Florian,

> I currently work on implementing DKIM signing in my amavisd-new with
> Postfix. All key tests result in passed, and sending signed e-mail out
> of lists results in correct verification.
> 
> However, I have problems with signing my hosted mailing lists -- as
> footers are added and subjects are modified, the DKIM signature is
> broken. As far as I understood, this does no harm, and is normal --
> signing only parts of the body has to be implemented on the sender's
> side, which I can't influence.

Well, yes, although 'signing only parts of the body' (tag 'l') is
not very useful, as it can too easily be abused. The sooner we
forget it exists, the better.

If these signatures are from the domain which also runs a mailing list
(as opposed to a signature of an author of each post), then these signatures
should have been added on the fan-out side of their mailing list manager,
i.e. after all the mangling of a message has already been made.

> Therefore, I decided to sign all mailing lists myself with third-party
> signatures, so they get out with valid signatures.

Ok.

> It looks, however, as if amavisd-new only adds third-party signatures when
> the sender is not from one of my hosted domains.

It tries to add the best available signature, subject to overrides in
@dkim_signature_options_bysender_maps. A signing domain matching
an author domain (From) is considered better than other matches.

If a message already contains a *valid* signature from a domain
which we are just considering adding, then a duplicate will not be added
(which solves a case when a message passes (unchanged) through amavisd
multiple times for some reason).

Grep a log (level 2 or higher) and search for ' dkim: ' (space before and
after). These log entries explain the choices made about signing.

> This results in broken signatures,
> when someone of my users sends to one of my mailing lists. When a
> third party, e.g. @gmail.com, sends to the lists, the third-party
> signature is added and valid.
> 
> Here are the relevant configuration parts:
> 
> dkim_key('second-domain.tld', '20110105', '/etc/amavis/second-domain.tld.key.pem');
> dkim_key('first-domain.tld', '20110105', '/etc/amavis/second-domain.tld.key.pem');
> dkim_key('lists.second-domain.tld', '20110105', '/etc/amavis/second-domain.tld.key.pem');
> dkim_key('lists.first-domain.tld', '20110105', '/etc/amavis/second-domain.tld.key.pem');
> 
> dkim_signature_options_bysender_maps => [  {
>  'second-domain.tld' => { d => 'second-domain.tld', c => 'relaxed/simple' },
>  'first-domain.tld' => { d => 'first-domain.tld', c => 'relaxed/simple' },
>  'lists.second-domain.tld' => { d => 'lists.second-domain.tld', c => 'relaxed/simple' },
>  'lists.first-domain.tld' => { d => 'lists.first-domain.tld', c => 'relaxed/simple' },
> } ], };
> 
> Did I miss a configuration?

Is the 'dkim_signature_options_bysender_maps => ...' syntactically part
of a policy bank hash (key/value pairs)? If it is not but is a global setting,
then your syntax is wrong; you need a proper assignment to a variable
@dkim_signature_options_bysender_maps, not a key=>value pair.

In your case that would be:

@dkim_signature_options_bysender_maps = ( {
  'second-domain.tld' => { d => 'second-domain.tld', c => 'relaxed/simple' },
  'first-domain.tld' => { d => 'first-domain.tld', c => 'relaxed/simple' },
  'lists.second-domain.tld' => { d => 'lists.second-domain.tld', c => 'relaxed/simple' },
  'lists.first-domain.tld' => { d => 'lists.first-domain.tld', c => 'relaxed/simple' },
} );

> Is there an option to always enforce
> signing with third-party signatures?

The @dkim_signature_options_bysender_maps is such an option.

> I did another test with a list that resides at a domain I also use for
> regular e-mail, sent from gmail.com with DKIM, and the signature isn't
> third party either. Quick guess is that dkim_key has precedence over
> dkim_signature_options_bysender_maps and when the sender is covered by
> the former one, the latter one doesn't kick in.

The @dkim_signature_options_bysender_maps has precedence
over declared keys.

  Mark
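Added illustration, not code from the thread or from amavisd: the body half of c=relaxed/simple is 'simple' body canonicalization (RFC 6376 section 3.4.3), and the bh= computed over it changes as soon as a list manager appends a footer. The same function also shows why the body-length tag 'l' is risky, as Mark notes: with l= fixed to the original body length, the appended footer is simply not covered by the hash. The message bodies and footer below are constructed samples.

```python
import base64
import hashlib
from typing import Optional


def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: normalise line endings to
    CRLF, then remove trailing empty lines so the body ends in exactly one
    CRLF (an empty body becomes a single CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """Return the bh= value (base64 SHA-256) of the canonicalised body.
    If `length` is given, it plays the role of the l= tag: only the first
    `length` canonicalised octets are hashed."""
    canon = simple_body_canon(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


# Constructed sample: what the author sent, and what the list delivers.
ORIGINAL_BODY = b"Hello list,\r\nplease review the patch.\r\n"
LIST_FOOTER = b"\r\n-- \r\nlists.first-domain.tld mailing list\r\n"
DELIVERED_BODY = ORIGINAL_BODY + LIST_FOOTER


def footer_effect() -> dict:
    """Compare bh= over the original and the footer-appended body, both
    for a full-body signature and for one limited by l= to the original
    canonicalised length (the case in which the footer goes unverified)."""
    l_tag = len(simple_body_canon(ORIGINAL_BODY))
    return {
        "full_hash_survives": body_hash(ORIGINAL_BODY) == body_hash(DELIVERED_BODY),
        "l_tag_hash_survives": body_hash(ORIGINAL_BODY) == body_hash(DELIVERED_BODY, l_tag),
        "l_tag": l_tag,
    }


if __name__ == "__main__":
    print(footer_effect())
```

A verifier seeing the full-body bh= mismatch is exactly what breaks the author-domain signature Florian observes; the Subject tag prepended by the list breaks the header hash independently of this.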

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 