Re: [exim] Experiences with RFC 8301 (DKIM)

Author: Bill Cole
Date:
To: Yves Goergen via Exim-users
CC: nospam.list
Subject: Re: [exim] Experiences with RFC 8301 (DKIM)
On 2021-06-22 at 07:45:35 UTC-0400 (Tue, 22 Jun 2021 13:45:35 +0200)
Yves Goergen via Exim-users <nospam.list@???>
is rumored to have said:

> Hello,
>
> I've set up my mail server with Exim so that it obeys the restrictions
> in RFC 8301. That means that DKIM signatures with SHA-1 hashing or
> keys shorter than 1024 bit are rejected. Also, other messages with
> invalid or mismatching signatures are rejected.


RFC 8301 does NOT say that messages with invalid, mismatching, or
cryptographically obsolete signatures should be rejected. RFC 6376,
which 8301 is an addendum for, also does not say that non-conformant
messages should be rejected. To the contrary, RFC 6376 says that a bad
or missing signature SHOULD NOT be the sole basis for rejecting a
message. See https://datatracker.ietf.org/doc/html/rfc6376#section-6.3

Doing so guarantees that you will reject legitimate email.

> That causes a bit of trouble because many mail servers out there seem
> to be sending out messages with outdated, invalid or broken DKIM
> signatures. That leads to those messages being rejected when they
> should actually be delivered.


You should fix this by following the recommendations of the relevant
RFCs.

If you have your heart set on rejecting non-compliant messages, you may
find it helpful to also deploy DMARC, which provides a reasonable
framework for selectively rejecting messages with bad/broken/faked
signatures based on the domains of the putative signers and senders.

> Is DKIM usage so broken beyond repair that I should instead completely
> ignore it?


That is not your only option.

DKIM is useful for definitively identifying non-forgeries, for an
unintuitive definition of non-forgery. Because it is inherently fragile,
it cannot definitively identify forgeries. In conjunction with DMARC, it
can do a bit better with a more sensible delineation of verified and
non-verified messages and of how they should be handled.

> Among those broken servers are eBay (none of their messages appears
> here), several mailing lists (not sure if it's also this one) and
> other companies who should be serious about digital security (but may
> not have digital expertise themselves).
>
> What are your experiences with DKIM validation and especially that RFC
> 8301? I'd like to know how to proceed with this. Currently I'm
> explaining my mailbox users that the senders' mail server
> configuration is broken and needs repair. But not everybody accepts
> that.


Rejecting mail simply because it does not comply with RFC 8301 and
RFC 6376 is itself an indication of a broken mail server and that needs
repair.

> -Yves (please CC me when replying)


I am doing so, however in return I ask that you respect my Reply-To
header and DO NOT send me duplicates of messages sent to this (or any
other) mailing list.

--
Bill Cole
bill@??? or billcole@???
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
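As an added example (not part of Bill Cole's reply and not Exim project code), here is how the two policies discussed above look side by side in an Exim DKIM ACL: the hard-reject variant the original post describes, left commented out, beside one that follows RFC 8301 and RFC 6376 section 6.3 by treating SHA-1 or sub-1024-bit signatures as if they were absent, logging failures, and leaving any rejection to a later DMARC decision. The ACL name acl_check_dkim and the log wording are my own choices; the variables ($dkim_verify_status, $dkim_verify_reason, $dkim_algo, $dkim_key_length, $dkim_cur_signer) are Exim's standard DKIM ACL variables, and newer Exim releases also offer the main options dkim_verify_hashes and dkim_verify_min_keysizes for the same purpose.

```exim
# Main section: run this ACL once for each DKIM signer found in the message.
acl_smtp_dkim = acl_check_dkim

begin acl

acl_check_dkim:
  # --- The policy the original post describes (not recommended) ---
  # Rejecting solely on a weak or failing signature contradicts RFC 6376 s6.3
  # and drops legitimate mail from senders whose signing setup is broken.
  # deny  condition = ${if or{{eq{$dkim_verify_status}{fail}} \
  #                          {eq{$dkim_algo}{rsa-sha1}} \
  #                          {and{{def:dkim_key_length}{<{$dkim_key_length}{1024}}}}}}
  #       message   = DKIM signature from $dkim_cur_signer rejected

  # --- RFC 8301 policy: a weak signature counts as no signature ---
  # Log it so the operator can see which signers lag behind, but do not reject.
  # The def: guard avoids a numeric comparison on an empty value when the
  # public key could not be fetched.
  warn  condition = ${if or{{eq{$dkim_algo}{rsa-sha1}} \
                            {and{{def:dkim_key_length}{<{$dkim_key_length}{1024}}}}}}
        logwrite  = DKIM: treating weak signature from $dkim_cur_signer as unsigned ($dkim_algo, key ${if def:dkim_key_length{$dkim_key_length}{?}} bits)

  # A signature that fails to verify is evidence, not a verdict on its own.
  warn  condition = ${if eq{$dkim_verify_status}{fail}}
        logwrite  = DKIM: signature from $dkim_cur_signer failed ($dkim_verify_reason)

  # Always continue here; a DMARC check in the DATA ACL can still reject when
  # the From: domain publishes p=reject and neither DKIM nor SPF aligns.
  accept
```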