
--On 12 September 2005 08:11:22 -0600 Joe Peterson <joe@skyrush.com> wrote:
Ian Eiloart wrote:
No, the MTA should check the keys. That is, if you ever want to reject mail on the basis of them. Mailman can't reject mail without generating collateral SPAM. What would be nice would be a way that Mailman *could* refuse to accept mail from the MTA.
Yes, the MTA does check the keys when receiving mail. It then puts additional header lines in that tell the result of the check, so Mailman, if it wanted to do a spam check, could check those. But right, Mailman would not want to check the keys directly.
You could also configure your MTA to remove the keys. I presume it will want to do that when forwarding mail for any reason.
Well, with regular (not mail list) forwarding, the keys just get passed through anyway, and this works for DomainKeys (unlike SPF).
For mail list resending (like Mailman does), the keys become invalid due to changes in the header/body, and the milter used by the MTA does not add new keys if it sees keys already there (it thinks the keys can be used to validate the message). Since only Mailman knows it did the mods, it needs to remove the old keys; the message is now really a "new message" to be redistributed. The milter/MTA will then add new keys before it's sent.
-Joe
Ah, so you're thinking of Sendmail, or something similar. I'm thinking of Exim, which can easily remove the specific headers for an email that it's delivering to Mailman. So, Exim doesn't know that Mailman is going to change the headers, but it can be told!
-- Ian Eiloart Servers Team Sussex University ITS
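
The resend step discussed in this thread, as an added Python sketch (not code from Mailman, Exim, or either poster): the list software reads the verdict the receiving MTA recorded, modifies the message, and drops the old signature so the outbound milter signs the new message. The header names `DomainKey-Signature` and `DomainKey-Status` come from the DomainKeys specification rather than from the thread; the function name and the sample message are constructed.

```python
from email import message_from_bytes, policy

# Assumed header names (DomainKeys spec); the thread only says "keys"
# and "additional header lines".
SIGNATURE_HEADER = "DomainKey-Signature"
VERDICT_HEADER = "DomainKey-Status"


def redistribute(raw: bytes, list_tag: str):
    """Return (verdict, signatures_removed, outbound_bytes) for a list post.

    verdict is what the receiving MTA recorded before any modification
    (None if it recorded nothing), so the caller can use it for a spam
    decision without verifying keys itself.
    """
    msg = message_from_bytes(raw, policy=policy.SMTP)

    # 1. Read the MTA's result first: it describes the message as received.
    verdict = (msg.get(VERDICT_HEADER) or "").strip() or None

    # 2. The list modification that invalidates the original signature.
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = f"{list_tag} {subject}".strip()

    # 3. Remove every old signature header. If one were left in place, a
    #    milter that skips already-signed mail would send the message out
    #    carrying a signature that can no longer verify.
    removed = len(msg.get_all(SIGNATURE_HEADER, []))
    del msg[SIGNATURE_HEADER]  # deletes all occurrences, no error if absent

    return verdict, removed, msg.as_bytes()


# Constructed sample post; the signature value is a placeholder, not a real one.
SAMPLE = (
    b"DomainKey-Status: good\r\n"
    b"DomainKey-Signature: a=rsa-sha1; s=sel; d=example.org; c=nofws; q=dns;\r\n"
    b" b=Q09OU1RSVUNURUQ=\r\n"
    b"From: alice@example.org\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    verdict, removed, out = redistribute(SAMPLE, "[list]")
    print(verdict, removed)
    print(out.decode())
```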