Re: Domainkeys and ISPs
Lionel Elie Mamane wrote:
> On Fri, Mar 14, 2008 at 07:02:58AM +0800, Thomas Goirand wrote:
>> Lionel Elie Mamane wrote:
>>> On Thu, Mar 13, 2008 at 11:43:49PM +0800, Thomas Goirand wrote:
>>>> I just had a test with dkimproxy. A very simple test with the
>>>> mailx package (e.g.: Mail from the command line).
>>>> So as you see, dkimproxy needs a list of domains for which it
>>>> signs email. If you are receiving a mail from another server, and
>>>> then forwards it, of course, it's not in the list, and then it's
>>>> not signed.
>>> That doesn't sound obvious to me. Let's assume you have two users,
>>> A and B, with email addresses A@example.org and B@example.org . B
>>> gets his email forwarded to firstname.lastname@example.org, and A runs his own
>>> direct-to-MX delivery server (or relay server) (or contracts one
>>> from a third party; the point is not yours).
>>> That's a situation where your assumption of "If you are receiving a
>>> mail from another server, and then forwards it, of course, it's not
>>> in the list" does not hold: If A sends a mail to B@example.org with
>>> return path of A@example.org; should that mail get signed? Probably
>>> not. Because if you sign that mail, you'll also sign joe-job spam
>>> mail, and that's something you wouldn't want, I presume.
>> In that case, I believe that our normal postfix rules would detect it,
>> and reject the email, no?
> I'm not sure if "that case" refers to A's legit mail or to the joe-job
> If it refers to A's legit mail:
> Why would you want to reject the email? It is one of your users using
> his email address in your domain to send mail to another of your
> users. Totally legit, bona fide, all that.
> If it refers to the joe-job spam:
> How do you differentiate between A's legit mail and the joe-job?
>> Anyway, I don't think it's based on the return-path: field...
> I was referring to the return path in the SMTP envelope, obviously. If
> "the list of domains for which it signs mail" is not a list of
> domains for the return path / sender in the SMTP envelope, then it is
> a list of domains for *what*?
Isn't DKIM supposed to be an auth for the From: field?