Re: [exim-dev] [exim] DKIM vs DomainKeys

Top Page
Delete this message
Reply to this message
Author: Magnus Holmgren
Date:  
To: exim-dev
Old-Topics: Re: [exim] [exim-dev] DKIM vs DomainKeys
New-Topics: Re: [exim] [exim-dev] DKIM vs DomainKeys
Subject: Re: [exim-dev] [exim] DKIM vs DomainKeys
On Friday 17 November 2006 11:39, Magnus Holmgren wrote:
> On Friday 17 November 2006 09:31, Tom Kistner wrote:
> > David Saez Padros wrote:
> > > Looks like DKIM will replace DomainKeys, maybe it's time to
> > > do the same in Exim ?
> >
> > I'd be interested in starting this (my current employer may be
> > interested as well, so there'd be an additional incentive).
> >
> > Or did anyone here already start an implementation?
>
> I've been trying to modify dk.c into a dkim.c using libdkim instead of
> libdomainkeys. I'm not quite there yet though.


I've come to the conclusion that it's not possible to simply adapt the
existing dk.c to use libdkim instead of libdomainkeys - the interfaces are
too different, especially for verification.

First, libdomainkeys gives a single result (was the signature OK, who signed,
etc), while libdkim gives a list of all signatures and their respective
status. There is a good reason for this: DomainKeys required the signing
identity to be the address in the Sender: field if it exists, otherwise the
address in the From: field. That has the advantage that it is the identity
shown by the MUAs that will be authenticated. It has the drawback that
mailing list managers that add footers (like this one) will have to re-sign
all mail and change the Sender field.

In DKIM, however, the signing identity is found only in the signature field.
This means that there can be any number of valid (and invalid) signatures.

A reasonable way of handling that could be to let the ACL conditions succeed
if any valid signature matches:

  dkim_sender_domains = <domain list>: Succeeds if any valid signature is made
        by a domain in the list.
  dkim_senders = <address list>,
  dkim_local_parts = <local part list>: Analogous, but note that the local
        part may be empty if the signing server can't guarantee the exact
        identity of the sender.


A dkim_local_parts probably isn't very useful if it can match against any
signature identity.

The expansion variables could represent the earliest valid signature. It's of
course possible to have a $dkim_senders containing a comma-delimited list of
all valid signature identities, but Exim has no good built-in mechanism for
looping over comma-delimited lists of addresses, except in filters
(foranyaddress). The best option probably is ${perl ...}. So, probably some
new expansion conditions might be needed.

-- 
Magnus Holmgren        holmgren@???
                       (No Cc of list mail needed, thanks)


"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans