Re: [dkim-milter-discuss] Postfix signing trouble

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Fri, 09 Nov 2007 11:20:12 -0800, SM wrote:

> You are signing the *.riseup.net domain.  Your From: address is
> @riseup.net.  I'm not sure that will match (Murray will correct me).

You mean in my -d parameter where I specify *.riseup.net. I thought that 
would catch all hosts in the domain, but I see that this would omit the 
case where there is no hostname. 

Are you saying I should use -d @riseup.net, or -d riseup.net? I think 
probably the latter, as the former is kind of strange, but please correct 
me if I am wrong. Additionally, if I specify that, will I omit any hosts 
within that domain?

On Fri, 09 Nov 2007 10:39:50 -0800, Murray S. Kucherawy wrote:
> OPERATION
>         A  message will be verified unless it conforms to the signing
>         criteria, which are: (1) the domain on the From: address or
>         Sender:  address  (if present)  must  be  listed  by the -d
>         command line switch or the Domain configuration file setting,
>         and (2) the client connecting  to  the  MTA must (a) have
>         authenticated, or (b) be listed in the file referenced by the -i
>         command line switch (or be in the default list for that option),
>         or  (c)  be  connected  to  a  daemon port named by the -m
>         command line switch.
> 
> Does your mailing list manager add a Sender: header containing an
> address in one of your signing domains?  If not, your unsigned mail from
> outside your domain is probably failing test (1) above so the filter
> goes to verify mode.

My mailing list manager (sympa) does not add a Sender: header at all, but 
there is a From: address contained in the first scenario (message 
originating via submission after SASL authentication) which I believe 
matches the -d switch (now that I've changed it to be -d riseup.net), 
which seems to satisfy criteria number 1.

I thought that the fact I had set the "Mode" to 's', only signing would 
happen and it wouldn't fall back to verify mode. I suppose what could be 
happening is if signing is the only mode set, and these criteria are not 
met, nothing happens instead of it falling back into verify mode.

> In fact the algorithm is a little better than what's documented.  The
> headers are searched for Resent-Sender:, Resent-From:, Sender: and
> From:, in that order.  The first one it finds is the one whose value is
> applied in test (1) above.  Thus, a re-mailer (e.g. your list manager)
> should add one of the former three headers to get external stuff (e.g.
> gmail.com) to be signed upon re-mailing.

I see what you are saying here, looking at my headers I do not see any of 
these in the second scenario.

> The other (dangerous) alternative is to set up your filter so it signs
> all domains (e.g. "-d '*'" or equivalent) and rely on the origin
> (internal list) only to make sign vs. verify decisions.

How would the origin make sign decisions? I'm not exactly clear on what 
you are suggesting here.

> The other thing I noticed is that you're allowing signing for traffic
> from 204.13.168.0/24 but one of the sources of mail was mx1.riseup.net
> [204.13.164.18] which doesn't match.  I'm not totally clear on where in
> that chain of Received: headers you expected signing to be done so that
> may not be important.

Good eye, this is a clear error that I could not see.

Thanks for all the eyes, this helps a lot,
Micah