At 4:49 PM 2/17/07, Geoff Sweet wrote:
Any ideas on where to start with all this?
It sounds vaguely familiar. When I first started playing with
domainkeys, I had some problems with inbound mail, and debugging it
was tough.
I don't remember whether I ever figured out what was wrong. My final
solution was not to use qmail-dk to verify inbound email. I still
use it (with modification) to sign outbound mail. But using it for
inbound mail is tricky, even when it works.
As you saw, when a message gets rejected, there's no explanation of
why. In your case, it may have been erroneous. But even if it had
been a "legitimate" rejection, the sender wouldn't have known why.
And what is a "legitimate" reason for rejecting? A signature that
doesn't verify is probably a good reason, but you probably won't see
many of those. A spammer isn't likely to put an invalid signature on
a message. He's more likely to either not sign it at all, or maybe
get his domain and sign his messages with signatures that do verify.
Are you going to reject any message that doesn't have a signature?
You'll lose a lot of good mail that way. How about just rejecting
any unsigned message from a domain that says it signs all messages?
Maybe a reasonable policy, but no way to do it with qmail-dk.
A DomainKeys signature can be useful as part of a larger spam control
system, where it's just part of the decision process. For example,
spamassassin has options to use domainkeys as part of its processing
(which is what I'm currently using). But I don't think it's feasible
to use domainkeys to make a yes/no decision about accepting mail,
which is about all you can do with qmail-dk.
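The policy layer the reply argues for, as an added example that is not part of the thread and not qmail-dk or SpamAssassin code: the verifier's result becomes a score rather than a hard yes/no, and unsigned mail is only penalised when the sender's DomainKeys policy record says it signs everything (the `o=-` tag of the `_domainkey` TXT record). The policy record, signature header and score weights are constructed here; a real deployment would fetch the record over DNS and tune the weights.

```python
import re

# Constructed samples: a DomainKeys policy TXT record (what a domain would
# publish at _domainkey.<domain>) and a DomainKey-Signature header value.
SAMPLE_POLICY_ALL_SIGNED = "t=y; o=-; n=All mail from this domain is signed"
SAMPLE_POLICY_SOME_SIGNED = "o=~"
SAMPLE_SIG = ("a=rsa-sha1; q=dns; c=nofws; s=mail2007; d=example.com; "
              "h=From:To:Subject; b=constructed_base64_value")


def parse_tags(record):
    """Split a DomainKeys 'tag=value; tag=value' string into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def sender_domain(from_header):
    """Domain part of the From: address (simplified parsing)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else None


def domainkeys_score(from_header, signature_header, verify_result, policy_record):
    """Return (score, reason); positive scores lean towards spam.

    verify_result is what the verifier reported: "pass", "fail", or None
    when the message carried no signature. policy_record is the From:
    domain's _domainkey TXT record, or None if it publishes none.
    Weights are assumed values, not SpamAssassin's.
    """
    domain = sender_domain(from_header)
    if signature_header:
        sig = parse_tags(signature_header)
        if sig.get("d", "").lower() != domain:
            return 0.0, "signature is for a different domain; ignored"
        if verify_result == "pass":
            return -0.5, "valid signature from the From: domain"
        return 3.0, "signature from the From: domain failed to verify"
    # Unsigned: only penalise when the domain claims to sign all mail (o=-).
    policy = parse_tags(policy_record) if policy_record else {}
    if policy.get("o") == "-":
        return 2.0, "unsigned, but domain policy says all mail is signed"
    return 0.0, "unsigned and domain does not claim to sign all mail"
```

A valid signature only earns a small credit, matching the point above that a spammer can sign his own domain's mail perfectly well; the final accept/reject decision belongs to whatever combines this score with the rest of the filter.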