Re: [exim] DKIM

Author: W B Hacker
To: exim users
Subject: Re: [exim] DKIM
david.robertson@??? wrote:
> The fault is with the RFC. 'Tis too vague on various points. Such as third party senders.
> To my mind DKIM will go the same way as SPF. There needs to be a better policy introduced for controlling spam.
> The death penalty comes to mind;-)
> David

+ rDNS fail (hard score)

+ dynamic-IP RBL hit (hard score)

+ HELO not matching to FQDN of connected IP (softer score)

+ 15s delay (zombots are impatient)

+ Local & remote BL of the hard-core

- a relatively modest White List ..

*IS* near-as-dammit a 'death penalty' for spam.

How does an infected WinBox get itself past those?

Cheap, cheerful, no need for greylisting, light ClamAV, SA and similar
resource loads.

Enough of us do the basics, there is no need for SPF or DKIM, and sloppy
DNS entries of legit MTAs will get cleaned up 'Real Soon Now'.

But it will *never* happen so long as we take the obsolete 'be generous
with what you accept' road.

Zombots rely on that ...

Starve 'em!


> On Mon, 30 Mar 2009 15:33:39 -0700, Phil Pennock <exim-users@???> wrote:
>> On 2009-03-30 at 16:56 +0100, Mike Cardwell wrote:
>>> Tom Kistner wrote:
>>>>> There are a number of known issues with Exim's current (experimental)
>>>>> DKIM support; Tom Kistner has been working on a complete overhaul,
>>>>> replacing the use of libdkim with self-contained DKIM support, designed
>>>>> for Exim. I'm eagerly awaiting the results of his work. :)
>>>> I just finished wrapping the pure DKIM stuff into a library
>>>> ( Now I'll change the Exim
>>>> implementation. Verification will be done with a new ACL (acl_smtp_dkim)
>>>> that is called once per present DKIM-Signature. Signing will be unchanged.
>>>> I think when this is in we should finally release a 4.70 ...
>>> So acl_smtp_dkim wouldn't be called if there was no signature? But, you
>>> still might want to validate even if there is no signature. The DNS
>>> policy for the domain might state that the email *must* be signed. I
>>> don't see how this would work...?
>> At a guess: you set an ACL variable in the acl_smtp_dkim variable and
>> test for the variable in acl_smtp_data ? Sender signing policy is
>> independent of signature verification. (There have been enough holy
>> wars on this topic already though)
>> -Phil
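
The hand-off suggested in the quoted thread (record the verification result in acl_smtp_dkim, enforce the signing requirement in acl_smtp_data), sketched as an added example that is not from any poster or from the Exim project. It assumes the `dkim_status` / `dkim_signers` conditions as they appear in released Exim, which this thread predates; the ACL names, the variable `acl_m_dkim_pass` and the domain list are hypothetical.

```exim
# --- main configuration section ---
# ACL names are chosen for this example.
acl_smtp_dkim = acl_check_dkim
acl_smtp_data = acl_check_data

# Hypothetical local policy: sender domains that must be signed.
# (Constructed sample values; replace with your own list.)
domainlist must_sign_domains = example.com : example.net

begin acl

acl_check_dkim:
  # Only runs when there is a signature to evaluate. Record a pass only
  # when the signer being evaluated is the envelope sender's domain, so
  # an unrelated third-party signature does not satisfy the policy.
  warn    dkim_status         = pass
          dkim_signers        = $sender_address_domain
          set acl_m_dkim_pass = yes

  # Never reject here: a bad or foreign signature is treated the same
  # as no signature, and the decision is left to the data ACL.
  accept

acl_check_data:
  # Runs for every message, signed or not. If the sender domain is on
  # the must-sign list and no aligned, valid signature was recorded
  # above, refuse the message. This covers the unsigned case that the
  # DKIM ACL alone can never see.
  deny    sender_domains = +must_sign_domains
          condition      = ${if !def:acl_m_dkim_pass}
          message        = Mail from $sender_address_domain requires a valid DKIM signature

  accept
```

`acl_m_` variables are reset for each message, so a pass recorded for one message on a connection does not carry over to the next.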