Red Hat Bugzilla – Bug 485303
No messages are filtered
Last modified: 2009-02-19 21:31:11 EST
Description of problem:
Messages without signature are correctly detected as invalid but it is not reported to milter.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up dkim-milter to block messages without valid signatures.
2. Set up sendmail to use dkim-milter.
3. Send mail through telnet from the outside.
Actual results:
Mail is detected as mail with invalid signature, but it is delivered like correct mail.
Expected results:
Mail is blocked.
Additional info:
I tried to create an rpm of version 2.8.1. In that version messages are blocked, except in the situation when no headers identifying the sender are filled in. In that situation there is: no sender header found; accepting. I think this should not happen either.
1) How did you set the blocking of messages without valid signatures?
If so, then according to dkim-filter.conf(5) for 2.7.2 they will only be discarded if the domain's ADSP record says they should be. What was the domain? What does its ADSP say?
2) If it doesn't say to discard, do you have a local override with a line that says for example
3) You say that 2.8.1 blocks messages, does 2.7.2 (the version in Fedora 10) also? It might be easier to push 2.7.2 than the latest 2.8.1.
Ad 1) I am currently not familiar with adsp. Now I tried ADSPDiscard yes - no luck.
My ADSP record looks like this:
_adsp._domainkey IN TXT "dkim=CLOSED"
I did not know it has something to do with that.
Ad 2) I tried also dkim=discardable in DNS. No luck.
Ad 3) There is no 2.7.2 in the fc10 repository. There is also 2.5.1.
You can try 2.8.1 built for fc10 here.
Let me know if that works for you. You can find 2.7.2 there as well (I had forgotten to push as an update).
I tried 2.7.2 and 2.8.1. They have the same behaviour.
When TXT record is dkim=all, forged mail is delivered.
When TXT record is dkim=discardable, forged mail with From: filled in is rejected but mail without header (only envelope) is delivered. The previous behavior when message was silently dropped I cannot repeat now. Probably when I disable ADSP in dkim-milter.conf.
So does it ignore a forged envelope sender when the headers are empty? If so, that seems like a bug that should be filed upstream (and referenced here).
Does the behavior of 2.7.2/2.8.1 differ from 2.5.1 when ADSP is enabled? If so, I'll push the update.
It seems the 2.5.1 has no support for ADSP at all.
It is a question whether it is a bug of dkim-milter that it lets forged envelope senders pass, or whether there should be a mechanism for sendmail to fill in these data from the envelope if they are empty.
Ok, then it looks like the envelope sender / no other headers bug should be filed upstream. Please add a comment to this bug if you do so.
I'll push the update to 2.8.1 as an enhancement and we'll see if it makes it in. The current 2.5.1 version is quite out of date, so support for ADSP is enough of a reason for me.
Version 2.8.1 is now available (in fc10), so I'm going to close this bug.
If you file the envelope sender / no header filtering bug upstream then please re-open this bug so we can track it.
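The ADSP behaviour discussed in this report, sketched as an added example (not part of the bug report and not dkim-milter's code): it evaluates a record per RFC 5617, where any `dkim=` value other than `unknown`, `all` or `discardable` counts as `unknown`, and shows why a message with no From: header gets no ADSP check. The function names, the `flag` outcome and the `require_from` switch are assumptions made for illustration; signature verification is passed in as a boolean.

```python
from email import message_from_string
from email.utils import getaddresses

DEFINED_PRACTICES = {"unknown", "all", "discardable"}


def parse_adsp(txt):
    """Signing practice from an ADSP TXT record; undefined values -> 'unknown'."""
    for tag in txt.split(";"):
        name, _, value = tag.partition("=")
        if name.strip() == "dkim":
            value = value.strip()
            return value if value in DEFINED_PRACTICES else "unknown"
    return "unknown"


def author_domain(raw_message):
    """Domain of the single From: address, or None if absent or unusable."""
    msg = message_from_string(raw_message)
    addrs = getaddresses(msg.get_all("From", []))
    if len(addrs) != 1 or "@" not in addrs[0][1]:
        return None
    return addrs[0][1].rsplit("@", 1)[1].lower()


def disposition(raw_message, adsp_txt, has_valid_author_sig, require_from=True):
    """Return 'accept', 'flag', 'discard' or 'reject' for one message.

    ADSP is keyed on the From: header domain, never the envelope sender.
    require_from is a hypothetical local hardening switch: a message with
    no usable From: header is refused instead of skipping the ADSP check.
    """
    domain = author_domain(raw_message)
    if domain is None:
        return "reject" if require_from else "accept"
    if has_valid_author_sig:
        return "accept"
    practice = parse_adsp(adsp_txt)
    if practice == "discardable":
        return "discard"
    if practice == "all":
        return "flag"  # assumed receiver policy: deliver, but mark as unsigned
    return "accept"


# Constructed sample messages; example.com is a placeholder domain.
WITH_FROM = "From: alice@example.com\nSubject: test\n\nbody\n"
ENVELOPE_ONLY = "Subject: test\n\nbody\n"

if __name__ == "__main__":
    for txt in ("dkim=CLOSED", "dkim=all", "dkim=discardable"):
        print(txt, disposition(WITH_FROM, txt, False),
              disposition(ENVELOPE_ONLY, txt, False, require_from=False))
```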