#37 Per-domain verification settings

v2.6.0
closed-accepted
5
2008-07-30
2008-07-15
Bruno
No

This is a request to implement a stop-gap measure until ADSP is widely available and used by the big players.

It would be nice to be able to set up different verification settings depending on the domain the e-mail originated from. For instance, if I know all e-mail coming from GMail and Yahoo are signed, I'd like to use action configuration "badsignature=reject,nosignature=reject" with them.

For all other domains (the default case) I want to use "badsignature=accept,nosignature=accept".

Discussion

  • Anonymous - 2008-07-15
    • assigned_to: nobody --> sm-msk
     
  • Anonymous - 2008-07-16

    Logged In: YES
    user_id=1048957
    Originator: NO

    This is basically going to amount to manual ADSP.

    Should a hit be treated like "dkim=all" or "dkim=discardable"? Or should that be configurable?

    I'll try to get this in for 2.7.0, which I'm hoping to put into Beta late this week.

     
  • Bruno - 2008-07-16

    Logged In: YES
    user_id=411196
    Originator: YES

    If you allow me, when I first thought of this feature, I imagined a file with verification settings so the -C switch would point to it (e.g.: -C /etc/dkim/verify.conf). The file would contain lines with verification settings on a per-domain basis. A special domain entry (default) would replace what -C does today. For instance:

    gmail.com:badsignature=reject,nosignature=reject,dnserror=tempfail,security=tempfail
    yahoo.com:badsignature=reject,nosignature=reject,dnserror=tempfail,security=tempfail
    default:badsignature=accept,nosignature=accept,dnserror=tempfail,security=tempfail

    One could even imagine wildcard support being used as well. For instance, the line:

    *nova.com:...

    Would match all domains that ended with "nova.com".

    I hope this makes sense.

     
  • Anonymous - 2008-07-16

    Logged In: YES
    user_id=1048957
    Originator: NO

    I think I'd opt for a simpler solution. I can't see any reason why you would treat security or dnserror cases differently on a per-domain basis, so the really interesting cases are badsignature and nosignature.

    In effect though what we're doing is substituting (or adding) an ADSP policy in place of the one the sending domain posts (or doesn't post). Thus, a simpler approach might be a file that looks like this:

    gmail.com:discardable
    yahoo.com:all

    Here we're asserting that mail from gmail.com should be treated as though that domain is advertising a "dkim=discardable" policy via ADSP, and yahoo.com mail should assume "dkim=all". Then you can govern the rejection behaviour using the ADSPDiscard feature.

    Does that make sense, and does it cover your needs?

     
  • Bruno - 2008-07-16

    Logged In: YES
    user_id=411196
    Originator: YES

    I see what you're saying. I kinda like your idea to tie the feature closer to how ADSP will work. Yeah, security and dnserror should indeed be dealt with at the global level, not on a per-domain basis. Don't know what I was thinking there.

    Sounds like you would still need a default entry though, no? Or would that be covered somewhere else (I'm not familiar with the ADSPDiscard feature)?

    I like it. Simpler is better. And yes, it does make sense and it would cover my needs.

    Thanks for taking this idea into consideration.

     
  • Anonymous - 2008-07-16

    Logged In: YES
    user_id=1048957
    Originator: NO

    The default would be to do the ADSP query from DNS. This feature would just replace the DNS part for domains that are listed in the file. So continuing with my example:

    gmail.com:discardable
    yahoo.com:all

    Mail from those domains would use those ADSP policies without checking DNS. Any other domain would follow the normal DNS lookup method for ADSP.

    Wildcards would be allowed.

     
  • Bruno - 2008-07-16

    Logged In: YES
    user_id=411196
    Originator: YES

    Ok, so suppose a domain is not in the verification settings file (say, example.com). We would fall back to regular ADSP behavior and perform a DNS lookup in this case. Now assume the admin for domain example.com didn't add an ADSP record in their DNS. What would dkim-milter do in this case?

     
  • Anonymous - 2008-07-16

    Logged In: YES
    user_id=1048957
    Originator: NO

    No conclusion can be made in that case about what the sending domain does with respect to signing its mail. Therefore, unsigned mail or mail which was signed but failed to verify will still pass on to delivery (though it will obviously be tagged as having failed to verify in the latter case).

    The only interesting ADSP cases are when "all" or "discardable" are advertised. "all" just causes an ADSP failure to be noted; "discardable" can actually cause mail to be filtered.

     
  • Bruno - 2008-07-16

    Logged In: YES
    user_id=411196
    Originator: YES

    Ok, I'm sorry if I'm still insisting on this -- I'm not arguing, I'm just trying to understand how this whole thing works a little bit better.

    Today, with version 2.6.0 I'm able to say "reject all e-mail that is either not signed or has a bad signature". From what I gathered so far, it sounds like I won't be able to do this once this feature is implemented (I'm assuming this feature would replace the current behavior for the -C switch -- I'm not sure you're assuming the same thing). Am I missing anything?

     
  • Anonymous - 2008-07-16

    Logged In: YES
    user_id=1048957
    Originator: NO

    You can still do those things, just not in precisely the same way.

    "nosignature" and "badsignature" are global settings. If you set "nosignature=reject" then any unsigned mail from anywhere gets bounced. This test is done before any ADSP checking is done and will not be removed as a result of this patch.

    Under my proposal, you also get the following: If you set ADSPDiscard and then either (a) unsigned mail arrives from a domain which advertises an ADSP of "dkim=discardable", OR (b) unsigned mail arrives from a domain for which you have set "<domain>:discardable" in the file we're talking about, THEN the message will get rejected. Otherwise it will get delivered (though possibly tagged as having failed an ADSP check). This is the equivalent of being able to say "nosignature=X,badsignature=X" in a domain-specific way.
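
The decision order described in the comment above, as an added Python model that is not dkim-milter code and not part of the thread. Assumptions: the function names, a `dns_policies` dict standing in for the ADSP DNS lookup, fnmatch-style wildcards with first match winning, a constructed sample file, and a failed signature being treated like a missing one for the ADSP step.

```python
from fnmatch import fnmatchcase

# Constructed sample in the "domain:policy" format proposed in the thread.
SAMPLE_FILE = """\
gmail.com:discardable
yahoo.com:all
*nova.com:discardable
"""

def parse_overrides(text):
    """Return [(pattern, policy)] from 'domain:policy' lines."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        pattern, sep, policy = line.partition(":")
        policy = policy.strip().lower()
        if not sep or policy not in ("all", "discardable"):
            raise ValueError(f"line {n}: expected domain:all|discardable")
        rules.append((pattern.strip().lower(), policy))
    return rules

def adsp_policy(domain, rules, dns_policies):
    """A listed domain uses its override; any other falls back to DNS."""
    domain = domain.lower().rstrip(".")
    for pattern, policy in rules:
        if fnmatchcase(domain, pattern):  # assumed wildcard semantics
            return policy, "override"
    return dns_policies.get(domain, "unknown"), "dns"

def decide(domain, sig, rules, dns_policies, nosignature="accept",
           badsignature="accept", adsp_discard=False):
    """sig is 'pass', 'bad' or 'none'. Returns (action, reason)."""
    # The global tests run before any ADSP evaluation.
    if sig == "none" and nosignature == "reject":
        return "reject", "global nosignature"
    if sig == "bad" and badsignature == "reject":
        return "reject", "global badsignature"
    if sig == "pass":  # assumed to be a valid signature from the author domain
        return "accept", "signature verified"
    policy, source = adsp_policy(domain, rules, dns_policies)
    if policy == "discardable" and adsp_discard:
        return "reject", f"adsp discardable ({source})"
    if policy in ("all", "discardable"):
        return "accept", f"adsp fail noted ({source})"
    return "accept", "no adsp policy"
```

Under the wildcard semantics assumed here, `*nova.com` also matches unrelated names such as `supernova.com`; listing `nova.com` and `*.nova.com` separately limits the override to that domain and its subdomains.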

     
  • Anonymous - 2008-07-17

    Logged In: YES
    user_id=1048957
    Originator: NO

    This feature will appear in dkim-milter 2.7.0 which begins betas shortly. If you'd like to be notified when it's available for testing, please subscribe to the dkim-milter-beta list or have SourceForge notify you of activity on that package.

     
  • Anonymous - 2008-07-30

    Logged In: YES
    user_id=1048957
    Originator: NO

    v2.7.0 released (last week) containing this feature.

     
  • Anonymous - 2008-07-30
    • status: open --> closed-accepted
     
