[Mimedefang] sendmail spf milter plugin for sendmail 8.13.0

Jeff Rife mimedefang at nabs.net
Thu Aug 19 02:16:26 EDT 2004


On 18 Aug 2004 at 12:05, Matthew.van.Eerde at hbinc.com wrote:

> >                        This *requires* that my signing MTA talk
> > directly to the final endpoint "checking" MTA.
> 
> To the "checking" MTA, sure - not necessarily the final endpoint.  If you
> have a pass-through MTA running MimeDefang in front of your Exchange server,
> just make sure to do the checking on the MimeDefang server.

I was thinking more of multiple MXs, or any other sort of thing that 
forwards e-mail in some way.

>                                                              Once
> your DomainKey checking is complete, you can add/change/delete any
> headers you like.  Maybe add an X-DomainKey-Result: Pass, for example.

If there is already a header, you either decide to ignore it and check 
again, or hope that the other guy didn't add anything *after* checking.

> > Their description of the workaround for "Received:" headers basically
> > means that you either trust that somebody else did the check correctly
> > or that you must jump through some hoops to do the check yourself.
> > There's also the issue of making it impossible for a mail server to
> > translate 7-bit to 8-bit or vice versa.
> 
> Translate at will - after you do the check.

Nope, because then the next guy that gets it can't just drop the 
headers you were supposed to add that don't impact the signature and 
get the same result.

> >                                      Well, gee, even if they don't
> > "participate", if the e-mail comes from a "participant", and ends up at
> > a "participant", end users may never get a say in whether to reject the
> > e-mail or not.
> 
> Or just check on the Sender: header rather than the From:...

You can't do that because nobody else is, plus the signature comes from 
the "From:" domain...it almost certainly won't match.

> Ehhh... DomainKeys can be trivially saved from this trivial defeat.
> Just have the sending MTA create separate envelopes for each recipient.
> Then add an X-Envelope-To: header.  Finally have the MTA sign each envelope
> independently before delivery.

If the DomainKeys system signed envelopes in the first place, we 
wouldn't be having a lot of this discussion.


--
Jeff Rife        |  
SPAM bait:       | 
http://www.nabs.net/Cartoons/Dilbert/StupidCoWorkers.gif 
AskDOJ at usdoj.gov |  
spam at ftc.gov     |  



