From: Jason M. <ja...@mo...> - 2007-08-23 16:53:02
|
Hello dkim-milter List, I am curious about one of the configuration options which I couldn't = find any more information about. The man pages describe = On-SignatureMissing: Selects the action to be taken when a message arrives unsigned from a domain which advertises a "we sign everything" policy. Possible values are the same as those for On-BadSignature. The default is accept. How does a domain advertise "we sign everything"? I tried looking for = this in the RFC's and googling for it, but couldn't find anything. This = seems like it could be a really usefull feature that could potential = help ramp up the use dkim email signing. Jason ps... thank you to the developers who have created a great tool. |
From: Murray S. K. <ms...@se...> - 2007-08-23 17:12:08
|
On Thu, 23 Aug 2007, Jason Molzen wrote: > How does a domain advertise "we sign everything"? I tried looking for > this in the RFC's and googling for it, but couldn't find anything. This > seems like it could be a really usefull feature that could potential > help ramp up the use dkim email signing. Read the DKIM sender signing practises draft, which is available in the open source tarball (draft-ietf-dkim-ssp-00.txt). |
From: Mark M. <Mar...@ij...> - 2007-08-23 17:23:56
|
> The man pages describe On-SignatureMissing: > Selects the action to be taken when a message arrives unsigned > from a domain which advertises a "we sign everything" policy. > Possible values are the same as those for On-BadSignature. > The default is accept. Missing signature is supposed to be indistinguishable from a signature which does not verify. Making a distinction opens up an opportunity for a malicious sender to choose the more favourable option for them, both are easy to fake. I think it is a bad idea to offer two separate settings. A less knowledgable mail administrator may be tempted to specify different settings. I suggest both settings to be merged. Mark |