Authentication-Results headers from the DKIM milter

Gary Mills mills@cc.umanitoba.ca
Tue Apr 13 15:09:54 UTC 2010


On Mon, Apr 12, 2010 at 07:24:17PM +0000, Vernon Schryver wrote:
> > From: Gary Mills <mills@cc.umanitoba.ca>
> 
> > It's really a matter of communication between the sendmail milter and
> > the DCC client.  I'd like to see this kept as simple as possible.  If
> > the milter could state ``this message is authenticated for this
> > sender'' in a reliable way, wouldn't that be sufficient for
> > whitelisting?
> 
> Perhaps the problem is looking at it as "communication."  Instead
> ignore the DKIM milter and think only about what dccm should do
> with each mail message as it is presented.
> 
> Dccm is given a message with envelope values, the SMTP headers, and
> the body, and must give one of 2 recommendations, "accept" or "reject".
> If the message has any of several envelope values (e.g. IP addresses) or
> familiar headers from /var/dcc/whiteclnt, with "OK" (or "many"),
> then dccm should say "accept" (or "reject").
> Other headers or envelope values (e.g. IP addresses) are irrelevant,
> whether they are unfamiliar DKIM headers or spammer forged Received headers.

Yes, that's the case that applies if I don't specify
`OK Authentication-Results' as a substitute header.

> Is the issue is knowing which headers to put in whiteclnt?  If so,
> why worry?  Why not copy headers from mail messages or dccm log files 
> of mail messages that you want to receive to /var/dcc/whiteclnt?
> Why worry about what is "communicating" with what after you've done
> whatever is needed to ensure that the right headers are in the mail
> messages when they reach dccm?

It's because the checksums need to be stable once I determine that a
message with a DKIM signature has an e-mail domain that I trust not to
send spam.  I can't just copy them indiscriminately because those
so-called e-mail marketing sites use signed messages too.  I want to
add them once to a file included in `whiteclnt' and not have to touch
them again.  If the header value changes in some minor way, the
checksums will no longer match.  We have an opportunity here to
determine the form of the `Authentication-Results' header so that it
can be most useful to DCC.  I'd like to do this right.

-- 
-Gary Mills-        -Unix Group-        -Computer and Network Services-



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.