Re: [exim] DKIM ADSP (Author Domain Signing Practices) ACL

Pàgina inicial
Delete this message
Reply to this message
Autor: Murray S. Kucherawy
Data:  
A: Bryan Rawlins, exim-users@exim.org
Assumpte: Re: [exim] DKIM ADSP (Author Domain Signing Practices) ACL
> -----Original Message-----
> From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org]
> On Behalf Of Bryan Rawlins
> Sent: Friday, January 07, 2011 12:45 PM
> To: exim-users@???
> Subject: [exim] DKIM ADSP (Author Domain Signing Practices) ACL
>
> I've created an ACL to check DKIM ADSP policies and act accordingly.
> The relevent RFC is 5617
> http://tools.ietf.org/html/rfc5617
>
> ADSP is certainly not use much currently, and I fear it'll be about as
> accurate as SPF if it ever does become more widely used, but here's what
> I came up with.


A few things about the protocol in particular and not about your ACL work:

First, it's very easy for this to produce false negatives. If a sender posts an ADSP "all" or "discardable" policy and then signs its mail but the mail transits an MTA that alters it in a way that the signature will no longer validate, then on delivery the ADSP check will fail and you will get these warnings, even though both you and the sender did things by-the-book.

Second, it's very easy for a sending site to get this wrong. Without a full audit, it's possible that there's a vector for unsigned mail to depart a domain that advertises a strict policy, resulting in unintentional false positives. For example, one popular open source MTA generates bounces without passing them through any of the configured filters (such as, say, a filter that does DKIM signing) so they go out unsigned, which might contradict that domain's published ADSP statement.

Third, it's very easy for use of ADSP to be unintentionally disruptive. If X sends DKIM-signed mail to list Y, and X posts a strict ADSP policy, and then the list modifies the Subject: field (which breaks the signature) before relaying it to Z, then when Z does an ADSP evaluation, the posting from X will appear to have failed ADSP, causing a false negative. Where Z then generates a bounce (not because of your ACL necessarily, but just in general) that goes to the list manager at Y, Y might then unsubscribe Z from the list because mail to Z is bouncing even though everyone involved can argue that he/she is behaving according to spec. So you're right in the sense that it has an SPF-like false negative capacity with potentially dangerous results.

Caveat emptor.

-MSK