Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2007/02/14 19:31:34 UTC
[Bug 5332] New: Misc enhancements and small fixes to DKIM plugin
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5332
Summary: Misc enhancements and small fixes to DKIM plugin
Product: Spamassassin
Version: 3.1.7
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: Plugins
AssignedTo: dev@spamassassin.apache.org
ReportedBy: Mark.Martinec@ijs.si
A couple of enhancements to Plugin::DKIM (in the attached patch), prompted
by recent enhancements to the underlying module Mail::DKIM, which now also
supports DomainKeys signatures in addition to DKIM signatures, and is being
actively maintained, unlike Mail::DomainKeys.

- separate a signature verification from fetching a policy, which makes it
  possible to avoid one DNS lookup (by not fetching a policy) for each
  unverified message by setting score to 0 for all policy-related rules
  (DKIM_POLICY_SIGNALL, DKIM_POLICY_SIGNSOME, and DKIM_POLICY_TESTING).
  I also suggest that default scores for these three rules become 0.
  Currently the sender-provided policy is pretty much useless as it is
  mostly missing, or when available everybody has a testing flag turned on.
  This area of SSP is still pretty much in the clouds. Currently the
  only practical use is verifying a signature and providing a hand-crafted
  local equivalent of a policy and trust by rules and whitelist.

- let the check_dkim_testing() also take into account a testing flag
  in a public key, not just the one in a policy record (still lacks
  the final support in Mail::DKIM (missing a documented method),
  but the plugin is now ready). This is an equivalent change that
  was already made to Plugin::DomainKeys.

- skip fetching a policy (SSP) if a signature does verify, according
  to draft-allman-dkim-ssp-02:
    If the message contains a valid Originator
    Signature, no Sender Signing Practices check need be performed:
    the Verifier SHOULD NOT look up the Sender Signing Practices
    and the message SHOULD be considered non-Suspicious.
  This is an equivalent change that was already made
  to Plugin::DomainKeys.

- make some debugging messages more informative or concise;

- bug fix: protect fetching/parsing a policy record by eval { }
  to prevent a syntax error in a policy record from invalidating
  an already verified good signature;

- bug fix: if an identity tag (i=) is missing (this tag is optional),
  it should default to an '@' prepended to a domain (d=),
  according to draft-ietf-dkim-base-09; previously dkim whitelisting
  check was skipped when identity was not explicit ('i' tag missing);

- squash code in _check_dkim_whitelist() in half by factoring out
  duplicate code sections;

The patch does not introduce any incompatibilities with current use
or rules, nor does it depend on a particular version of Mail::DKIM.
It is just that DomainKeys checking is unavailable if the underlying
version of Mail::DKIM does not provide it.

Perhaps in the next major release of SA the use of Plugin::DomainKeys
should be discouraged in the docs, pointing out that Plugin::DKIM can
now cover for both.
Mark
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
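Added example (not part of the original message, and not code from Plugin::DKIM or Mail::DKIM): a self-contained Perl sketch of three behaviours the report describes, namely the i= default of '@' plus d=, skipping the policy lookup once a signature verifies, and wrapping policy parsing in eval { }. The sub names, the sample headers, the malformed policy string and the domain-keyed whitelist (a simplified stand-in for whitelist_from_dkim matching) are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not code from Plugin::DKIM or Mail::DKIM.
# Sub names, the whitelist and the sample headers are constructed.
use strict;
use warnings;

# Split a "tag=value; tag=value" list (DKIM-Signature style) into a hash.
sub parse_tags {
    my ($text) = @_;
    my %tag;
    for my $pair (split /;/, $text) {
        next if $pair !~ /\S/;
        $pair =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/s
            or die "malformed tag list: '$pair'\n";
        $tag{$1} = $2;
    }
    return \%tag;
}

# i= is optional; when missing it defaults to '@' prepended to d=.
sub signing_identity {
    my ($tag) = @_;
    return defined $tag->{i} ? $tag->{i} : '@' . $tag->{d};
}

# Verification result and policy lookup are kept separate.
sub evaluate {
    my ($sig_header, $verified, $fetch_policy, $whitelist) = @_;
    my $identity = signing_identity(parse_tags($sig_header));
    my ($domain) = $identity =~ /\@([^\@]*)$/;
    my %r = (verified    => $verified,
             identity    => $identity,
             # Simplified stand-in for whitelist_from_dkim matching.
             whitelisted => ($verified && $whitelist->{lc($domain)}) ? 1 : 0);
    return \%r if $verified;    # valid signature: no policy DNS lookup
    # A broken policy record must not abort processing of the message.
    $r{policy} = eval { parse_tags($fetch_policy->()) };
    $r{policy_error} = $@ if !defined $r{policy};
    return \%r;
}

my $lookups = 0;
my $bad_policy = sub { $lookups++; return 'o=~; t' };   # constructed, malformed
my %wl = ('example.com' => 1);

my $good = evaluate('v=1; d=example.com; s=sel', 1, $bad_policy, \%wl);
print "$good->{identity} whitelisted=$good->{whitelisted} lookups=$lookups\n";

my $bad = evaluate('v=1; d=example.net; s=sel', 0, $bad_policy, \%wl);
print "verified=$bad->{verified} lookups=$lookups error=$bad->{policy_error}";
```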
[Bug 5332] Misc enhancements and small fixes to DKIM plugin
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5332
jm@jmason.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
------- Additional Comments From jm@jmason.org 2007-03-06 12:56 -------
thanks Mark -- applied!
for now, DKIM_POLICY_SIGNSOME, SIGNALL and TESTING are scored at 0.001, just so
that their results still appear in mass-check, spamd, and X-Spam-Results logs.
[Bug 5332] Misc enhancements and small fixes to DKIM plugin
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5332
------- Additional Comments From Mark.Martinec@ijs.si 2007-02-14 10:34 -------
Created an attachment (id=3865)
--> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3865&action=view)
the promised patch
[Bug 5332] Misc enhancements and small fixes to DKIM plugin
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5332
Mark.Martinec@ijs.si changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #3865 is|0                           |1
           obsolete|                            |
------- Additional Comments From Mark.Martinec@ijs.si 2007-03-06 12:46 -------
Created an attachment (id=3876)
--> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3876&action=view)
Remake of the patch for v320
Remake of my previous patch, this time for SA v320.
Also fixes a whitelist_from_dk -> whitelist_from_dkim
copy/paste bug. And removes redundant calls to warn,
the dbg calls suffice.
Mark