Authentication-Results headers from the DKIM milter

Gary Mills mills@cc.umanitoba.ca
Mon Apr 12 19:04:14 UTC 2010


On Mon, Apr 12, 2010 at 05:45:22PM +0000, Vernon Schryver wrote:
> > From: Gary Mills <mills@cc.umanitoba.ca>
> 
> >                                      With the `--with-domainkeys'
> > configure option, it too produces the two headers:
> >
> >     Authentication-Results: setup01.cc.umanitoba.ca; dkim=pass (1024-bit key)
> >             header.i=@sendmail.net; dkim-adsp=pass
> >     Authentication-Results: setup01.cc.umanitoba.ca; domainkeys=pass (testing) header.from=sa-test@sendmail.net
> 
> I'm uncertain what "work" means in this case.  However, 
>   - if neither of the two separate headers nor the combined DK and DKIM header
>       change for a given SMTP client (mail sender),
>   - and if no mail from any other SMTP client has any or all of the
>       same headers,
>   - and if all three (two individuals and one combined) are in
>       /var/dcc/whiteclnt,
> 
> then all mail from that SMTP client will be whitelisted by dccm and dccifd,
> and no mail from any other SMTP client will be affected by those
> whiteclnt entries.

I suppose I meant which would be the most convenient and manageable
way to whitelist messages.  The milter will ensure that only it can
add those headers, and that they contain a unique domain name or
e-mail address.  Having two individual headers would be a problem
because it would require me to list both of them in the client
whitelist file.  Otherwise, my existing whitelist entries for DKIM
only would stop working.  I'd prefer to be able to tell the milter to
add only the DKIM header if that signing was used, or add only the DK
header if DK signing was used.  Putting them both in one header seems
peculiar to me.  What happens if one succeeds and the other fails?

It's really a matter of communication between the sendmail milter and
the DCC client.  I'd like to see this kept as simple as possible.  If
the milter could state ``this message is authenticated for this
sender'' in a reliable way, wouldn't that be sufficient for
whitelisting?

-- 
-Gary Mills-        -Unix Group-        -Computer and Network Services-
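
Added example, not part of the original message and not code from the milter or DCC: a simplified parse of Authentication-Results values (the RFC 5451 layout of the headers quoted above) that decides per method rather than by matching the whole header string, so separate and combined headers give the same answer, including the case where one method passes and the other fails. The policy that either method passing is sufficient, the COMBINED and FORGED samples, and all function names are assumptions made for illustration.

```python
import re

TRUSTED_ID = "setup01.cc.umanitoba.ca"  # authserv-id of our own milter host

# Constructed samples. SEPARATE mirrors the two headers quoted above;
# COMBINED is a hypothetical single header where DKIM passes and DK fails.
SEPARATE = [
    "setup01.cc.umanitoba.ca; dkim=pass (1024-bit key)\n"
    "\theader.i=@sendmail.net; dkim-adsp=pass",
    "setup01.cc.umanitoba.ca; domainkeys=pass (testing) "
    "header.from=sa-test@sendmail.net",
]
COMBINED = [
    "setup01.cc.umanitoba.ca; dkim=pass header.i=@sendmail.net; "
    "domainkeys=fail header.from=sa-test@sendmail.net",
]
FORGED = ["mx.elsewhere.example; dkim=pass header.i=@sendmail.net"]

def parse_authres(value):
    """Split one header value into (authserv_id, {method: (result, props)})."""
    value = re.sub(r"\([^()]*\)", " ", value)      # drop (comments)
    parts = [p.split() for p in value.split(";")]  # split() also unfolds lines
    authserv_id = parts[0][0].lower() if parts[0] else ""
    methods = {}
    for tokens in parts[1:]:
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method] = (result, props)
    return authserv_id, methods

def authenticated_domains(header_values, trusted_id=TRUSTED_ID):
    """Domains that a trusted header reports as dkim=pass or domainkeys=pass."""
    domains = set()
    for value in header_values:
        authserv_id, methods = parse_authres(value)
        if authserv_id != trusted_id:
            continue  # ignore results not stamped by our own milter
        for method, prop in (("dkim", "header.i"), ("domainkeys", "header.from")):
            result, props = methods.get(method, ("none", {}))
            if result == "pass" and prop in props:
                domains.add(props[prop].rpartition("@")[2].lower())
    return domains

if __name__ == "__main__":
    for name, sample in (("separate", SEPARATE), ("combined", COMBINED),
                         ("forged", FORGED)):
        print(name, sorted(authenticated_domains(sample)))
```

The parse does not handle quoted strings, nested comments or the optional version token, so it is suited to headers written by a single known milter rather than arbitrary input.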


