I've previously read the RFCs and I think I understand them.  I've read
through the Mail::DKIM documentation, and paid especially close attention
to:
http://search.cpan.org/~mbradshaw/Mail-DKIM-0.42/lib/Mail/DKIM/Signature.pm#identity()_-_get_or_set_the_signing_identity_(i=)_field
I understand what you're validating.

Remember how last month you told me to stop asking about DKIMNP / DKIMWL
because it wasn't possible, but I kept asking, and you found a way and now
it benefits it all?  Well, I think my persistence here could net the same
result, so I'll ask once more, with respect: can you take a second and
explain your reasoning for not having ASSP look to the domain field?
You're the expert here, there has to be a reason, I just don't know what it
is, so please give me an explanation other than simply saying that ASSP
only uses DKIM.pm's identity function (which as I'm reading it does do
anything if there's no i=).

I understand that ASSP uses signature->identity, I've seen in the code and
you've said that it uses the signature's identity.  I get it.  But why
doesn't it also look at the signature's domain?
$signature->domain().
http://search.cpan.org/~mbradshaw/Mail-DKIM-0.42/lib/Mail/DKIM/Signature.pm#domain()_-_get_or_set_the_domain_(d=)_field

Mail::DKIM supports it.  d= is required.  i= is optional.  75% of signed
mail that I've seen inbound only has d=.

I hope I've made my reasoning for wanting this clear in the previous
messages, but I can give more examples if you need.  I just don't see why
we wouldn't want at least the option to have ASSP also look to the
signature domain entry as a way of validating for that 75% of the time that
the signature identity (i= line) isn't there.   Wouldn't what I'm proposing
give us a way to WL or NP this mail with reliability?

I could probably hack something together to consider this, but my ugly
coding has no place in your masterpiece.  I'm at your mercy.






On Mon, Mar 26, 2018 at 10:44 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> again:
>
> ASSP uses the DKIM signature identity
>
> If you don't know what a DKIM signature identity is, how it is built,
> which DKIM tags and MIME header lines are how used .....
>
> from the dkimconfig.txt
>
> ...
> Please read RFC 4871 or the documentation of the Perl module
> Mail::DKIM ....
>
>
> The latest RFC for DKIM is
>
>
> RFC 6376 DKIM Signatures September 2011
>
>
> And don't bother me again with this!
>
> Thomas
>
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        26.03.2018 16:31
> Subject:        Re: [Assp-test] New DKIM Whilelisted Addresses Feature
> ------------------------------
>
>
>
> I understand that, and I sense your frustration, but I'm obviously not
> understanding something.
>
> Thanks for the changes in 18085.  It looks like there's going to be some
> great enhancements to work with.  Every little bit helps, and these are
> some pretty big bits!  Thanks.
>
> Still, I don't understand why validating DKIM only when it has an i=
> record is what we'd want.  Isn't d= signing without i= almost as useful?
> All the tests I've done with DKIM sent to other providers seem to indicate
> valid signatures even without the i=
>
> So why isn't ASSP coded to also consider the domain?  Why wouldn't we want
> it to?   Is d= not also a good way of showing that a message is really
> coming from the domain it claims to be?    Yes, i= identifies the specific
> address and is more granular, but as I understand it d= validates the
> domain generally which is useful.
>
> Please hear me out by listening to this specific example.  There's lots
> more where this is a real world problem that could be solved as I see it by
> d= dkim validation.
> Take authentication emails from Microsoft for example, where they are
> signed only with d=accountprotection.microsoft.com without an i= line.   To be
> able to automatically NP these when we know the DKIM is valid would be
> invaluable.  It's exactly these types of emails that have a tendency to be
> erroneously tagged as spam.  Their body sounds a lot like the scam versions
> that are regularly intercepted.  It comes from the Office365 service, so we
> can't senderbase allow that.  Scammers often send mail from the same
> account-security-nore...@accountprotection.microsoft.com address, so we
> can't whitelist that.  Even if we could magically pass it based on a SPF
> match alone, that wouldn't work because scammers could also send spoofed
> through the same set of Office365 public servers.
>
> A d= DKIM signature shows that someone who controls the DKIM record
> provided a signing key to the server that sent this mail.  We know that
> these are always DKIM signed, but because ASSP ignores the valid d= (only)
> signature and only looks for i=, the signature in this example isn't
> validated.  I don't understand why validating d= as well wouldn't be the
> desired functionality.
>
> DKIM i= records are gold, but d= only records are pretty close to perfect
> too, so will you please reconsider changing ASSP to do so?
>
>
>
> On Mon, Mar 26, 2018 at 2:18 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> again:
>
> ASSP uses the DKIM signature identity
>
> Thomas
>
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        25.03.2018 19:04
> Subject:        Re: [Assp-test] New DKIM Whilelisted Addresses Feature
> ------------------------------
>
>
>
> Is there a particular reason that ASSP can't also look to the d= tag?
>
> 2 thoughts here:
> 1) Unless I have something misconfigured, when ASSP sends DKIM signed mail
> it doesn't use an i= tag.  Shouldn't ASSP be accepting of that for incoming
> mail?
>
> 2) Doing a very unscientific review of various inbound messages, of those
> that are DKIM signed, less than 25% seem to have the identity tag.  They
> all obviously have the d= tag.     Sure, i= is great, but if most have only
> the d= tag, why aren't we taking that into account?  The perl module seems
> to support it.  If the signature validates using the d=, shouldn't we treat
> this as validated?  I must not be understanding something.
>
>
>
> On Sun, Mar 25, 2018 at 4:57 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> ASSP uses the DKIM signature identity, which is mostly the i= tag. DKIM
> signatures without an identity are invalid. The i= tag is only one way (of
> multiple) to define a DKIM identity
>
> Thomas
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        24.03.2018 15:26
> Subject:        Re: [Assp-test] New DKIM Whilelisted Addresses Feature
> ------------------------------
>
>
>
> The gui says that these 2 new features check the i= line.  Lots of
> messages I'm seeing only have the d= entry (including mail sent through
> other ASSP servers).  Could we check that as well?
>
> On Tue, Mar 20, 2018 at 2:48 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> >let people know that senderbase matches will be put in okay mail (not in
> notspam)
>
> Collecting HAM is done flag (no flag, whitelisted, noprocessing) based and
> like configured.
>
> Thomas
>
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        19.03.2018 14:55
> Subject:        Re: [Assp-test] New DKIM Whilelisted Addresses Feature
> ------------------------------
>
>
>
> Sorry for the multiple messages on this, but thanks as always for the
> update!
>
> When I read "the mail will be *processed as* whitelisted" I got worried
> that it would be treated exactly as whitelisted, which could mean added to
> the whitelist itself.  So, based on your note, I'd suggest changing the
> description of DKIMWLAddresses from
> If a valid DKIM or DomainKey signature is found and the signature identity
> tag (i=u...@domain.tld) matches any of these addresses, the mail will be
> processed as Whitelisted.
> to
> If a valid DKIM or DomainKey signature is found and the signature identity
> tag (i=u...@domain.tld) matches any of these addresses, the mail will be
> passed and saved as if it were Whitelisted. The message will pass all
> filters and will be added to the notspam corpus just like mail from a
> whitelisted sender would be.  Unlike a true whitelisted sender, no
> whitelist address additions will be made
>
> Also, maybe put something in the SenderBase section to let people know
> that senderbase matches will be put in okay mail (not in notspam) and that
> people might also consider the DKIMWLAddresses to add to the notspam
> corpus if there's a DKIM match?
>
>
>
>
>
> On Mon, Mar 19, 2018 at 3:24 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> >will this actually add the other non-local addresses to the whitelist
> itself based on the NotGreedyWhitelist setting?
>
> No.
>
> Thomas
>
>
>
>
>
> From:        "K Post" <nntp.p...@gmail.com>
> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date:        18.03.2018 20:34
> Subject:        Re: [Assp-test] New DKIM Whilelisted Addresses Feature
> ------------------------------
>
>
>
>
> SORRY, -  I meant to kill the last message and start over, but hit send
> inadvertently.
>
> Thanks again for implementing this.
>
> If there's a match in the DKIM Whitelisted Addresses file will this
> actually add the other non-local addresses to the whitelist itself based on
> the NotGreedyWhitelist setting?   I hope not.   If so, can we get another
> file option like DKIMTreatAsNotSpamAddresses which would treat the message
> as if it were whitelisted in terms of letting the message through and
> storing it in notspam, but not actually whitelisting the from and other
> addresses?
>
>
>
> On Sun, Mar 18, 2018 at 2:22 PM, K Post <nntp.p...@gmail.com> wrote:
>
> Thanks again for implementing this.
>
> Question, if I have something like
> u...@domain.tld
> in the DKIMWLAddresses file
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! *http://sdm.link/slashdot*
> <http://sdm.link/slashdot>
> _______________________________________________
> Assp-test mailing list
> *Assp-test@lists.sourceforge.net* <Assp-test@lists.sourceforge.net>
> *https://lists.sourceforge.net/lists/listinfo/assp-test*
> <https://lists.sourceforge.net/lists/listinfo/assp-test>
>
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
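
Added example, not part of the thread and not ASSP or Mail::DKIM code: RFC 6376 section 3.5 gives an absent i= tag the default value of an empty local part followed by "@" and the d= domain, and requires the i= domain to be the d= domain or a subdomain of it. The sketch below resolves both values from a DKIM-Signature header and shows how an address-level and a domain-level allow-list entry then behave. The header values, `allowlist_hit` and its entry syntax are constructed for illustration, and the signature is assumed to have already verified cryptographically.

```python
import re

# Constructed sample DKIM-Signature values (bh=/b= are placeholders, not real signatures).
D_ONLY = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
          "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
WITH_I = D_ONLY.replace("d=example.com;", "d=example.com; i=alerts@mail.example.com;")
BAD_I = D_ONLY.replace("d=example.com;", "d=example.com; i=alerts@example.net;")


def parse_tag_list(header_value):
    """Parse a DKIM-Signature tag-list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue  # a trailing ";" is allowed
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError("malformed tag: %r" % part)
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)  # whole list is invalid
        # Simplification: drop folding whitespace; i= quoted-printable is not decoded.
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def signing_identity(header_value):
    """Return (SDID, AUID); the AUID falls back to '@' + d= when i= is absent."""
    tags = parse_tag_list(header_value)
    sdid = tags.get("d", "").lower()
    if not sdid:
        raise ValueError("d= is required")
    auid = tags.get("i", "@" + sdid)
    local, _, domain = auid.rpartition("@")
    domain = domain.lower()
    if "@" not in auid or not (domain == sdid or domain.endswith("." + sdid)):
        raise ValueError("i= domain must equal d= or be a subdomain of it")
    return sdid, local + "@" + domain


def allowlist_hit(entry, header_value):
    """Hypothetical matcher: 'user@dom' must equal the AUID, '@dom' must equal the SDID."""
    sdid, auid = signing_identity(header_value)
    entry = entry.strip().lower()
    if entry.startswith("@"):
        return entry[1:] == sdid
    return entry == auid.lower()  # case-insensitive compare, a simplification


if __name__ == "__main__":
    for name, hdr in (("d= only", D_ONLY), ("d= and i=", WITH_I)):
        print(name, signing_identity(hdr),
              allowlist_hit("alerts@mail.example.com", hdr),
              allowlist_hit("@example.com", hdr))
```
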
