#15 add whitelist without dkim sig to domains cisco firewall bug

v1.2.0
closed-rejected
3
2007-08-03
2007-07-27
rschetterer
No

It would be nice to have a list feature in the milter
to not sign mails with DKIM to domains/IPs
which have a buggy Cisco firewall which has problems with long DKIM headers, because otherwise mails rest in Postfix until they get bounced because they couldn't be delivered.
This needn't be perfect (I know it may lead to trouble with multi-recipient mails), but it's better than not being able to send to such IPs/domains with ignorant admins.

Discussion

  • Anonymous - 2007-07-28
    • assigned_to: nobody --> sm-msk
     
  • Anonymous - 2007-07-30
    • priority: 5 --> 3
     
  • Anonymous - 2007-08-03

    Logged In: YES
    user_id=1048957
    Originator: NO

    It appears Cisco is already working on a fix for the PIX product. Even if they're not, Cisco is a supporter (in fact, a co-author) of DKIM so they have to fix their stuff regardless of what we do here.

    At the moment we're not sure a fix for this is a good idea. Maintaining a list of sites operating buggy mail filtering firewalls doesn't scale to Internet size, and there's no way to know in advance who's running such a firewall. Any hack we can add to this package will only serve a small percentage of the users out there, making it not a universally useful change to the package.

    Given those facts and the other concerns addressed about this on the discuss list, I don't believe we'll be dealing with this in the filter before Cisco gets a PIX fix out there anyway.

     
  • Anonymous - 2007-08-03
    • status: open --> closed-rejected
     
  • Anonymous - 2007-08-03

    Logged In: YES
    user_id=1048957
    Originator: NO

    Cisco's rep here says there's a patch to PIX firewalls available.

    The issue is not the size of the DKIM header field. The problem is PIX sees "Content-Type" twice in the message header, determines it must be an attack, and rejects the message.

    You can work around this already by omitting "Content-Type" headers from being signed. See the "-o" command line option or the "OmitHeaders" config file option in the current code to do this.
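
To confirm that a signed message no longer lists Content-Type after the OmitHeaders workaround, the following added example (not part of the ticket thread and not dkim-milter code) parses the h= tag of the DKIM-Signature field. It assumes the second "Content-Type" the firewall sees is the name in the h= list and models the firewall as a plain substring match; the sample messages and all function names are constructed for illustration.

```python
import re

def header_block(raw):
    """Unfolded header section: everything before the first blank line."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    return re.sub(r"\r?\n[ \t]+", " ", head)

def fields(raw):
    """Yield (lowercased name, value) for each header field."""
    for line in header_block(raw).splitlines():
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip().lower(), value.strip()

def signed_header_names(raw):
    """Header names listed in the h= tag of every DKIM-Signature field."""
    names = []
    for name, value in fields(raw):
        if name != "dkim-signature":
            continue
        tags = {}
        for tag in value.split(";"):
            key, sep, val = tag.partition("=")
            if sep:
                tags[key.strip()] = val.strip()
        names += [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    return names

def naive_count(raw, name="content-type"):
    """Occurrences of the name anywhere in the header text (assumed firewall view)."""
    return header_block(raw).lower().count(name)

def field_count(raw, name="content-type"):
    """Number of real header fields with that name."""
    return sum(1 for n, _ in fields(raw) if n == name)

def looks_duplicated(raw, name="content-type"):
    """True when one real field is present but a substring scan sees more than one."""
    return field_count(raw, name) == 1 and naive_count(raw, name) > 1

def sample(h):  # constructed message; bh= and b= are placeholders, not signatures
    return ("DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\r\n"
            "\th=" + h + ";\r\n\tbh=PLACEHOLDER; b=PLACEHOLDER\r\n"
            "From: a@example.org\r\nTo: b@example.net\r\nSubject: test\r\n"
            "Content-Type: text/plain; charset=us-ascii\r\n\r\nbody\r\n")

SIGNED_WITH_CT = sample("From:To:Subject:\r\n\t Content-Type")  # Content-Type signed
SIGNED_OMITTED = sample("From:To:Subject")                       # Content-Type omitted
```
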

     
