
Re: Broken DomainKey Implementation

To: "Russ Nelson" <nelson@crynwr.com>
Subject: Re: Broken DomainKey Implementation
From: "Erik A. Espinoza" <erik.espinoza@gmail.com>
Date: Fri, 6 Apr 2007 12:31:51 -0700
Cc: qmail@list.cr.yp.to
Delivered-to: sp-com-lists@consult.net
Delivered-to: gmail-qmail@securepoint.com
Delivered-to: sp.com.list@gmail.com
Delivered-to: mailing list qmail@list.cr.yp.to
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=AnSimWwcwUZfN4bxZfsGPm5FgDpq0RqIgfII81PsftvXP29jjpFReWfj4zGqQbT7+Bmz+6QbP3zKRpQr0oCFCD+wma+8tz8kQddQflfAykAPGqo5gnJudxCcr1AHvA9f8epXvZinifV9eCuu0SXksiKQIaLmBUDQ/aqzCtLrqCk=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=AqJp0T2h/RQcFGUWLk+ACIiq/WJEKAcKQYe4eWYWKIt6HgIW04Ocig+7RmCVnWiQt3ZSof/rpBwutQSBvVtfwyqFLyeyXt/QpdBTJlbHZY5xmg+Ub66mWWpp6bp+6WiZO9FsmchPflei3GFUEX2bZ4ohFaZdndoO5LEma71hQx0=
Domainkey-status: good (test mode)
In-reply-to: <17941.57540.536844.183887@desk.crynwr.com>
Mailing-list: contact qmail-help@list.cr.yp.to; run by ezmlm
References: <b86db13f0704011331m4135c427vc934ced0d8b64120@mail.gmail.com> <20070401205313.GA5988@discworld.dyndns.org> <b86db13f0704011429x17f3e0b1w903861f725380af5@mail.gmail.com> <17941.57540.536844.183887@desk.crynwr.com>

Hi Russ,

> > 1) No reporting at all. Mail gets dropped without notice to the admin
>
> Nope.  If you have so configured it, email gets a qmail-queue permfail
> response.  Whatever the calling program does with that is its
> responsibility.

Nothing shows up in the log when mail is dropped. All other patches
write info into the log when mail is rejected. This makes
troubleshooting your broken code incredibly hard.

> > 2) Doesn't honor disabling. If you disable it, qmail-dk can still drop mail.
>
> What do you mean by "disabling"?  If qmail-dk is disabled, then you're
> no longer running it, so how can software which isn't running drop mail?

Disable was the wrong word. If you set qmail-dk to not permanently
reject mail (i.e. soft errors), qmail-dk can still hard reject mail.

> > 3) Doesn't honor testing flag in DNS
>
> Errr, it's supposed to.  Do you have a test case for which it fails?

Probably not a big deal

> > 4) Doesn't set "h=" flag which states what is covered by the sig
> > (causes forwards and backup mx mail to fail)
>
> Nope.  If you have software which is munging the message ... fix it.
> But forwards and backup mx mail don't cause it to fail.

Adding Received headers is not message munging. The fact that qmail-dk
doesn't set the h= flag means outgoing mail can be hard rejected by
mail servers doing the right thing.

The fact that qmail-dk doesn't honor the h= flag for incoming mail
means that qmail-dk will set DomainKey status as bad when the mail is
good (verifies via dktest).

Look Russ, I'm not here to flame you or your contributions. All I'm
saying is that this doesn't work properly for most people. The fact
that so many people jumped in as soon as I brought it up should be a
sign of that, rather than trying to defend broken code.

Thanks,
Erik
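
An added illustration of the h= point argued in this message (not code from the thread, qmail-dk or libdomainkeys): a simplified model of DomainKeys header coverage, assuming the RFC 4870 rule that without h= every header following the DomainKey-Signature line is hashed. A SHA-1 digest comparison stands in for the rsa-sha1 signature check, "nofws" is reduced to whitespace removal, and every header, address and function name is constructed.

```python
import hashlib

SIG = "DomainKey-Signature"

def nofws(name, value):
    # Simplified "nofws" canonicalization: drop all whitespace from the line.
    return "".join(f"{name}:{value}".split())

def covered(headers, h=None):
    """Headers fed to the hash: everything after the signature header,
    narrowed to the names in the h= list when one is supplied."""
    names = [n.lower() for n, _ in headers]
    tail = headers[names.index(SIG.lower()) + 1:]
    if h is not None:
        wanted = {n.lower() for n in h.split(":")}
        tail = [(n, v) for n, v in tail if n.lower() in wanted]
    return tail

def digest(headers, h=None):
    data = "\r\n".join(nofws(n, v) for n, v in covered(headers, h))
    return hashlib.sha1(data.encode()).hexdigest()

def verify(signed_msg, received_msg, signer_h, verifier_honors_h):
    """True when the verifier hashes the same header set the signer did."""
    signed = digest(signed_msg, signer_h)
    seen = digest(received_msg, signer_h if verifier_honors_h else None)
    return signed == seen

# Constructed sample message, headers in top-down order.
H_TAG = "from:to:subject:date"
sent = [
    (SIG, "a=rsa-sha1; c=nofws; d=example.org; s=sel; h=" + H_TAG),
    ("From", "alice@example.org"),
    ("To", "bob@example.net"),
    ("Subject", "hello"),
    ("Date", "Fri, 6 Apr 2007 12:00:00 -0700"),
]
# A later hop inserts a header below the signature (constructed header name).
received = sent[:2] + [("X-Forwarded-By", "relay.example.net")] + sent[2:]

if __name__ == "__main__":
    print("signer sets h=, verifier honors it :", verify(sent, received, H_TAG, True))
    print("signer sets h=, verifier ignores it:", verify(sent, received, H_TAG, False))
    print("signer omits h=                    :", verify(sent, received, None, True))
```
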
