Installing DKIM

2008-12-07 Thread LuKreme
In looking for methods to install DKIM with postfix I am running into  
some old info and some new info.  It looks like the best way to handle  
DKIM is using the plugin feature of postfix and use the sendmail  
milters.


The other question is what do most people do with the check on the  
DKIM if a message fails, reject outright?  Won't this mess up any  
forwarded mail?


--
I can't die, I haven't seen The Jolson Story  - Jetboy



Re: Installing DKIM

2008-12-07 Thread mouss
LuKreme wrote:
> In looking for methods to install DKIM with postfix I am running into
> some old info and some new info.  It looks like the best way to handle
> DKIM is using the plugin feature of postfix and use the sendmail milters.

if you use amavisd-new, then it supports DKIM (assuming you have a
recent version).

otherwise, you can use the dkim milter.

dkim proxy works as well.


> The other question is what do most people do with the check on the DKIM
> if a message fails, reject outright?  Won't this mess up any forwarded
> mail?

I wouldn't reject. I actually leave verification to spamassassin.


Re: Installing DKIM

2008-12-07 Thread Victor Duchovni
On Mon, Dec 08, 2008 at 02:01:05AM +0100, mouss wrote:

> > The other question is what do most people do with the check on the DKIM
> > if a message fails, reject outright?  Won't this mess up any forwarded
> > mail?
>
> I wouldn't reject. I actually leave verification to spamassassin.

It would sure help to read the DKIM RFC, mail with a failed signature must
be treated as though the message is unsigned. DKIM is an authentication
mechanism, that can be used for whitelisting (positive reputation),
it is NOT to be used for detecting junk email.

For now there are no worthy publicly available positive reputation
databases where you can query the DKIM domain, so the whitelisting
is done on a case-by-case basis at each receiving domain.

The SSP (sender-signing-policy) RFC is AFAIK not yet published, and
IMHO has serious design flaws, so I don't expect to see broad support
for using SSP to reject mail from the few domains that will be in
a position to make SSP assertions.

The marketing departments of various technology shops that tell you
that DKIM can help you fight phishing are, I believe, misguided
or guilty of wishful thinking.

Do NOT use DKIM to reject unsigned mail or mail with a broken signature.
If you don't intend to whitelist any DKIM senders, don't bother validating
DKIM signatures, there is little point in doing so.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:[EMAIL PROTECTED]

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the Subject so I can delete these quickly.
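
Added example, not part of the thread or any poster's code: a Python sketch of the policy Victor describes above, where a DKIM pass from a locally whitelisted signing domain earns a whitelist and every other outcome is handled as unsigned mail. It assumes the local verifier (for example a DKIM milter) records its result in an Authentication-Results header; the authserv-id, whitelist entry and sample header values are constructed assumptions.

```python
import re

# Assumptions (not from the thread): the authserv-id our own verifier writes,
# and the signing domains this site has decided to whitelist.
TRUSTED_AUTHSERV_ID = "mx.example.org"
WHITELISTED_SIGNERS = {"example-bank.test"}

DKIM_CLAUSE = re.compile(r"\s*dkim=(\w+)", re.I)
SIGNING_DOMAIN = re.compile(r"\bheader\.d=([\w.-]+)", re.I)


def passing_signers(auth_results_values):
    """Return d= domains with dkim=pass recorded by our own verifier."""
    signers = set()
    for value in auth_results_values:
        authserv_id, _, results = value.partition(";")
        # Skip headers we did not add ourselves: senders can forge them.
        if authserv_id.strip().lower().split(" ")[0] != TRUSTED_AUTHSERV_ID:
            continue
        for clause in results.split(";"):
            result = DKIM_CLAUSE.match(clause)
            domain = SIGNING_DOMAIN.search(clause)
            if result and domain and result.group(1).lower() == "pass":
                signers.add(domain.group(1).lower().rstrip("."))
    return signers


def dkim_disposition(auth_results_values):
    """Return 'whitelist' or 'normal'. There is deliberately no 'reject'."""
    if passing_signers(auth_results_values) & WHITELISTED_SIGNERS:
        return "whitelist"
    # fail, none, temperror, or no header at all: treat as unsigned mail
    # and let the usual content filtering decide.
    return "normal"


# Constructed sample header values (unfolded), one list per message.
SAMPLES = {
    "valid": ["mx.example.org; dkim=pass header.d=example-bank.test"],
    "broken": ["mx.example.org; dkim=fail (body changed) header.d=example-bank.test"],
    "unsigned": ["mx.example.org; dkim=none"],
    "forged": ["relay.other.test; dkim=pass header.d=example-bank.test"],
    "unlisted": ["mx.example.org; spf=pass smtp.mailfrom=a.test; dkim=pass header.d=a.test"],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:9} -> {dkim_disposition(headers)}")
```

The whitelist is keyed on the signature's `d=` domain rather than the From: address, and a broken signature on forwarded mail gets the same disposition as no signature.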


Re: Installing DKIM

2008-12-07 Thread LuKreme

On 7-Dec-2008, at 18:50, Victor Duchovni wrote:
> Do NOT use DKIM to reject unsigned mail or mail with a broken signature.
> If you don't intend to whitelist any DKIM senders, don't bother validating
> DKIM signatures, there is little point in doing so.



My main intent is to try to flag mails claiming to be from paypal that  
aren't, so I think maybe just DKIM support in SpamAssassin is the way  
to go.


--
Heisenberg's only uncertainty was what pub to vomit in next and
Jung fancied Freud's mother too.  -- Jared Earle



Re: Installing DKIM

2008-12-07 Thread Victor Duchovni
On Sun, Dec 07, 2008 at 08:14:17PM -0700, LuKreme wrote:

> My main intent is to try to flag mails claiming to be from paypal that
> aren't, so I think maybe just DKIM support in SpamAssassin is the way
> to go.

http://archives.neohapsis.com/archives/postfix/2007-11/0495.html

-- 
Viktor.



Re: Installing DKIM

2008-12-07 Thread Byung-Hee HWANG

LuKreme wrote:
> [...]
> The other question is what do most people do with the check on the DKIM
> if a message fails, reject outright?  Won't this mess up any forwarded
> mail?


Because DKIM and related specifications are in a transition stage,
it is not good to reject directly if a message fails.


Instead, most people recommend using it with SpamAssassin.

pass: +some
fail: -some

Or it is also good to use amavisd-new. See
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim ;;


byunghee