Author: Peter Bowyer Date: To: exim users Subject: Re: [exim] Rejecting based on domain keys
On 29/03/07, Marc Perkel <marc@???> wrote: >
>
> Magnus Holmgren wrote:
> > On Thursday 29 March 2007 23:27, Marc Perkel wrote:
> >
> >> If a domain has a policy of signsall=1 and there is no signature - is
> >> that good enough to reject the email?
> >>
> >
> > That's up to you if you think that every domain that declares that policy
> > actually follows it. Maybe the probability is greater than for domains with
> > SPF records ending in "-all".
> >
> >
> >> If a message is signed but result is badsig - can I reject it?
> >>
> >
> > That's up to you, but it's not generally recommended, I believe, as the chance
> > is too great that some relay alters the message in a way that breaks the
> > signature.
> >
>
> I see - so altering the message in any way breaks the signature. I
> should probably ignore bad signatures then.
Altering the body certainly does, as I said earlier. What you should
probably do is start gathering stats for the domains of interest, and
take a view on what the percentages of messages are that 'badsig', and
try to do forensics on them.
What I find DK most useful for is whitelisting, not blacklisting - if
I get a good sig from (eg) PayPal, I skip all the other content
checks. Works well for Yahoo Groups, too, so you don't end up bouncing
them and triggering unsubscribes on FPs. (Except that not all YG mails
have good sigs... but that just reduces the coverage, not the
accuracy, in a whitlelist situation).
Moral of story: test and log first, then decide what reject policy to apply.
