Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2007/07/19 21:57:08 UTC

DKIM vs DomainKeys plugins

SA 3.2.1 INSTALL seems to indicate that if I use Mail-DKIM .20 or 
better, I don't need Mail-DomainKeys.

Because of this, I removed the Mail-DomainKeys dependency from the 
FreeBSD SA port (I am the official maintainer).

I have seen a couple of issues that indicate that maybe, Mail-DKIM  
isn't doing everything that Mail-DomainKeys should be:

Issue #1:

With a valid DomainKeys signature, I would have triggered these rules:

DomainKey-Signature: s=smtpout; d=dell.com; c=nofws; q=dns; b=F8HNbhd0584EduhfgHEXuE+EIUiaTS7NgLfQTpwRK6QGlULcYJ9tVOzZtMKQdlHks+PaJLwqa2wj14lfLyTcXPXAHPZKvq4vqxEZa3FvS1Flf8hjev2wPWAhUIP7Pgas;

X-IronPort-AV: E=Sophos;i="4.16,558,1175490000"; 

X-Spam-Status: No, score=-3.381 tagged_above=-999 required=5 
tests=[AWL=2.216,

	BAYES_00=-2.599, DK_POLICY_SIGNSOME=0, DK_SIGNED=0.001, DK_VERIFIED= -0.001
	HTML_MESSAGE=0.001, NO_REAL_NAME=1, RCVD_IN_DNSWL_MED=-4,
	SPF_PASS=-0.001]


but, with DKIM and no DomainKeys plugins, I get this: (note the missing 
DKIM_VERIFIED).
I would almost expect that a test for DKIM_SIGNED && !DKIM_VERIFIED 
might be used to doublecheck for forged domainkeys.

X-Spam-Status: No, score=-3.382 tagged_above=-999 required=5 tests=[AWL=2.216,
	BAYES_00=-2.599, DKIM_POLICY_SIGNSOME=0, DKIM_SIGNED=0.001,
	HTML_MESSAGE=0.001, NO_REAL_NAME=1, RCVD_IN_DNSWL_MED=-4,
	SPF_PASS=-0.001]


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________
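Added example, not part of the original post and not SpamAssassin code: a Python check that parses the two X-Spam-Status headers quoted above and reports which signature family (DK or DKIM) hit its *_SIGNED rule without the matching *_VERIFIED rule, the condition the post suggests testing for. The function names are made up for this example; the header text is copied from the post and unfolded onto one line, including the missing comma after DK_VERIFIED.

```python
import re

# Sample input: the two X-Spam-Status values from the post, unfolded.
WITH_DOMAINKEYS = (
    "No, score=-3.381 tagged_above=-999 required=5 tests=[AWL=2.216, "
    "BAYES_00=-2.599, DK_POLICY_SIGNSOME=0, DK_SIGNED=0.001, DK_VERIFIED= -0.001 "
    "HTML_MESSAGE=0.001, NO_REAL_NAME=1, RCVD_IN_DNSWL_MED=-4, SPF_PASS=-0.001]"
)
DKIM_ONLY = (
    "No, score=-3.382 tagged_above=-999 required=5 tests=[AWL=2.216, "
    "BAYES_00=-2.599, DKIM_POLICY_SIGNSOME=0, DKIM_SIGNED=0.001, "
    "HTML_MESSAGE=0.001, NO_REAL_NAME=1, RCVD_IN_DNSWL_MED=-4, SPF_PASS=-0.001]"
)

# NAME=score pairs; tolerant of stray whitespace around "=" and of a missing
# comma between entries, both of which occur in the first header.
TEST_RE = re.compile(r"([A-Z][A-Z0-9_]*)\s*=\s*(-?\d+(?:\.\d+)?)")


def parse_tests(status):
    """Return {rule_name: score} from the tests=[...] part of X-Spam-Status."""
    unfolded = " ".join(status.split())  # undo header folding
    m = re.search(r"tests=\[(.*?)\]", unfolded)
    if not m:
        return {}
    return {name: float(score) for name, score in TEST_RE.findall(m.group(1))}


def signed_but_unverified(tests):
    """Signature families whose *_SIGNED rule hit while *_VERIFIED did not."""
    return [
        fam for fam in ("DK", "DKIM")
        if f"{fam}_SIGNED" in tests and f"{fam}_VERIFIED" not in tests
    ]


if __name__ == "__main__":
    for label, status in (("DomainKeys plugin", WITH_DOMAINKEYS),
                          ("DKIM plugin only", DKIM_ONLY)):
        hits = parse_tests(status)
        print(label, "->", signed_but_unverified(hits) or "signed and verified")
```

A hit here only says that no *_VERIFIED rule fired; the cause (failed verification, a signature type the loaded plugin does not check, a DNS error) has to come from the `spamassassin -D` debug output.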

Re: DKIM vs DomainKeys plugins

Posted by Matt Kettler <mk...@verizon.net>.
Michael Scheidell wrote:
> SA 3.2.1 INSTALL seems to indicate that if I use Mail-DKIM .20 or
> better, I don't need Mail-DomainKeys.
>
> Because of this, I removed the Mail-DomainKeys dependency from the
> FreeBSD SA port (I am the official maintainer).
>
> I have seen a couple of issues that indicate that maybe, Mail-DKIM 
> isn't doing everything that Mail-DomainKeys should be:
>
> Issue #1:
>
> With a valid DomainKeys signature, I would have triggered these rules:
>
> DomainKey-Signature: s=smtpout; d=dell.com; c=nofws; q=dns;
> b=F8HNbhd0584EduhfgHEXuE+EIUiaTS7NgLfQTpwRK6QGlULcYJ9tVOzZtMKQdlHks+PaJLwqa2wj14lfLyTcXPXAHPZKvq4vqxEZa3FvS1Flf8hjev2wPWAhUIP7Pgas;
>
>
> X-IronPort-AV: E=Sophos;i="4.16,558,1175490000";
> X-Spam-Status: No, score=-3.381 tagged_above=-999 required=5
> tests=[AWL=2.216,
>
>     BAYES_00=-2.599, DK_POLICY_SIGNSOME=0, DK_SIGNED=0.001,
> DK_VERIFIED= -0.001
>     HTML_MESSAGE=0.001, NO_REAL_NAME=1, RCVD_IN_DNSWL_MED=-4,
>     SPF_PASS=-0.001]
>
>
> but, with DKIM and no DomainKeys plugins, I get this: (note the
> missing DKIM_VERIFIED).
> I would almost expect that a test for DKIM_SIGNED && !DKIM_VERIFIED
> might be used to doublecheck for forged domainkeys.

Interesting, have you tried running that message through spamassassin -D
and checked the debug output generated by the DKIM plugin?

In particular, the output of these debugs by dkim might be able to point
us in the right direction:

    dbg("dkim: signature identity: ".$scan->{dkim_identity});
    dbg("dkim: signature verification result: $detail");
    dbg("dkim: invalid DKIM-Signature: $detail");

Re: DKIM vs DomainKeys plugins

Posted by Matt Kettler <mk...@verizon.net>.
Michael Scheidell wrote:
> Matt Kettler wrote:
>>
>> Michael Scheidell wrote:
>> > SA 3.2.1 INSTALL seems to indicate that if I use Mail-DKIM .20 or
>> > better, I don't need Mail-DomainKeys.
>> >
>>
>
> I loaded Mail-DomainKeys perl libraries and will be doing some testing
> to see if I can see what and why, and will post it later.
> (have updated FreeBSD port (3.2.1_1) to require both perl libraries
> for now till I find out what happened.)
>
> either case, lots of rules behind 'ifplugin.*DomainKeys' aren't even
> loaded, since, well, DomainKeys plugin was disabled in *.pre.
> (and had to be if the libraries weren't available)
Yeah, they shouldn't be.. they won't work.

However, AFAIK, the DKIM versions of the rules should fire in the place
of the DK_* rules.

Re: DKIM vs DomainKeys plugins

Posted by Michael Scheidell <sc...@secnap.net>.
Matt Kettler wrote:
>
> Michael Scheidell wrote:
> > SA 3.2.1 INSTALL seems to indicate that if I use Mail-DKIM .20 or
> > better, I don't need Mail-DomainKeys.
> >
>

I loaded Mail-DomainKeys perl libraries and will be doing some testing 
to see if I can see what and why, and will post it later.
(have updated FreeBSD port (3.2.1_1) to require both perl libraries for 
now till I find out what happened.)

either case, lots of rules behind 'ifplugin.*DomainKeys' aren't even 
loaded, since, well, DomainKeys plugin was disabled in *.pre.
(and had to be if the libraries weren't available)

