Yahoo Groups archive

Milter-greylist


Re: [milter-greylist] DKIM support in milter-greylist?

2008-08-19 by Michael Mansour

Hi Emmanuel,

> Michael Mansour <mic@...> wrote:
> 
> > I'm glad I did this so looking at other email verification techniques (like
> > DKIM and digitally signing outgoing emails like Yahoo does) would it be a good
> > idea to implement support for this in milter-greylist?
> 
> DKIM works with e-mail headers, so you cannot filter with that at 
> RCPT stage (racl statements). We could do it at DATA stage, though (dacl
> statements)

I'm quite new to DKIM, so since emailing here I did the following:

* went to www.dkim.org to read up on DKIM

* downloaded the dkim-milter from sourceforge and started reading the
documentation there

Compiling the dkim-milter is quite fiddly so it's not a route I'd personally
like to take. Having support in milter-greylist similar to the SPF support
(i.e. using the powerful ACLs that milter-greylist provides) would be much easier.

> Would you like to contribute support for that? 

I'd be happy to help where I can, yes.

> What would the config look like? We could mimic the SPF clauses in 
> ACL: what are the possible DKIM statuses? valid, failed, something else?

A typical SPF entry I have is:

racl blacklist from /.*@domainname\.com*$/ spf softfail msg "Rejected (SPF check failed), look at http://www.openspf.org/why.html?sender=%f&ip=%i&receiver=%r"

Ideally, a DKIM entry should mimic this with:

dacl blacklist from /.*@domainname\.com*$/ dkim fail msg "Rejected (DKIM check failed), look at http://www.blahblah.org/why.html"

In terms of the DKIM returned status, from looking at the www.dkim.org site,
it seems to me there are only two statuses, verified or unverified (pass or fail).

I've gone and taken a look at one of my spam messages which came from
yahoo.com (which signs everything with its own older DomainKeys system) and
the header looks like:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Message-ID;
b=z1PqxYrxvgjKQo9+hdIKPGamA/nglEtpEQXazNWRHXP3zRML3S5BLrOyA7eYJcqiYFfmUZgGLcVO3hAiGk91LCgvU2Y1P+P+oCyV1vQXx18FfP7FC+DUF1Ib3yJY7wP8ek6XKCe2eS31iJlJaxjsJ4kXS2OVf85hlNfWEaFJvzg=;

and my SA report looks like:

0.00	DKIM_SIGNED	Domain Keys Identified Mail: message has a signature
-0.00	DKIM_VERIFIED	Domain Keys Identified Mail: signature passes verification

I use the Mail::DKIM perl module under SA to do this check.

It's also worth noting the supporters list:

http://www.dkim.org/deploy/supporters.html

and end-user organisations which use it:

http://www.dkim.org/deploy/users/index.htm

Regards,

Michael.

> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
> 
>
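An added example, not part of the original message and not milter-greylist code: reading the tag list of a signature header like the one quoted above and deriving the DNS name where a verifier looks up the signer's public key. The function names are hypothetical, and the sample header is constructed from the one in the message with a shortened placeholder in place of the b= value.

```python
import re

# Constructed sample modelled on the header quoted in the message; the b= value
# is a shortened placeholder, not a real signature.
SAMPLE = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;\r\n"
    "  s=s1024; d=yahoo.com;\r\n"
    "  h=Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:"
    "Content-Type:Message-ID;\r\n"
    "  b=QUJDREVGR0g=;\r\n"
)

SCHEMES = {"domainkey-signature": "DomainKeys", "dkim-signature": "DKIM"}


def parse_signature_header(raw):
    """Split a signature header into its scheme and tag=value pairs."""
    name, sep, value = raw.partition(":")
    scheme = SCHEMES.get(name.strip().lower())
    if not sep or scheme is None:
        raise ValueError("not a DomainKeys/DKIM signature header")
    # Unfold: a line break followed by whitespace continues the same field.
    value = re.sub(r"\r?\n[ \t]+", " ", value).strip()
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # trailing ';' leaves an empty element
        key, eq, val = item.partition("=")  # first '=' only: b= ends in padding
        key = key.strip()
        if not eq or not key:
            raise ValueError(f"malformed tag: {item!r}")
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        # h= and b= may be folded mid-value, so drop whitespace inside them.
        tags[key] = re.sub(r"\s+", "", val) if key in ("h", "b") else val.strip()
    for required in ("d", "s", "b"):  # minimum needed to locate the key
        if required not in tags:
            raise ValueError(f"missing required tag: {required}")
    return scheme, tags


def key_record_name(tags):
    """DNS name of the TXT record holding the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def signed_headers(tags):
    """Header names covered by the signature, lower-cased for comparison."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]
```

Everything here is read from a message header, which is why a check like this can only run once the headers have been received (the DATA stage mentioned in the quoted reply) and not at RCPT.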
