domainkeys and SPF

david20@alpha2.mdx.ac.uk · *nix forums Guru Wannabe Joined: 16 May 2005 Posts: 205

In article <4463B1DA.9010702@sonnection.nl>, "Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl> writes:

Rolf E. Sonneveld · *nix forums beginner Joined: 17 Jun 2005 Posts: 27

Hello, Hunter

I would like to extend the original question to include DKIM. Although
no official RFC yet (SPF and SenderID having experimental status) DKIM
has quite some potential.

I can't judge on how difficult a complete implementation of these is,
but I'd suggest to file RFE's for it (I do this by sending a BCc to
support at Process) and if others find support of these anti-spam
techniques important for a new version of PMDF, they add their vote to
the respective RFE numbers.

Kind regards,
/rolf

Hunter Goatley wrote:

Hunter Goatley · *nix forums Guru Wannabe Joined: 13 Jun 2005 Posts: 107

Joel M Snyder · *nix forums beginner Joined: 31 Oct 2005 Posts: 8

Signing mail with Domain Keys is easy, especially if you already have
PMDF TLS (meaning a good SSL library) in place. If you are having
trouble with that, give me a call. It's not hard.

Checking Domain Keys and SPF is also not difficult, but the hard part is
figuring out how to propagate that information UP into PMDF. That
seems to me to be the hard part---you don't want to simply refuse the
mail; that would make things useless. So you need to get the 'status'
of the DKIM/SPF check bubbled up into PMDF somewhere so that the system
manager can use that intelligently as part of their decision on how to
handle the message. It seems to me that you're going to have to
basically either overload an existing mapping (like one of the
MAIL_ACCESS or ORIG_MAIL_ACCESS) such that a callout is possible at that
stage, or add a new mapping.

Now, SPF is REALLY easy in that sense because if you do SPF classic, you
have an obvious place to do the check (in the mapping). If you do
"Sender ID" style SPF (check header instead of envelope), it's a bit
tougher because now all of a sudden the right place to do it might be in
the rewrite rules. Or a new mapping.

There are probably 3 different actions a manager might want for a
message that fails DKIM/SPF checks: reject the message (for all the
meaning of "reject" which should be at SMTP time, but could be
per-message or based on the sender), tag the message either in the
subject line or by adding a header, or redirecting the message. The
first two fit well within what PMDF supports, and that's what you might
want to focus on.

But could you guys get us to a this-century version of BIND first? That
would be really helpful, in kind of a major big huge way.

jms

Geoff Bryant wrote:

Geoff Bryant · *nix forums beginner Joined: 07 Jun 2005 Posts: 31

We are looking at how much effort these would be to implement.
Domainkey looks to be a significant effort.

info-pmdf@process.com wrote:

david20@alpha2.mdx.ac.uk · *nix forums Guru Wannabe Joined: 16 May 2005 Posts: 205

Although I'm not convinced how useful these technologies will be I am receiving
questions from some users as to whether PMDF will support Domainkeys and SPF.

What are the current plans in this area ?

David Webb
Security team leader
CCSS
Middlesex University

(Some people not using PMDF but using PMAS in proxy-mode may also need this
functionality in PMAS - however since it is really an anti-forgery rather than
anti-spam solution and not all mail is processed by PMAS it seems to me that it
better to have this supported directly in PMDF).

Google