You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Per Jessen <pe...@computer.org> on 2009/09/08 10:04:21 UTC

whitelist_from_dkim

SA list,

I still don't seem to be getting more friendly with
whitelist_from_dkim - 

could someone please try feeding this email through your SA setup:

http://jessen.ch/files/community36.eml

with this enabled:

whitelist_from_dkim *@community36.net

The actual author is 'keine-antwort@community36.net'; I have run it
through SA with debug on and I see it being added to whitelist entries.
Still when it is checked by DIM, it reports "author
keine-antwort@community36.net, not in any dkim whitelist".


/Per Jessen, Zürich

Re: whitelist_from_dkim

Posted by "McDonald, Dan" <Da...@austinenergy.com>.

On Tue, 2009-09-08 at 18:24 +0100, Martin Gregorie wrote:
> On Tue, 2009-09-08 at 18:54 +0200, Benny Pedersen wrote:
> > On Tue 08 Sep 2009 06:25:49 PM CEST, Mark Martinec wrote
> > 
> > > Sure, if you want it to be be whitelisted.
> > 
> > tidy give me 95 warns on the html part :)
> > 
> That's normal. The HTML generated by word processors, etc is seldom
> clean but everything I've seen MS Office generate has been abominable:
> just a steaming heap of fetid dingo's kidneys.

Now wait just a second.  It would have to improve, greatly, to be a
steaming heap of fetid dingo kidneys.  Maybe rancid squirrel pancreases,
but in no way would it reach the level of dingo kidneys....



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com

Re: whitelist_from_dkim

Posted by Martin Gregorie <ma...@gregorie.org>.

On Tue, 2009-09-08 at 18:54 +0200, Benny Pedersen wrote:
> On Tue 08 Sep 2009 06:25:49 PM CEST, Mark Martinec wrote
> 
> > Sure, if you want it to be be whitelisted.
> 
> tidy give me 95 warns on the html part :)
> 
That's normal. The HTML generated by word processors, etc is seldom
clean but everything I've seen MS Office generate has been abominable:
just a steaming heap of fetid dingo's kidneys.


Martin

Re: whitelist_from_dkim

Posted by Benny Pedersen <me...@junc.org>.

On Tue 08 Sep 2009 06:25:49 PM CEST, Mark Martinec wrote

> Sure, if you want it to be be whitelisted.

tidy give me 95 warns on the html part :)

> In absence of the second parameter, whitelist_from_dkim
> whitelists only on author signatures.

this makes it simple to dump address books from horde into  
whitelist_from_dkim, telling users to add senders there if thay want  
to whitelist senders, the signing identity makes it work only for some  
senders :/

[snip]

worse is when dkim and spf is not same domain, but this can be tested  
in sa with a meta so if whitelist_from_auth is used only one score  
will be added, whitelist_from_auth works both on spf and dkim, but  
problem comes when both is pass then sender would be giving ham scores  
from both

looking forward to see sa 3.3.x on gentoo

-- 
xpoint

Re: whitelist_from_dkim

Posted by Mark Martinec <Ma...@ijs.si>.

Benny,

> > Still when it is checked by DIM, it reports "author
> > keine-antwort@community36.net, not in any dkim whitelist".
> 
> correct it happends here aswell
> 
> [22718] dbg: dkim: VALID third-party signature
>   by id keine-antwort=3Dcommunity36.net@mcsv129.net,
>   author keine-antwort@community36.net,
>   no valid matches

> [22718] dbg: dkim: author keine-antwort@community36.net,
>   not in any dkim whitelist

> third party domain need to be whitelisted ? (Mail-DKIM 0.31, sa 3.2.5)

Sure, if you want it to be be whitelisted.

In absence of the second parameter, whitelist_from_dkim
whitelists only on author signatures.


$ man Mail::SpamAssassin::Plugin::DKIM

       whitelist_from_dkim author@example.com [signing-identity]
[...]
           If no signing identity parameter is specified, the only acceptable
           signature will be a first-party signature, i.e. the so called
           author signature, which is a signature where the signing identity
           of a signature matches the author address (i.e. the address in a
           From header field).


Mark

Re: whitelist_from_dkim

Posted by Benny Pedersen <me...@junc.org>.

On Tue 08 Sep 2009 10:04:21 AM CEST, Per Jessen wrote
> Still when it is checked by DIM, it reports "author
> keine-antwort@community36.net, not in any dkim whitelist".

correct it happends here aswell

[22718] dbg: dkim: performing public key lookup and signature verification
[22718] dbg: dkim: signing identity:  
keine-antwort=3Dcommunity36.net@mcsv129.net, d=mcsv129.net,  
a=rsa-sha1, c=relaxed/relaxed
[22718] dbg: dkim: signing identity:  
keine-antwort=community36.net@mcsv129.net, d=mcsv129.net, a=rsa-sha1,  
c=nofws
[22718] dbg: dkim: signature verification result: PASS
[22718] dbg: dkim: VALID third-party signature by id  
keine-antwort=3Dcommunity36.net@mcsv129.net, author  
keine-antwort@community36.net, no valid matches
[22718] dbg: dkim: VALID third-party signature by id  
keine-antwort=community36.net@mcsv129.net, author  
keine-antwort@community36.net, no valid matches
[22718] dbg: dkim: author keine-antwort@community36.net, not in any  
dkim whitelist
[22718] dbg: dkim: policy: performing lookup
[22718] dbg: dkim: policy result neutral: o=~
[22718] info: async: ignoring response, mismatched id  
62389/*.4e4546b0aaca3c9ec9cfbca060ff135c.al.dkim-reputation.org/TXT/IN,  
expected  
12688/*.4e4546b0aaca3c9ec9cfbca060ff135c.al.dkim-reputation.org/TXT/IN
[22718] info: dkimrep: id=community36.net$keine-antwort,  
mcsv129.net$community36.net, mcsv129.net rep=undef info=none

third party domain need to be whitelisted ?

Mail-DKIM 0.31
sa 3.2.5

-- 
xpoint

Re: whitelist_from_dkim

Posted by Per Jessen <pe...@computer.org>.

Mark Martinec wrote:

> Per,
> 
> Without the second argument to whitelist_from_dkim, it checks for
> author signatures, as documented. In your case the mail carries a
> signature by domain mcsv129.net, so you have a third-party signature
> there.
> 
> If you want to whitelist an author by some third party signature, you
> need to tell in the second argument which signing domain is
> acceptable.
> 
> whitelist_from_dkim  *@community36.net mcsv129.net
> 
>   Mark

Aha.  Thanks Marc!  Much appreciated. 


/Per Jessen, Zürich

Re: whitelist_from_dkim [solved]

Posted by Per Jessen <pe...@computer.org>.

Mark Martinec wrote:

> Per,
> 
[snip]
> whitelist_from_dkim  *@community36.net mcsv129.net
> 

Just to confirm that it works:

dkim: author keine-antwort@community36.net, WHITELISTED by
whitelist_from_dkim


/Per Jessen, Zürich

Re: whitelist_from_dkim

Posted by Mark Martinec <Ma...@ijs.si>.

Per,

> >> http://jessen.ch/files/community36.eml
> >> whitelist_from_dkim *@community36.net
> >>
> >> The actual author is 'keine-antwort@community36.net'; I have run it
> >> through SA with debug on and I see it being added to whitelist
> >> entries. Still when it is checked by DIM, it reports "author
> >> keine-antwort@community36.net, not in any dkim whitelist".
> >
> > I don't see DKIM record set for community36.net. If it's not set, it
> > can't match.
>
> Okay.  Well, SA still reports DKIM_VERIFIED, so the signature is fine,
> but maybe I'm whitelisting on the wrong thing?  I also tried this:

Without the second argument to whitelist_from_dkim, it checks for
author signatures, as documented. In your case the mail carries a signature
by domain mcsv129.net, so you have a third-party signature there.

If you want to whitelist an author by some third party signature, you
need to tell in the second argument which signing domain is acceptable.

whitelist_from_dkim  *@community36.net mcsv129.net


  Mark

Re: whitelist_from_dkim

Posted by Per Jessen <pe...@computer.org>.

Matus UHLAR - fantomas wrote:

> On 08.09.09 10:04, Per Jessen wrote:
>> I still don't seem to be getting more friendly with
>> whitelist_from_dkim -
>> 
>> could someone please try feeding this email through your SA setup:
>> 
>> http://jessen.ch/files/community36.eml
>> 
>> with this enabled:
>> 
>> whitelist_from_dkim *@community36.net
>> 
>> The actual author is 'keine-antwort@community36.net'; I have run it
>> through SA with debug on and I see it being added to whitelist
>> entries. Still when it is checked by DIM, it reports "author
>> keine-antwort@community36.net, not in any dkim whitelist".
> 
> I don't see DKIM record set for community36.net. If it's not set, it
> can't match.

Okay.  Well, SA still reports DKIM_VERIFIED, so the signature is fine,
but maybe I'm whitelisting on the wrong thing?  I also tried this:

whitelist_from_dkim *=community36.net@mcsv129.net

same result, i.e. not whitelisted.


/Per Jessen, Zürich
PS: the email is now available again, sorry about the HTTP 500 that some
people got.

Re: whitelist_from_dkim

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.

On 08.09.09 10:04, Per Jessen wrote:
> I still don't seem to be getting more friendly with
> whitelist_from_dkim - 
> 
> could someone please try feeding this email through your SA setup:
> 
> http://jessen.ch/files/community36.eml
> 
> with this enabled:
> 
> whitelist_from_dkim *@community36.net
> 
> The actual author is 'keine-antwort@community36.net'; I have run it
> through SA with debug on and I see it being added to whitelist entries.
> Still when it is checked by DIM, it reports "author
> keine-antwort@community36.net, not in any dkim whitelist".

I don't see DKIM record set for community36.net. If it's not set, it can't
match.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!