Re: Rejected messages from the mailing list

From: Alessandro Vesely <>
Date: Mon, 02 Aug 2010 21:13:18 +0200

On 02/Aug/10 17:07, SM wrote:
> At 05:37 02-08-10, Alessandro Vesely wrote:
>> BTW, source now says "554 DKIM signature required by ADSP" --not
>> released yet.
> A 550 code would be better as it is a policy decision. But it isn't
> for me to decide on that.

554 is in Murray's draft...

>> It breaks most of the times, though. (About 3:1 in my current folder)
> It should not break for this mailing list except for one known case.

I've found that Courier-MTA rewrites messages more often than it's
strictly required, and posted a possible solution*. I'll let the list
know if that will sort an effect.


When rewriting, the odds that quotes around tokens in Content-Type may
be altered is 50%. Wouldn't it be more robust to avoid signing that
field, given current canonicalization capabilities?

>> Zdkimfilter has whitelisting options, and orders signatures
>> according to their domain being author, whitelisted, sender, helo,
>> using dkim_set_final. Then, the library delivers the first verified
>> signature. However, I had forgotten to whitelist :-/
> The quick fix is to whitelist


> I suggest returning all the verified signatures if you want to
> catch cases like this one.

That might be a good hint in general. When I saw that the library
returns just one signature, with various options for pre-sorting them,
I thought that checking all signatures had been limited in order to
avoid some kind of DoS attack, e.g. messages with inordinate amounts
of signatures --just guessing. Is that the reason the library has
been designed that way?
Received on Mon Aug 02 2010 - 19:13:28 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:48 PST