[Mailman-Developers] Dealing with DomainKeys and DKIM

Ian Eiloart iane at sussex.ac.uk
Mon Sep 12 16:24:12 CEST 2005



--On 12 September 2005 08:11:22 -0600 Joe Peterson <joe at skyrush.com> wrote:

> Ian Eiloart wrote:
>> No, the MTA should check the keys. That is; if you ever want to reject
>> mail on the basis of them. Mailman can't reject mail without generating
>> collateral SPAM. What would be nice would be a way that Mailman *could*
>> refuse to accept mail from the MTA.
>
> Yes, the MTA does check the keys when receiving mail.  It then puts
> additional header lines in that tell the result of the check, so
> Mailman, if it wanted to do a spam check, could check those.  But right,
> Mailman would not want to check the keys directly.
>
>> You could also configure your MTA to remove the keys. I presume it will
>> want to do that when forwarding mail for any reason.
>
> Well, with regular (not mail list) forwarding, the keys just get passed
> through anyway, and this works for DomainKeys (unlike SPF).
>
> For mail list resending (like Mailman does), the keys become invalid due
> to changes in the header/body, and the milter used by the MTA does not
> add new keys if it sees keys already there (it thinks the keys can be
> used to validate the message).  Since only Mailman knows it did the
> mods, it needs to remove the old keys; the message is now really a "new
> message" to be redistributed.  The milter/MTA will then add new
> keys before it's sent.
>
> 	-Joe

Ah, so you're thinking of Sendmail, or something similar. I'm thinking of 
Exim, which can easily remove the specific headers for an email that it's 
delivering to Mailman. So, Exim doesn't know that Mailman is going to 
change the headers, but it can be told!




-- 
Ian Eiloart
Servers Team
Sussex University ITS
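
An added example (not part of the original thread and not Mailman's own code) of the point discussed above: a list footer changes the DKIM body hash, so the old signature headers are stripped before the MTA re-signs. The sample message, the `Authentication-Results` header as the MTA's result header, and all function names are assumptions made for illustration.

```python
import base64
import hashlib
from email import message_from_string

# Signature headers that no longer verify after the list rewrites the message.
SIGNATURE_HEADERS = ("DomainKey-Signature", "DKIM-Signature")

# Constructed sample; the signature values are placeholders, not real signatures.
SAMPLE = (
    "Authentication-Results: mx.example.org; dkim=pass header.d=example.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DomainKey-Signature: a=rsa-sha1; d=example.com; s=sel; b=PLACEHOLDER\n"
    "From: alice@example.com\n"
    "Subject: hello\n"
    "\n"
    "Message text.\n"
)

def body_hash(body):
    """SHA-256 over the DKIM 'simple' canonical body, base64 (what bh= carries)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()  # trailing empty lines are ignored by the canonicalization
    canon = "".join(line + "\r\n" for line in lines) or "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def list_rewrite(msg, footer):
    """Apply list-style changes: subject prefix and appended footer."""
    msg.replace_header("Subject", "[list] " + msg["Subject"])
    msg.set_payload(msg.get_payload() + footer)

def strip_signatures(msg):
    """Remove every stale signature header; return the names removed."""
    removed = [name for name in SIGNATURE_HEADERS if msg.get_all(name)]
    for name in removed:
        del msg[name]  # deletes all occurrences of the header
    return removed

def redistribute(raw, footer="-- \nlist footer\n"):
    """Return (message, body_hash_changed, removed_header_names)."""
    msg = message_from_string(raw)
    before = body_hash(msg.get_payload())
    list_rewrite(msg, footer)
    changed = before != body_hash(msg.get_payload())
    return msg, changed, strip_signatures(msg)
```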


