Re: OpenDKIM v2.7.0 released

From: Murray S. Kucherawy <>
Date: Sat, 27 Oct 2012 09:27:26 -0700 (PDT)

On Fri, 26 Oct 2012, Quanah Gibson-Mount wrote:
> What about this part of the CVE (<>)?
> Does OpenDKIM already correctly not verify testing mode messages? I'm going
> to guess yes, but I didn't see that explicitly stated in the docs.

The library returns a "pass" for such signatures (if they pass, of course;
full evaluation is done) but the caller can also determine if the "test"
flag was set for the key.

The filter relays the pass/fail/etc. result as-is, with the following

(a) a "fail" on a key in test is upgraded to "neutral", as if the message
was not signed
(b) a "testing" comment is added to the Authentication-Results field to
indicate that the key is in test regardless of the result
(c) if the reputation system is enabled, the reputation of the domain for
a passing signature with "test" mode enabled will not be queried; that is,
if the message bears a single passing signature referencing a test key, it
will be treated the same way as if it were unsigned with respect to

The premise of OpenDKIM's design is that the only interesting case is
"pass", as that is the only condition in which you have actually learned
something about the sender. The main point, then, is that only a passing
non-test signature will grant the message the benefit of any positive
reputation the signing domain has earned.

> Further, the documentation about:
> On-BadSignature (string)
> Selects the action to be taken when a signature fails to validate. Possible
> values (with abbreviated forms in parentheses): accept (a) accept the
> message; discard (d) discard the message; quarantine (q) quarantine the
> message; reject (r) reject the message; tempfail (t) temp-fail the message.
> The default is accept. Note that the "t" (testing) flag in a DKIM key does
> not alter this behaviour; even keys marked as test keys whose signatures fail
> will still be subjected to the selected action.
> seems to imply that perhaps OpenDKIM treats testing keys normally?

That documentation seems to be old. I'm glad you pointed it out. A check
of the source code (end of mlfi_eom() in particular) shows that a failed
test key will not be rejected regardless of how On-BadSignature is set.
I'll update it now.

Received on Sat Oct 27 2012 - 16:27:43 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:44 PST