Re: [exim] Exim Snapshot - DomainKeys support - Testers want…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: David Woodhouse
Date:  
À: Tom Kistner
CC: exim-users, exiscanusers
Sujet: Re: [exim] Exim Snapshot - DomainKeys support - Testers wanted
On Thu, 2005-02-03 at 11:44 +0100, Tom Kistner wrote:
>
> > Which identity are you using for checking the signature? If a message
> > has different addresses in From:, Sender: and Resent-From: headers,
> > which of those will you use for the purpose of checking DK?
>
> The underlying reference implementation does that. It uses the value of
> the d= parameter from the DomainKey-Signature header.
>
> draft-delany-domainkeys-base-01.txt says:
>
>      d = The domain name of the signing domain. This tag MUST be
>          present. In conjunction with the selector tag, this domain
>          forms the basis of the public-key query. The value in this tag
>          MUST match the domain of the sending email address or MUST be
>          one of the parent domains of the sending email address.


What is the 'sending email address' in this context? Your use of
$sender_address_domain in the example ACL seems to imply that you're
using the reverse-path.

That seems to be the _sensible_ thing to do -- the reverse-path is
almost always going to be changed when the message may suffer mangling
due to being resent by a user or mailing list. But is that what the
draft says you're _supposed_ to do?

People seem to have been resistant to the idea that we should be using
the reverse-path instead of grubbing around the headers for a 'Purported
Responsible Address', or just pretending we think that a signature from
the domain in the From: header will survive.

Thanks a lot for doing this, btw.

--
dwmw2