Re: [exim] Rejecting based on domain keys

Author: Ian Eiloart
Date:  
To: Magnus Holmgren, exim-users
Subject: Re: [exim] Rejecting based on domain keys


--On 30 March 2007 00:04:52 +0200 Magnus Holmgren <holmgren@???>
wrote:

> On Thursday 29 March 2007 23:27, Marc Perkel wrote:
>> If a domain has a policy of signsall=1 and there is no signature - is
>> that good enough to reject the email?
>
> That's up to you if you think that every domain that declares that policy
> actually follows it. Maybe the probability is greater than for domains
> with SPF records ending in "-all".


Actually, it's not a question of "following" the policy, but of enforcing
it. If a domain published that policy, they'd also want to persuade their
users to use their MSA hosts to send mail (instead of the users' ISPs, etc).
The thing is, the domain owner can't enforce anything on email that doesn't
flow through their hosts. That's where they require you to do their
enforcement for them.

If a site says "signsall=1", then you should reject anything that breaks
the policy, and refer complainants to the domain owner.

>> If a message is signed but result is badsig - can I reject it?
>
> That's up to you, but it's not generally recommended, I believe, as the
> chance is too great that some relay alters the message in a way that
> breaks the signature.




--
Ian Eiloart
IT Services, University of Sussex
x3148
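
The receiver-side decision discussed in this thread, as an added example that is not part of the original message and is not Exim code. It assumes the sender's policy arrives as a DomainKeys policy TXT record (RFC 4870 `o=` and `t=` tags, with `o=-` taken to be what the thread calls signsall); the status labels `good`, `badsig` and `nosig`, the function names and the sample records are constructed for illustration.

```python
# Added example: combine a sender's published DomainKeys policy with the
# local verification result to pick an SMTP-time action.

def parse_dk_policy(txt):
    """Parse a DomainKeys policy TXT record (semicolon-separated tag=value)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return {
        # o=- : domain states that it signs all mail; o=~ (default): some mail
        "signsall": tags.get("o", "~") == "-",
        # t=y : domain is still testing, so failures should not be penalised
        "testing": tags.get("t") == "y",
    }

def decide(policy, status, reject_badsig=False):
    """Return (action, reason). status is 'good', 'badsig' or 'nosig'
    (labels assumed for this example)."""
    if status == "good":
        return ("accept", "signature verified")
    if policy["testing"]:
        return ("accept", "sender policy is in testing mode")
    if status == "nosig":
        if policy["signsall"]:
            # The enforcement case argued for in the message above.
            return ("reject", "unsigned mail from a domain that signs all "
                              "mail; contact the sending domain's postmaster")
        return ("accept", "domain does not claim to sign all mail")
    if status == "badsig":
        # Relays can alter a message in transit and break a valid signature,
        # so rejecting here is opt-in rather than the default.
        if reject_badsig:
            return ("reject", "signature did not verify")
        return ("accept", "broken signature tolerated")
    raise ValueError("unknown status: %r" % status)

if __name__ == "__main__":
    # Constructed sample policy records and verification results.
    for record, status in [("o=-", "nosig"), ("o=~", "nosig"),
                           ("o=-", "badsig"), ("o=-; t=y", "nosig")]:
        print(record, status, decide(parse_dk_policy(record), status))
```
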