From: Micah A. <mi...@ri...> - 2007-11-10 02:07:51

On Fri, 09 Nov 2007 11:20:12 -0800, SM wrote:
> You are signing the *.riseup.net domain. Your From: address is
> @riseup.net. I'm not sure that will match (Murray will correct me).

You mean in my -d parameter where I specify *.riseup.net. I thought that would catch all hosts in the domain, but I see that this would omit the case where there is no hostname. Are you saying I should use -d @riseup.net, or -d riseup.net? I think probably the latter, as the former is kind of strange, but please correct me if I am wrong. Additionally, if I specify that, will I omit any hosts within that domain?

On Fri, 09 Nov 2007 10:39:50 -0800, Murray S. Kucherawy wrote:
> OPERATION
> A message will be verified unless it conforms to the signing
> criteria, which are: (1) the domain on the From: address or
> Sender: address (if present) must be listed by the -d
> command line switch or the Domain configuration file setting,
> and (2) the client connecting to the MTA must (a) have
> authenticated, or (b) be listed in the file referenced by the -i
> command line switch (or be in the default list for that option),
> or (c) be connected to a daemon port named by the -m
> command line switch.
>
> Does your mailing list manager add a Sender: header containing an
> address in one of your signing domains? If not, your unsigned mail from
> outside your domain is probably failing test (1) above so the filter
> goes to verify mode.

My mailing list manager (sympa) does not add a Sender: header at all, but there is a From: address contained in the first scenario (message originating via submission after SASL authentication) which I believe matches the -d switch (now that I've changed it to be -d riseup.net), which seems to satisfy criterion number 1. I thought that since I had set the "Mode" to 's', only signing would happen and it wouldn't fall back to verify mode.

I suppose what could be happening is that if signing is the only mode set, and these criteria are not met, nothing happens instead of it falling back into verify mode.

> In fact the algorithm is a little better than what's documented. The
> headers are searched for Resent-Sender:, Resent-From:, Sender: and
> From:, in that order. The first one it finds is the one whose value is
> applied in test (1) above. Thus, a re-mailer (e.g. your list manager)
> should add one of the former three headers to get external stuff (e.g.
> gmail.com) to be signed upon re-mailing.

I see what you are saying here; looking at my headers, I do not see any of these in the second scenario.

> The other (dangerous) alternative is to set up your filter so it signs
> all domains (e.g. "-d '*'" or equivalent) and rely on the origin
> (internal list) only to make sign vs. verify decisions.

How would the origin make sign decisions? I'm not exactly clear on what you are suggesting here.

> The other thing I noticed is that you're allowing signing for traffic
> from 204.13.168.0/24 but one of the sources of mail was mx1.riseup.net
> [204.13.164.18] which doesn't match. I'm not totally clear on where in
> that chain of Received: headers you expected signing to be done so that
> may not be important.

Good eye, this is a clear error that I could not see.

Thanks for all the eyes, this helps a lot,
Micah
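The sign-or-verify decision that Murray describes above (origin header searched in the order Resent-Sender, Resent-From, Sender, From; its domain checked against the -d list; the connecting client checked against authentication or the -i networks) can be walked through on the two cases in the thread. The following is an added illustration written for this page, not code from dkim-milter or from either poster; it assumes the wildcard semantics SM and Micah discuss (that "*.riseup.net" matches hosts under the domain but not the bare "riseup.net"), and the sample messages, the "lists@riseup.net" Sender address and the network lists are constructed for the demonstration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Header precedence as Murray describes it: the first one present wins.
ORIGIN_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

# Constructed sample messages (not real riseup.net traffic).
# Scenario 1: a user's own submission after SASL authentication.
SUBMISSION_MSG = """\
From: Micah <micah@riseup.net>
To: list@lists.riseup.net
Subject: test

hello
"""

# Scenario 2: an outside post re-mailed by the list manager, which
# (like sympa in the thread) adds no Sender: header.
REMAILED_MSG = """\
From: Someone <someone@gmail.com>
To: list@lists.riseup.net
Subject: [list] test

hello
"""


def with_sender(raw_message, sender):
    """Prepend a Sender: header, as a re-mailer could to pass test (1)."""
    return "Sender: %s\n%s" % (sender, raw_message)


def origin_domain(raw_message):
    """Domain of the first ORIGIN_HEADERS entry present, lowercased, or None."""
    msg = message_from_string(raw_message)
    for name in ORIGIN_HEADERS:
        value = msg.get(name)
        if value:
            _, addr = parseaddr(value)
            if "@" in addr:
                return addr.rsplit("@", 1)[1].lower()
    return None


def domain_listed(domain, signing_domains):
    """Emulate a -d list (assumed semantics): '*' matches anything,
    '*.example' matches names below example but not example itself,
    and a bare name matches only itself."""
    domain = domain.lower()
    for pattern in signing_domains:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("*."):
            if domain.endswith(pattern[1:]):   # ".riseup.net" suffix
                return True
        elif domain == pattern:
            return True
    return False


def client_is_internal(client_ip, internal_nets, authenticated=False):
    """Test (2): the client authenticated, or its address is in an -i network."""
    if authenticated:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in internal_nets)


def decide(raw_message, client_ip, signing_domains, internal_nets,
           authenticated=False):
    """Return 'sign' if both tests pass, otherwise 'verify'."""
    dom = origin_domain(raw_message)
    if dom is None or not domain_listed(dom, signing_domains):
        return "verify"          # fails test (1)
    if not client_is_internal(client_ip, internal_nets, authenticated):
        return "verify"          # fails test (2)
    return "sign"


if __name__ == "__main__":
    # The original -d "*.riseup.net" misses a bare @riseup.net From: address.
    print(decide(SUBMISSION_MSG, "204.13.168.10", ["*.riseup.net"],
                 ["204.13.168.0/24"], authenticated=True))
    # The re-mailed gmail.com post with no Sender: header, arriving from
    # mx1.riseup.net [204.13.164.18], fails both tests as configured.
    print(decide(REMAILED_MSG, "204.13.164.18", ["riseup.net"],
                 ["204.13.168.0/24"]))
```

Walking the two scenarios through `decide` shows the three separate fixes the thread converges on: "-d riseup.net" (or both the bare name and the wildcard) for test (1), a Sender: or Resent-* header added by the list manager so re-mailed outside posts have a signable origin domain, and 204.13.164.0/24 added to the -i list so mx1.riseup.net passes test (2).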