[Mailman-Developers] Dealing with DomainKeys and DKIM

Joe Peterson joe at skyrush.com
Mon Sep 12 16:11:22 CEST 2005


Ian Eiloart wrote:
> No, the MTA should check the keys. That is, if you ever want to reject mail 
> on the basis of them. Mailman can't reject mail without generating 
> collateral SPAM. What would be nice would be a way that Mailman *could* 
> refuse to accept mail from the MTA.

Yes, the MTA does check the keys when receiving mail.  It then puts
additional header lines in that tell the result of the check, so
Mailman, if it wanted to do a spam check, could check those.  But right,
Mailman would not want to check the keys directly.

> You could also configure your MTA to remove the keys. I presume it will 
> want to do that when forwarding mail for any reason.

Well, with regular (not mail list) forwarding, the keys just get passed
through anyway, and this works for DomainKeys (unlike SPF).

For mail list resending (like Mailman does), the keys become invalid due
to changes in the header/body, and the milter used by the MTA does not
add new keys if it sees keys already there (it thinks the keys can be
used to validate the message).  Since only Mailman knows it did the
mods, it needs to remove the old keys; the message is now really a "new
message" to be redistributed.  The milter/MTA will then add new
keys before it's sent.

	-Joe
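
The resend step described above, as an added example that is not part of the original post and not Mailman's own code: a list-style modification changes the body hash (DKIM "relaxed" canonicalization, RFC 6376), so the old signature can no longer verify and the stale signature headers are stripped, while an unmodified pass-through keeps them. The function names, the sample message and the placeholder signature values are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
from email import message_from_string

SIGNATURE_HEADERS = ("DomainKey-Signature", "DKIM-Signature")

# Constructed sample; signature values are placeholders, not real signatures.
SAMPLE = (
    "DomainKey-Signature: a=rsa-sha1; d=example.org; s=sel; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: alice@example.org\n"
    "Subject: Hello\n"
    "\n"
    "Original body text.\n"
)

def parse_sample():
    return message_from_string(SAMPLE)

def relaxed_body_hash(body):
    """Base64 SHA-256 of the body after DKIM 'relaxed' canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()  # trailing empty lines are ignored
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode("utf-8")).digest()).decode("ascii")

def resend(msg, subject_prefix="", footer=""):
    """Apply list modifications; strip old signatures only if something changed."""
    before = (msg.get("Subject", ""), relaxed_body_hash(msg.get_payload()))
    if subject_prefix:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = subject_prefix + " " + subject
    if footer:
        msg.set_payload(msg.get_payload() + footer)
    after = (msg.get("Subject", ""), relaxed_body_hash(msg.get_payload()))
    modified = before != after
    removed = []
    if modified:
        for name in SIGNATURE_HEADERS:
            removed += [name] * len(msg.get_all(name, []))
            del msg[name]  # removes every occurrence; the milter can then sign afresh
    return {"modified": modified, "removed": removed}
```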


