Re: OpenDKIM 2.3.0 Release = stable!

From: Steve Jenkins <>
Date: Wed, 2 Mar 2011 17:36:53 -0800

On Wed, Mar 2, 2011 at 4:15 PM, Murray S. Kucherawy <> wrote:
>> How about some integration with Amavis-new? That seems to be an
>> extremely popular "front-end" for mail processors, and I know they're
>> tinkering with DKIM stuff in there, although I didn't really look that
>> hard at exactly what it was doing DKIM-wise when I set it up.
> Did you have something specific in mind?

Hmm... I really didn't. Now I'll have to think about it. :) All I know
about Amavis-new is that it interacts with ClamAV and SpamAssassin to
"decide" what to do about incoming messages depending on what
SpamAssassin and ClamAV "think" about the message: 1) do nothing, 2)
tag it, 3) block it.

> Off the top of my head, and not knowing much about amavisd-new, I suspect the only integration would be to try to do correlation between signing domains and virus traffic, just like I'm using the OpenDKIM stats extensions locally to try to correlate signing domains with spam.  Apart from that they're two filters that analyze a message and report a verdict of sorts.
> But wouldn't amavisd-new reject messages it finds to be suspect or infected?  If that's the case, OpenDKIM wouldn't see them anyway.  The only real interaction they'll have is if amavisd-new runs first and adds a header field to suspect messages without rejecting them.

Not necessarily - it's VERY configurable. And, Amavis-new isn't
actually doing any of the "thinking" (as far as I know). If ClamAV
thinks it's a virus, then it tells Amavis-new "hey, this is a virus!"
and then Amavis-new is the policy enforcer of what to do about it.
Same thing with SpamAssassin. If SA says "this is SPAM!" then it's up
to Amavis-new to decide what to do about it. My Amavis-new is set up
to to add [SPAM] to the subject of things that are
slightly-to-moderatly spammy (SA score 4-10), and reject anything that
is crazy spammy (10.01+).

Maybe you could figure out how to let Amavis-new interact with
OpenDKIM (or even contact the lead developer to express interest in
having them play nice) so that OpenDKIM says to Amavis-new "Yep! It's
signed and valid! " or "Nope it's signed but not valid!" and/or a few
other variations of DKIM +/or ADSP results, and then Amavis-new
enforces the policy based on what OpenDKIM tells it. I know that SA
checks to see if a mail is DKIM signed (it actually adds +0.01 if it
is) and then checks to see if that DKIM-sig is valid (it deletes 0.01
if it is), but perhaps OpenDKIM could pass more info to Amavis-new
(again, based on DKIM and/or ADSP).

I'm just seeing a LOT of adoption of Amavis-new among *nix mail
admins, and it's now common to see Amavis-new, ClamAV, and SA
considered the baseline package to processing incoming email. It would
be cool to see OpenDKIM be a part of that, too. :)

>> When I first set up OpenDKIM, I was initially more interested in
>> making sure my outgoing mail got signed, but since that's happening so
>> reliably now that there's nothing for me to tinker with there, I'd
>> like to turn my attention toward verification, scoring (perhaps with
>> Amavis-new), and even possible rejection of incoming mail based on the
>> sending domain's DKIM policies (or lack thereof).
> What policy items do you find interesting for filtering?

Well, it's still way too early to straight up reject messages if
they're not DKIM signed, but I would like to be able to reject a mail
if the ADSP policy says mail from a domain SHOULD always have a valid
sig and it doesn't. I'm pretty sure there's already a way to do that
with /etc/opendkim.conf... I've just only cared about signing my own
mail until recently. :)

Received on Thu Mar 03 2011 - 01:37:06 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:16 PST