm milter.  It does use macros to
> > communicate with the main sendmail process, but it doesn't appear to
> > set macros specifically for subsequent milters.  It does create one
> > header; here's an example for when verification succeeds:
> >
> >     Authentication-Results:; dkim=pass (1024-bit key)
> >
> > This was for e-mail from the domain with verification on
> > host setup01.  Can this be used directly by the dccm milter?  

> Does that header change depending on the sender?  If so, each sender
> would require distinct /var/dcc/whiteclnt or
> /var/dcc/user/local/$USER/whiteclnt whitelist lines of the form
>     ok substitute Authentication-Results setup01....

Yes, here's the one for

    Authentication-Results:; dkim=pass (1024-bit key)

> Depending on what you want to do, those distinct whiteclnt entries
> could be an advantage.

Yes, individual e-mail domains could be whitelisted or blacklisted.

> This does not answer the question of whether dccm sees the headers
> added by dkim-milter.  To answer that question, I would run dccm
> with -SAuthentication-Results, ensure that enough logging is on,
> and look in /var/dcc/log or per-user log files to see if there are
> checksums that say they are for Authentication-Results headers.

I finally got a message from a DKIM-enabled site for a test.  Sendmail
seems to be ignoring me.  I must have outworn my welcome.  I had to
get a Gmail user to send me a message.  I also tried, but
they don't use any sort of domain authentication.

Yes, the headers appear for dccm.  In fact, the added one is the
first one in the list.  Here's how they look for Gmail in a DCCM log:

  Authentication-Results:; dkim=pass (1024-bit key)
  Received: by with SMTP id f5so532965nfh
          for <>; Thu, 25 Oct 2007 13:07:06 -0700 (PDT)
  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
; s=beta;
  DomainKey-Signature: a=rsa-sha1; c=nofws;
; s=beta;

There is indeed a checksum:

  X-DCC-UofM-Metrics: setup01 9003; Body=1 Fuz1=1 Fuz2=1
                              reported: 0               checksum  server
                         IP: d16ca6d7 d4556f6c 09e8d1cb 1f5e2b09
                   env_From: 9efb2027 207a4775 a610dc6f 537d5611
                       From: 0f4c46e2 945c0ed6 6b2d138f 78c1cd86
            substitute helo: 7080545d be28130d 92aa7b36 97fcc198
                 Message-ID: 908cb614 008ac387 ae50289e d9c43053
                   Received: 58d751fb e716c91b 431d7464 db4412fc
                       Body: 6475a98d 0bb3e55b feba43b6 0961cde4       1
                       Fuz1: a4043ed6 78c66397 8d116091 030d6656       1
                       Fuz2: a6aa4121 b5431d0f a7bcf81d 2f72fa9d       1
       substitute mail_host: 73808dcb 977f68c7 2db6ab6f 662ff2f4
  substitute authentication: 28484ba1 a006ad50 68a14e04 3605c390
          substitute sender: 8ecf28be 9a311660 3cd18e58 ac97fb2b

> >                                                               I'd
> > prefer something more automatic, with a spam reputation database
> > interposed.
> Could those individual entries in whiteclnt file(s) serve as your
> "spam reputation database"?

Yes, they could.  I know that the administrator can whitelist messages
that way.  Is there a way for the administrator to blacklist that
header but whitelist the envelope sender, for example?  I don't know
that I'd really want to do that, but it might be useful for sites
that have a reputation for spam.

> >              I haven't yet done any analysis on how this could be
> > accomplished, but it would be good for users (or the administrator)
> > to have a say in the matter.  I suppose that the RBL support in dccm
> > might be a suitable model.
> I don't see the connection to the RBL support, but those 
> "ok substitute Authentication-Results ..." lines can be in individual
> user whiteclnt files.  The proof-of-concept CGI scripts should do the
> right thing to support point-and-click on log files when dccm or dccifd
> is running with -SAuthentication-Results.

What I meant was that RBL listing seems to ensure that messages are
rejected.  Here's an example from a log:

  SMTP envelope sender DNSBL hit
  DCC-->spam  DNSBL-->spam  dccm  global
  X-DCC-UofM-Metrics: electra 1033; bulk Body=many Fuz1=many Fuz2=many
                              reported: 1 spam          checksum  server
                         IP: e843bef9 9c55fd4a 96b7d1b7 93b0c8eb
                   env_From: 37dca32e 393cabea b69cadfa f2706049
                       From: 6437828c 61ecf6ae b2c4e380 c7a7f845
            substitute helo: 04b2b9b7 ffcbe8e6 35b0c834 1b72a22c
                 Message-ID: 143b5a83 dc72cd37 ffcdca5a 41337464
                   Received: f8e95de1 3f1464d4 68fac5cb 299cdee6
                       Body: d0c01eac b44263d7 32fb4b53 fb0fda67       0
                       Fuz1: 7af7b948 5e087f2c 22dc0fd6 9ba24135       0
                       Fuz2: 970e1687 878ced70 21059be7 a9b2e7d8       0
       substitute mail_host: 6fa9a976 6914c067 b82fe6c4 5cbb4116

I don't understand the connection.  Do counts work for the new
authentication header?  I assume they don't for RBL listings.  For
e-mail from a bank that used DKIM, for example, I might want to
whitelist authenticated messages and reject everything else that
purported to come from them.  Otherwise, unique phishing messages
might get through to our users.  Is this possible now?

> Current versions of the DCC client code allow per-user control of
> checksum thresholds in whiteclnt files including through the CGI scripts,
> not to mention individual white- or blacklisting of checksums of headers.
> You cannot control the -SAuthentication-Results threshold separately
> from other substitute headers.

-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

More information about the DCC mailing list

Contact by mail or use the form.