Re: [exim] Rejecting based on domain keys

Pàgina inicial
Delete this message
Reply to this message
Autor: Ian Eiloart
Data:  
A: Magnus Holmgren, exim-users
Assumpte: Re: [exim] Rejecting based on domain keys


--On 30 March 2007 00:04:52 +0200 Magnus Holmgren <holmgren@???>
wrote:

> On Thursday 29 March 2007 23:27, Marc Perkel wrote:
>> If a domain has a policy of signsall=1 and there is no signature - is
>> that good enough to reject the email?
>
> That's up to you if you think that every domain that declares that policy
> actually follows it. Maybe the probability is greater than for domains
> with SPF records ending in "-all".


Actually, it's not a question of "following" the policy, but of enforcing
it. If a domain published that policy, they'd also want to pursuade their
users to use their MSA hosts to send mail (instead of the users ISPs, etc).
The thing is, the domain owner can't enforce anything on email that doesn't
flow through their hosts. That's where they require you to do their
enforcement for them.

If a site says "signsall=1", then you should reject anything that breaks
the policy, and refer complainants to the domain owner.

>> If a message is signed but result is badsig - can I reject it?
>
> That's up to you, but it's not generally recommended, I believe, as the
> chance is too great that some relay alters the message in a way that
> breaks the signature.




--
Ian Eiloart
IT Services, University of Sussex
x3148