Jerry,

It is easy to verify messages, because verification instructions are
essentially built in to the message. Signing messages, however, is a
little more complex. You can read the spec
(http://www.ietf.org/rfc/rfc4870.txt), or check my descriptions below:

To verify a signed message:

After the DomainKeyVerifier mailet has processed a message, a
"DomainKey-Status" header is added to the message. This header
contains the results of the verification, and will be one of the
following values:
    good
    bad
    revoked
    bad format
    internal error
    no key
    no signature
    non participant

Most of these only hint at the legitimacy of the email and are not a
conclusive sign that the message may be valid or spam.  However, you
should be able to whitelist "good" ones, and immediately mark "bad"
or "revoked" ones as spam. You can check the official spec if you want
the official definition of the status header.



To sign a message:

The DK verification process is done using public/private key
encryption. This means that the message signature is created using a
private key (that only you know), and can be verified by a public key
(which is made available to anyone in the world).

Each domain that will be sending signed email must have a DNS entry
that contains a public key. Since organizations may not want to be
limited to a single key, a "selector" must also be determined. The
"selector" can be any arbitrary alphanumeric string of your choosing.
The "selector" is combined with the domain name to determine the DNS
name under which the public key is published. You must set up the DNS
record at "_domainkey.SELECTORNAME.yourdomainname.com".

After a DNS record is set up for each domain you wish to sign, you can
configure the DomainKeySigner mailet. You mentioned that your server
sends mail for over 50 different domains. As currently coded, you will
need 50 different DomainKeySigner mailet instances in your
configuration. However, if you're willing to change the source code
yourself, you can save yourself some entries in the config.xml.

If possible, I suggest that you use the same key to sign all the
different domains. You still have to publish a DomainKey DNS record
for each different domain, but the contents of the entries can be
roughly the same. You will have to change the source code to use the
domain specified by the "FROM" when signing the message, rather than
by using the hard-coded configuration entry.


Here is a more explicit definition of the DomainKeySigner mailet parameters:

    privateKeyFile - Required. The name of a file that contains the
private key that will be used to sign this message.

    domain - Required. The domain name from which the message is sent.

    selector - Required. The name of the selector to be associated
with the signature.

    canonicalization - Required. Accepted values are currently "simple"
or "nofws". You should use "nofws" if you're unsure.

    hashType - Required. Accepted values are currently "SHA1" or "SHA256".

    signableHeaders - Optional. A comma-separated list of header names
that will be signed. See the spec for details.



I'm sorry a simple turn-key solution is not available, but in the
interest of stopping SPAM on the internet, I'll be happy to help you
get this up and running. Please ask any more questions as they arise.

Tom Brown
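The signing and verification flow Tom describes, as an added example that is not code from this thread or from the Apache James DomainKeySigner/DomainKeyVerifier mailets: a Python script that canonicalizes a message with "simple" or "nofws", signs it with RSA-SHA1 into a DomainKey-Signature header, and verifies it against a stand-in DNS zone, returning the DomainKey-Status values listed above. Everything in it is constructed for illustration: the sample message, the zone dictionary (keyed by selector._domainkey.domain, the name layout RFC 4870 uses), the selector and domain names, and the demo-only RSA key, which is built from two published Mersenne primes so that the block runs offline without a crypto library and is therefore trivially factorable. The p= value in the stub record holds base64 of "n:e" rather than the DER SubjectPublicKeyInfo a real record carries, and the "non participant" and "internal error" statuses are not modelled.

```python
import base64, hashlib, re

# Demo-only RSA key from two published Mersenne primes so this runs offline: anyone can
# factor it, so it shows the mechanics, not the security. Real keys come from openssl; the
# private half stays on the signing host (privateKeyFile), the public half goes into DNS.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 3447 sec. 9.2

def _emsa(data, k):  # EMSA-PKCS1-v1_5 encoding of SHA-1(data) for a k-byte modulus
    t = _SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rsa_sha1_sign(data, d=D, n=N):
    k = (n.bit_length() + 7) // 8
    return pow(_emsa(data, k), d, n).to_bytes(k, "big")

def rsa_sha1_verify(data, sig, e, n):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa(data, k)

def _split_message(msg):  # header entries (continuation lines kept joined) and body lines
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    return re.split(r"\n(?![ \t])", head), body.split("\n")

def canonicalize(msg, algo, signed_headers=None):
    """Present the message to the digest as RFC 4870 section 3.4 describes."""
    headers, body = _split_message(msg)
    names = [h.split(":", 1)[0].strip().lower() for h in headers]
    if signed_headers is None:  # everything below DomainKey-Signature; lines above it are unsigned
        chosen = headers[names.index("domainkey-signature") + 1 if "domainkey-signature" in names else 0:]
    else:                       # the h= list, in list order, matched case-insensitively
        chosen = [h for want in signed_headers for h, n in zip(headers, names) if n == want.lower()]
    if algo == "nofws":     # unwrap continuations and drop every folding-whitespace character
        lines = [re.sub(r"[ \t\r\n]", "", line) for line in chosen + [""] + body]
    elif algo == "simple":  # lines exactly as they stand in the message
        lines = [line for h in chosen for line in h.split("\n")] + [""] + body
    else:
        raise ValueError(f"unknown canonicalization {algo!r}")
    while lines and lines[-1] == "":  # trailing empty lines are ignored
        lines.pop()
    return "".join(line + "\r\n" for line in lines).encode()

def sign(msg, domain, selector, algo="nofws", signed_headers=None, d=D, n=N):
    """Prepend a DomainKey-Signature header carrying the RFC 4870 tags."""
    sig = rsa_sha1_sign(canonicalize(msg, algo, signed_headers), d, n)
    tags = ["a=rsa-sha1", "q=dns", f"c={algo}", f"s={selector}", f"d={domain}"]
    if signed_headers:
        tags.append("h=" + ":".join(signed_headers))
    tags.append("b=" + base64.b64encode(sig).decode())
    return "DomainKey-Signature: " + "; ".join(tags) + "\n" + msg

def public_key_record(e=E, n=N):
    """TXT value for selector._domainkey.domain; a real p= is base64 DER SubjectPublicKeyInfo,
    this stub base64-encodes "n:e" instead."""
    return "k=rsa; p=" + base64.b64encode(f"{n}:{e}".encode()).decode()

def verify(msg, dns):
    """DomainKey-Status a verifier would add; `dns` stands in for TXT lookups (name -> text).
    'non participant' (policy record) and 'internal error' (lookup failure) are not modelled."""
    headers, _ = _split_message(msg)
    sig_hdr = next((h for h in headers if h.lower().startswith("domainkey-signature:")), None)
    if sig_hdr is None:
        return "no signature"
    tags = {k.strip(): re.sub(r"\s", "", v)
            for k, _, v in (p.partition("=") for p in sig_hdr.split(":", 1)[1].split(";"))}
    if tags.get("a") != "rsa-sha1" or not all(t in tags for t in ("s", "d", "b")):
        return "bad format"
    record = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return "no key"
    rtags = dict(p.strip().partition("=")[::2] for p in record.split(";"))
    if not rtags.get("p"):  # an empty p= means the key was revoked
        return "revoked"
    try:
        n_str, e_str = base64.b64decode(rtags["p"]).decode().split(":")
        sig, e, n = base64.b64decode(tags["b"]), int(e_str), int(n_str)
        data = canonicalize(msg, tags.get("c", "simple"), tags["h"].split(":") if "h" in tags else None)
    except ValueError:
        return "bad format"
    return "good" if rsa_sha1_verify(data, sig, e, n) else "bad"

# Constructed sample message and stand-in DNS zone (not real records).
MESSAGE = "From: jerry@example.com\nTo: list@example.org\nSubject: DomainKeys test\n\nHello from a signed message.\n"
DNS = {"mail2008._domainkey.example.com": public_key_record(), "old._domainkey.example.com": "k=rsa; p="}

def demo():
    """Status per scenario; relays re-wrapping header whitespace is why nofws is the safer default."""
    signed = sign(MESSAGE, "example.com", "mail2008")
    return {"intact": verify(signed, DNS),
            "relayed": verify("Received: from relay.example.net\n" + signed, DNS),
            "rewrapped nofws": verify(signed.replace("Subject: ", "Subject:   "), DNS),
            "rewrapped simple": verify(sign(MESSAGE, "example.com", "mail2008", "simple")
                                       .replace("Subject: ", "Subject:   "), DNS),
            "body tampered": verify(signed.replace("Hello", "Hullo"), DNS),
            "no signature": verify(MESSAGE, DNS),
            "no key": verify(sign(MESSAGE, "example.com", "missing"), DNS),
            "revoked": verify(sign(MESSAGE, "example.com", "old"), DNS)}
```

demo() returns one status per scenario. The two "rewrapped" cases show the difference that matters operationally: a relay that re-wraps header whitespace leaves a nofws signature "good" and turns a simple one "bad", which is the reason to pick nofws when unsure. The "relayed" case shows that Received lines prepended above the DomainKey-Signature header fall outside the signed region, and passing signed_headers (the h= tag, the mailet's signableHeaders) limits the signed region to the listed headers, so a later change to an unlisted header such as To still verifies.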



On Fri, Oct 3, 2008 at 10:35 AM, Jerry M <[EMAIL PROTECTED]> wrote:
> Tom,
>
> Thanks for the pointer to the source.  Is there any documentation (i.e.
> cookbook) on how to install and use this other than the info in this current
> thread on the forum?  I understand the basic concept.  But your sample
> config.xml entry in the post a couple of days ago was very generic, and I
> still can't find the precise syntax for including the other mailet in
> config.xml.
>
> A few questions... you list some syntax of
>
> <signableHeaders>comma,separated,list,of,headers,that,should,be,signed</signableHeaders>
>
> I'm completely new to this.  How do I KNOW what headers need to be signed?
>  What is the default?  Why would I have the choice of randomly selecting
> headers for signing?
>
> Also, you show:
> <domain>my.domain.here.com</domain>
>
> I host over 50 independent domains on my server.  Do I need a mailet entry
> in config.xml for EVERY domain name that I want to use this for?
>
> What I would really like is an example of a working config file entry as
> well as the syntax.
>
> I appreciate the work you have done for implementing this.  And I'm sure
> there are many people who understand domainKeys that would have no problem
> picking up your code and running with it, given their previous knowledge.
>  But there are those of us out here who can barely spell 'domainKey', but
> need desperately to get this implemented.  Any basic step by step examples
> would be greatly appreciated.
>
> Thanks.
>
> Jerry
>
>>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
