Re: [exim] Exim Snapshot - DomainKeys support - Testers want…

Author: Tom Kistner
Date:  
To: David Woodhouse
CC: exim-users, exiscanusers
Subject: Re: [exim] Exim Snapshot - DomainKeys support - Testers wanted
David Woodhouse wrote:

> What is the 'sending email address' in this context? Your use of
> $sender_address_domain in the example ACL seems to imply that you're
> using the reverse-path.


Which is of course wrong. I had already built in a $dk_domain expansion
variable that would point to the domain the lib used to verify the
signature. Unfortunately, the current header of the lib does not export
that variable. I chose not to tweak the header and removed $dk_domain.

Sorry for being inconsistent in my example. DK is completely out of the
scope of SMTP metadata.

> That seems to be the _sensible_ thing to do -- the reverse-path is
> almost always going to be changed when the message may suffer mangling
> due to being resent by a user or mailing list. But is that what the
> draft says you're _supposed_ to do?


When signing, the lib first uses the "Sender:" and then the "From:"
header to determine the "sending domain". This also gets written into
the DomainKey-Signature: header unless you override with the "dk_domain"
transport option.

> People seem to have been resistant to the idea that we should be using
> the reverse-path instead of grubbing around the headers for a 'Purported
> Responsible Address', or just pretending we think that a signature from
> the domain in the From: header will survive.


Concerning lists, DK will be pretty unusable for quite a while anyway.
Just look at all the mangling going on here. A ton of extra headers in
the wrong place, a footer, MIME transformations ... I also don't know
how many mailers still do 8bit->QP autoconversions. This might also be a
PITA.

/tom
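
The header-based domain choice described in the message above ("Sender:" first, then "From:"), set against the envelope reverse-path, as an added example that is not part of the original post and is not the DomainKeys library's or Exim's code. The function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message resent by a list, so the reverse-path
# belongs to the list host while the headers still name the author.
LIST_RESEND = (
    "From: Alice <alice@example.com>\n"
    "To: exim-users@lists.example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
LIST_REVERSE_PATH = "exim-users-bounces@lists.example.org"

# Constructed sample: both Sender: and From: present, in different domains.
WITH_SENDER = (
    "Sender: secretary@corp.example\n"
    "From: Boss <boss@example.com>\n"
    "\n"
    "body\n"
)


def domain_of(address):
    """Return the lower-cased domain of an address, or None if it has none."""
    _, addr = parseaddr(address or "")
    local, at, domain = addr.rpartition("@")
    return domain.lower() if at and local and domain else None


def sending_domain(raw_message):
    """Pick the domain from Sender: first, then From:, as the post describes."""
    msg = message_from_string(raw_message)
    for header in ("Sender", "From"):
        domain = domain_of(msg.get(header))
        if domain:
            return domain
    return None


def compare_with_reverse_path(raw_message, reverse_path):
    """Return (header domain, envelope domain, whether they agree)."""
    hdr = sending_domain(raw_message)
    env = domain_of(reverse_path)
    return hdr, env, hdr is not None and hdr == env


if __name__ == "__main__":
    print(compare_with_reverse_path(LIST_RESEND, LIST_REVERSE_PATH))
    print(sending_domain(WITH_SENDER))
```

For the list resend the two domains differ, which is why an ACL keyed on $sender_address_domain does not look at the domain the headers name.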