
Re: Domainkeys and ISPs



Lionel Elie Mamane wrote:
> On Fri, Mar 14, 2008 at 07:02:58AM +0800, Thomas Goirand wrote:
>> Lionel Elie Mamane wrote:
>>> On Thu, Mar 13, 2008 at 11:43:49PM +0800, Thomas Goirand wrote:
> 
>>>> I just had a test with dkimproxy. A very simple test with the
>>>> mailx package (eg: Mail from the command line).
> 
>>>> So as you see, dkimproxy needs a list of domains for which it
>>>> signs email. If you are receiving a mail from another server, and
>>>> then forward it, of course, it's not in the list, and then it's
>>>> not signed.
> 
>>> That doesn't sound obvious to me. Let's assume you have two users,
>>> A and B, with email addresses A@example.org and B@example.org . B
>>> gets his email forwarded to b@vanity.domain, and A runs his own
>>> direct-to-MX delivery server (or relay server) (or contracts one
>>> from a third party; the point is not yours).
> 
>>> That's a situation where your assumption of "If you are receiving a
>>> mail from another server, and then forward it, of course, it's not
>>> in the list" does not hold: If A sends a mail to B@example.org with
>>> return path of A@example.org; should that mail get signed? Probably
>>> not. Because if you sign that mail, you'll also sign joe-job spam
>>> mail, and that's something you wouldn't want, I presume.
> 
>> In that case, I believe that our normal postfix rules would detect it,
>> and reject the email, no?
> 
> I'm not sure if "that case" refers to A's legit mail or to the joe-job
> spam.
> 
> If it refers to A's legit mail:
> 
>  Why would you want to reject the email? It is one of your users using
>  his email address in your domain to send mail to another of your
>  users. Totally legit, bona fide, all that.
> 
> If it refers to the joe-job spam:
> 
>  How do you differentiate between A's legit mail and the joe-job?
> 
>> Anyway, I don't think it's based on the return-path: field...
> 
> I was referring to the return path in the SMTP envelope, obviously. If
> the "the list of domains for which it signs mail" is not a list of
> domains for the return path / sender in the SMTP envelope, then it is
> a list of domains for *what*?

Isn't DKIM supposed to be an auth for the From: field?

Thomas

