Re: Signing problems with OpenDKIM on Ubuntu

From: Scott Kitterman <>
Date: Wed, 24 Apr 2013 14:13:28 -0400

On Wednesday, April 24, 2013 11:03:02 AM Murray S. Kucherawy wrote:
> On Wed, 24 Apr 2013, Scott Kitterman wrote:
> >> Yes indeed. This is fixed for 2.8.3, which I'll push out later this
> >> week (it was in the hopper already for some lesser things). I
> >> currently have the default action set to temp-fail when this happens;
> >> should it be "accept" (pass the message anyway)? Something is logged
> >> in either case.
> >
> > Since many verifiers won't accept keys << 1024 bits, I think it would be
> > a mistake to allow signing messages by default. It ought to fail hard
> > and permanently with (maybe) an option to disable the check.
> >
> > Why temp-fail? There's nothing temporary about it.
> It would be easy to replace a faulty key without loss of mail, only delay.
> The messages would then be signed and sent on the next queue run.

Yes, but the message would sit in the queue waiting to be sent and unless
someone notices while they are reviewing mail logs, the user thinks the mail
went out up until it bounces from the queue at whatever the queue life limit

I think it's better to hard reject it. Then the sender complains to their
mail admin, who then looks into it and fixes it. That leaves everyone clearer
about the state of things all along.

Scott K
Received on Wed Apr 24 2013 - 18:13:41 PST

This archive was generated by hypermail 2.3.0 : Wed Apr 24 2013 - 18:18:01 PST