Qmail

Re: Broken DomainKey Implementation

To: "Erik A. Espinoza" <erik.espinoza@gmail.com>
Subject: Re: Broken DomainKey Implementation
From: Russ Nelson <nelson@crynwr.com>
Date: Fri, 6 Apr 2007 22:43:21 -0400
Cc: "Russ Nelson" <nelson@crynwr.com>, qmail@list.cr.yp.to
Delivered-to: sp-com-lists@consult.net
Delivered-to: gmail-qmail@securepoint.com
Delivered-to: sp.com.list@gmail.com
Delivered-to: mailing list qmail@list.cr.yp.to
In-reply-to: <b86db13f0704061231s22747496q5e6aa9aee1283d22@mail.gmail.com>
Mailing-list: contact qmail-help@list.cr.yp.to; run by ezmlm
References: <b86db13f0704011331m4135c427vc934ced0d8b64120@mail.gmail.com> <20070401205313.GA5988@discworld.dyndns.org> <b86db13f0704011429x17f3e0b1w903861f725380af5@mail.gmail.com> <17941.57540.536844.183887@desk.crynwr.com> <b86db13f0704061231s22747496q5e6aa9aee1283d22@mail.gmail.com>
Erik A. Espinoza writes:
 > Nothing shows up in the log when mail is dropped. All other patches
 > write info into the log when mail is rejected. This makes
 > troubleshooting your broken code incredibly hard.

The code may have bugs.  Logging may be useful.  Don't confuse those
two issues.

 > >  > 2) Doesn't honor disabling. If you disable it, qmail-dk can still drop
 > >  > mail.
 > >
 > > What do you mean by "disabling"?  If qmail-dk is disabled, then you're
 > > no longer running it, so how can software which isn't running drop mail?
 > 
 > Disable was the wrong word. If you set qmail-dk to not permanently
 > reject mail (IE soft errors), qmail-dk can still hard reject mail.

If so, that's a bug.  Do you have a test case that reproduces it?

 > >  > 3) Doesn't honor testing flag in DNS
 > >
 > > Errr, it's supposed to.  Do you have a test case for which it fails?
 > 
 > Probably not a big deal

If you're going to malign my code, let's see the proof!  Otherwise,
I'll just dismiss you as a wanker.

 > >  > 4) Doesn't set "h=" flag which states what is covered by the sig
 > >  > (causes forwards and backup mx mail to fail)
 > >
 > > Nope.  If you have software which is munging the message ... fix it.
 > > But forwards and backup mx mail don't cause it to fail.
 > 
 > Adding Received headers is not message munging. The fact that qmail-dk
 > doesn't set the h= flag means outgoing mail can be hard rejected by
 > mail servers doing the right thing.

Again, I see no proof that this isn't just the product of your fevered
imagination.  My email path prepends several Received headers and the
signatures still verify.

 > The fact that qmail-dk doesn't honor the h= flag for incoming mail
 > means that qmail-dk will set DomainKey status as bad when the mail is
 > good (verifies via dktest).

Bullshit on a stick without test cases, sorry.  h= is actually
completely useless, and anyway, if there's a problem, it's in
libdomainkeys, for which I no longer bear responsibility.

 > Look Russ, I'm not here to flame you or your contributions. All I'm
 > saying is that this doesn't work properly for most people.

But you don't bother to provide a usable bug report.

As for people having trouble with it, I explicitly said in the release
email that the UI sucks, and I asked for suggestions.  Still haven't
gotten any.

-- 
--my blog is at    http://blog.russnelson.com   | You can do any damn thing
Crynwr sells support for free software  | PGPok | you want, as long as you
521 Pleasant Valley Rd. | +1 315-323-1241       | don't expect somebody else
Potsdam, NY 13676-3213  |     Sheepdog          | to pick up the pieces.
