Re: [exim] Experimental Domainkeys

Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [exim] Experimental Domainkeys
On 2006-11-15 at 16:14 +0000, Peter Bowyer wrote:
> However my initial desire to use this to whitelist yahoogroups.com is
> failing because a good proportion of mail from them is reported as
> 'bad' - the DK verification fails. I'm wondering if this is dodgy
> signing from Yahoo, or something going awry in the DK support in Exim,
> or in libdomainkeys.


DomainKeys requires that any mailing-list manager which messes "too
much" with headers re-sign the mail.

I've only just turned on domainkeys, experimental status, policy t=y.
So far, every mail sent directly succeeds. Mail sent via mailman fails
verification, but with "bad format" not "bad".

Using the Perl Mail::DomainKeys and a copy of the failed message which
has been through mailman, there are _two_ things required to get
verification to succeed: remove the Sender: header added by mailman and
move the Subject: header back into the position it had when it was sent.

perl <DK-sample-m2 -MMail::DomainKeys::Message \
-e '$mail = load Mail::DomainKeys::Message(File => \*STDIN) or die "foo1";
$mail->senderdomain or die "foo2, no sender domain";
$mail->signed or die "foo3, unsigned";
if ($mail->verify) { print "DK: signature valid\n" }
else { print "DK: verification failure\n" }'

and change the redirection to be from whichever sample file you have.

I need to do more investigation to see which fixes are needed to get it
past Exim with libdomainkeys as opposed to Mail::DomainKeys.

So, adding the Sender: header with a new mail-domain, whilst leaving the
DomainKey-Signature header present for the other domain, causes
verification to fail, even though it's really "no relevant signature".

This looks to me like a logic flaw in the DK draft, in that if the
Sender: domain does not match any DK header but the From: domain
does, then the From: domain should be tried. That doesn't appear to be
in the spec. What am I missing? The people who wrote DK are
intelligent and must've thought of this.

Is DK really incompatible with mailman as generally deployed? Googling
suggests so, but that newer releases have patches in to work around it.

<URL:http://www.mail-archive.com/mailman-coders@python.org/msg00588.html>

Anyone have any pointers to further information, or reeducation for me?

-Phil
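
Added example (not part of the original message, and not Exim, libdomainkeys or Mail::DomainKeys code): a Python sketch that separates the two failure causes described above, a Sender: domain that differs from the signature's d= domain and a changed order of the signed headers. The sample messages, domains and function names are constructed; it assumes the signature has no h= tag, so every header line after DomainKey-Signature: is signed in message order, and it hashes headers only without doing the RSA check.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr

SIG = "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel; d=example.org; b=CONSTRUCTED\n"
# Constructed samples: the message as signed, the same message after a list
# manager added Sender: and moved Subject:, and a copy with only Subject: moved.
AS_SENT = SIG + "From: alice@example.org\nSubject: hello\nTo: list@lists.example.net\n\nbody\n"
VIA_LIST = (SIG + "Sender: list-bounces@lists.example.net\nFrom: alice@example.org\n"
            "To: list@lists.example.net\nSubject: hello\n\nbody\n")
NO_SENDER = SIG + "From: alice@example.org\nTo: list@lists.example.net\nSubject: hello\n\nbody\n"

def sender_domain(msg):
    """Domain the verifier checks: Sender: if present, otherwise From:."""
    addr = parseaddr(msg.get("Sender") or msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def signature_domain(msg):
    """d= tag of the DomainKey-Signature header, or None if unsigned."""
    parts = msg.get("DomainKey-Signature", "").split(";")
    tags = dict(p.strip().split("=", 1) for p in parts if "=" in p)
    return tags.get("d", "").lower() or None

def signed_header_digest(raw):
    """SHA-1 over the header lines after the signature, in message order.
    Simplified nofws: whitespace stripped per line, folded headers not handled."""
    lines = raw.split("\n\n", 1)[0].split("\n")
    start = next(i for i, l in enumerate(lines)
                 if l.lower().startswith("domainkey-signature:"))
    canon = ["".join(l.split()) for l in lines[start + 1:]]
    return hashlib.sha1("\r\n".join(canon).encode()).hexdigest()

def diagnose(raw, reference=AS_SENT):
    """Classify a copy of the message against the copy that was signed."""
    msg = message_from_string(raw)
    d, sd = signature_domain(msg), sender_domain(msg)
    if d is None:
        return "unsigned"
    if sd != d and not sd.endswith("." + d):
        return f"no relevant signature: sender domain {sd}, signed by {d}"
    if signed_header_digest(raw) != signed_header_digest(reference):
        return "signed headers changed: hash input differs"
    return "signed headers intact"

if __name__ == "__main__":
    for name, raw in (("as sent", AS_SENT), ("via list", VIA_LIST), ("no Sender", NO_SENDER)):
        print(f"{name}: {diagnose(raw)}")
```

The third sample shows why removing Sender: alone is not enough: with Subject: still out of place, the bytes fed to the hash differ from what was signed.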