You can subscribe to this list here.
2004 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(18) |
Jul
(144) |
Aug
(11) |
Sep
(17) |
Oct
(72) |
Nov
(87) |
Dec
(31) |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2005 |
Jan
(4) |
Feb
(12) |
Mar
(20) |
Apr
(50) |
May
(4) |
Jun
(6) |
Jul
(3) |
Aug
(56) |
Sep
|
Oct
(87) |
Nov
(3) |
Dec
(4) |
2006 |
Jan
(4) |
Feb
(34) |
Mar
(14) |
Apr
(8) |
May
(48) |
Jun
(49) |
Jul
(38) |
Aug
(2) |
Sep
(15) |
Oct
(11) |
Nov
(28) |
Dec
(20) |
2007 |
Jan
(2) |
Feb
(15) |
Mar
(33) |
Apr
(1) |
May
(31) |
Jun
(9) |
Jul
|
Aug
|
Sep
(6) |
Oct
(6) |
Nov
(12) |
Dec
|
2008 |
Jan
(4) |
Feb
(21) |
Mar
(21) |
Apr
(8) |
May
(20) |
Jun
(10) |
Jul
(10) |
Aug
(7) |
Sep
|
Oct
|
Nov
(6) |
Dec
(11) |
2009 |
Jan
(47) |
Feb
(3) |
Mar
(23) |
Apr
|
May
(10) |
Jun
(11) |
Jul
|
Aug
(5) |
Sep
|
Oct
|
Nov
|
Dec
|
2010 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
2011 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
(1) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
From: Jose M. M. da C. <Jos...@en...> - 2004-06-30 15:51:20
|
Murray S. Kucherawy wrote: > On Wed, 30 Jun 2004, Jose Marcio Martins da Cruz wrote: > >>Is there a reason to decide to sign the message based on the >>content of the "From" header, and not the "From" enveloppe ? > > > I'm fairly certain the reason for this approach is that the envelope can > change when a message pases through forwarders or mailing list systems, > but the From: header (generally) does not. I'm just reading the draft. 8-) I found it there. But either way, the only place where the message shall be signed is at his source domain (his border mail server), before being modified by other things (mailing lists and so...). Am I wrong ? P.S. - I've just saw messages with two and more "From:" headers. These are or spams, or buggy MLMs. Joe -- --------------------------------------------------------------- Jose Marcio MARTINS DA CRUZ Tel. :(33) 01.40.51.93.41 Ecole des Mines de Paris http://j-chkmail.ensmp.fr 60, bd Saint Michel http://www.ensmp.fr/~martins 75272 - PARIS CEDEX 06 mailto:Jos...@en... |
From: Richard R. <ri...@se...> - 2004-06-30 15:50:17
|
Murray S. Kucherawy wrote: >On Wed, 30 Jun 2004, Jose Marcio Martins da Cruz wrote: > > >>Is there a reason to decide to sign the message based on the >>content of the "From" header, and not the "From" enveloppe ? >> >> > >I'm fairly certain the reason for this approach is that the envelope can >change when a message pases through forwarders or mailing list systems, >but the From: header (generally) does not. > > In addition, the From: header is end user visible. The envelope may or may not match that field, and is typically not shown to end users by the mail client software. |
From: Murray S. K. <ms...@se...> - 2004-06-30 15:29:20
|
On Wed, 30 Jun 2004, Jose Marcio Martins da Cruz wrote: > Is there a reason to decide to sign the message based on the > content of the "From" header, and not the "From" enveloppe ? I'm fairly certain the reason for this approach is that the envelope can change when a message pases through forwarders or mailing list systems, but the From: header (generally) does not. |
From: Jose M. M. da C. <Jos...@en...> - 2004-06-30 15:02:38
|
Hello, I'm beginning setting up a dk-filter at our domain. For the while it's working only at my workstation and for outgoing messages. Is there a reason to decide to sign the message based on the content of the "From" header, and not the "From" enveloppe ? Best Jose-Marcio -- --------------------------------------------------------------- Jose Marcio MARTINS DA CRUZ Tel. :(33) 01.40.51.93.41 Ecole des Mines de Paris http://j-chkmail.ensmp.fr 60, bd Saint Michel http://www.ensmp.fr/~martins 75272 - PARIS CEDEX 06 mailto:Jos...@en... |
From: Murray S. K. <ms...@se...> - 2004-06-25 16:54:28
|
On Thu, 24 Jun 2004, Jim Fenton wrote: > A related issue to the signing of subdomains is the signing of messages > whose "from" address includes the hostname, and not just the domain, of > the sender. I have sendmail configured using MASQUERADE_AS and related > stuff to rewrite my outgoing mail to strip off the hostname if it is > included in any message. Unfortunately, that happens after the milter > so the milter is seeing the hostname, and it refuses to sign the mail. There's a DK draft update pending (yes, it's a "when") that will allow for signing by superdomains. I was hoping it would be out by now but apparently our friends at Yahoo! are buried under other tasks. As soon as the update is posted we'll be amending dk-milter to do it. > But this also raises the question of whether the milter API is happening > at the appropriate place for a signing function. Any chance of a > milter-like thing happening after input rewriting? The real intent behind DK is that it would only sign and verify at border MTAs, where no rewriting of any kind is done. However, as you point out, for common-case open source sites with one server this doesn't really work. milter is intended to be an SMTP-level filter, so as designed it really belongs in a position where it gets the unmodified "over-the-wire" content. For now we have to work with that restriction. I've solved this problem (for now) by having my MUAs generate From: headers that don't need to be masqueraded by the MTA; they're already as they will be when sent over the wire. Unfortunately it might be necessary to teach dk-milter about the masquerading the MTA will do. |
From: Jim F. <jf...@bl...> - 2004-06-25 06:28:10
|
A related issue to the signing of subdomains is the signing of messages whose "from" address includes the hostname, and not just the domain, of the sender. I have sendmail configured using MASQUERADE_AS and related stuff to rewrite my outgoing mail to strip off the hostname if it is included in any message. Unfortunately, that happens after the milter so the milter is seeing the hostname, and it refuses to sign the mail. A lot of this will be solved when (I think it's a "when") DK officially supports signing by higher-level domains. But this also raises the question of whether the milter API is happening at the appropriate place for a signing function. Any chance of a milter-like thing happening after input rewriting? -Jim |
From: SM <sm...@re...> - 2004-06-03 18:45:40
|
Hi Murray, At 08:41 03-06-2004, Murray S. Kucherawy wrote: >That's not universally true though. Only a couple of MLMs add those. That's unfortunately the case. There is no fool proof formula to detect mail as coming from MLMs. I suggested using List-Id: as it is mentioned in RFC 2919 which discusses namespace for the identification of mailing lists. Regards, -sm |
From: Murray S. K. <ms...@se...> - 2004-06-03 15:41:19
|
On Wed, 2 Jun 2004, SM wrote: > >How do you distinguish e-mail that came from a list vs. regular mail? Or > > You can look for List-Id: in the headers. If that header is present, we > can assume that the mail comes from a mailing list. That's not universally true though. Only a couple of MLMs add those. |
From: SM <sm...@re...> - 2004-06-03 02:45:11
|
Hi Murray, At 14:20 02-06-2004, Murray S. Kucherawy wrote: >How do you distinguish e-mail that came from a list vs. regular mail? Or You can look for List-Id: in the headers. If that header is present, we can assume that the mail comes from a mailing list. >more importantly, vs. mail from a spammer trying to get around DomainKeys? Good question. As I think of what you said, I see that it is best leave the flag as "bad" to avoid introducing room for abuse. Regards, -sm |
From: Murray S. K. <ms...@se...> - 2004-06-02 21:20:21
|
On Wed, 2 Jun 2004, SM wrote: > The DomainKeys draft covers the case where the feature is implemented at > all points where headers may be modified. A mailing list is a special case > where the From: header is not rewritten. Headers are added and that causes > DK to return a bad status when the sender receives the posting. This > status has a negative connotation in this context. The "unverified" status > can be used by DK sites who wish to consider all email from mailing lists > as non-participants of DomainKeys. This would be like ignoring that there > is a "DomainKey-Signature" header. How do you distinguish e-mail that came from a list vs. regular mail? Or more importantly, vs. mail from a spammer trying to get around DomainKeys? |
From: SM <sm...@re...> - 2004-06-02 19:36:14
|
Hi Murray, At 08:12 02-06-2004, Murray S. Kucherawy wrote: >If you like, you can file that as a feature request. I'll file a feature request for signing subdomains. >This is present in 0.1.7 which I pushed out last night. I will test the new version. > > 3. Mail from mailing lists > > > > When an email is sent to a mailing list, it is signed. When the list sends > > a copy of the email back the sender, dk-milter does a verification and > > flags the email as bad. I suggest that a switch be added so that dk-milter > > can be set to flag such an email as unverified instead of bad. > >The current DomainKeys draft doesn't list "unverified" as a valid status. >Can you explain what the difference would be? The DomainKeys draft covers the case where the feature is implemented at all points where headers may be modified. A mailing list is a special case where the From: header is not rewritten. Headers are added and that causes DK to return a bad status when the sender receives the posting. This status has a negative connotation in this context. The "unverified" status can be used by DK sites who wish to consider all email from mailing lists as non-participants of DomainKeys. This would be like ignoring that there is a "DomainKey-Signature" header. Regards, -sm |
From: Murray S. K. <ms...@se...> - 2004-06-02 15:12:59
|
On Wed, 2 Jun 2004, SM wrote: > Here are some scenarios under with dk-milter 0.15 was tested: > > 1. Dk-milter running on an outbound mail server > > Dk-milter signs mail for the specified domains correctly. It will not sign > any subdomains. Could a wildcard feature be added so that any mail being > sent from @example.com and its subdomains be signed if .example.com is > specified in the list of domains to be signed? At the moment, the DomainKeys draft says we only sign if the domain name part of the From: line matches the domain doing the signing; that is, us...@ex... can only be signed by example.com. The current version of dk-milter requires precise matching based on that. If you like, you can file that as a feature request. > 2. Dk-milter running on an outbound and inbound mail server > > If the From: header is spoofed, dk-milter signs the mail. dk-milter should > do a check for SMTP AUTH and use a list of signing hosts to determine which > emails should be signed. This will be useful for sites which do not run a > MTA dedicated for outbound mail only. This is present in 0.1.7 which I pushed out last night. > Sites accepting mail on the submission port may wish to consider these > emails as valid for signing. I suggest adding a switch for dk-milter to > sign emails handled by MSA. In future, dk-milter could do a db lookup for > sites using POP3 before SMTP authentication to check whether the email > should be signed. Those are two good feature requests. Feel free to file those as well. > 3. Mail from mailing lists > > When an email is sent to a mailing list, it is signed. When the list sends > a copy of the email back the sender, dk-milter does a verification and > flags the email as bad. I suggest that a switch be added so that dk-milter > can be set to flag such an email as unverified instead of bad. The current DomainKeys draft doesn't list "unverified" as a valid status. Can you explain what the difference would be? |
From: SM <sm...@re...> - 2004-06-02 08:55:39
|
Hello, Here are some scenarios under with dk-milter 0.15 was tested: 1. Dk-milter running on an outbound mail server Dk-milter signs mail for the specified domains correctly. It will not sign any subdomains. Could a wildcard feature be added so that any mail being sent from @example.com and its subdomains be signed if .example.com is specified in the list of domains to be signed? 2. Dk-milter running on an outbound and inbound mail server If the From: header is spoofed, dk-milter signs the mail. dk-milter should do a check for SMTP AUTH and use a list of signing hosts to determine which emails should be signed. This will be useful for sites which do not run a MTA dedicated for outbound mail only. Sites accepting mail on the submission port may wish to consider these emails as valid for signing. I suggest adding a switch for dk-milter to sign emails handled by MSA. In future, dk-milter could do a db lookup for sites using POP3 before SMTP authentication to check whether the email should be signed. 3. Mail from mailing lists When an email is sent to a mailing list, it is signed. When the list sends a copy of the email back the sender, dk-milter does a verification and flags the email as bad. I suggest that a switch be added so that dk-milter can be set to flag such an email as unverified instead of bad. Regards, -sm |