Milter-greylist

On Mon, Sep 29, 2008 at 11:57:28AM +0200, Ondrej Valousek wrote:
> Hi List,
> 
> I was thinking about the DKIM support recently, and I must say I am not
> sure about its usefulness.
> Why?
> 1. DACL only. Even worse, at rcpt stage you can not even say whether the
> message is going to be DKIM signed or not. Is there any list of domains
> *always* using DKIM? I am not aware of it.
> 2. Even if we had a list of DKIM-friendly domains, what would we do if
> we received a mail without a DKIM signature (and it should have one)?
> Are we entitled to trash it?
> 3. My feeling is that we would probably never receive a mail with a
> false DKIM identification. Why? A common spammer would probably never
> sign his mail and if he does, the identification would be positive.
> 
> I would like to have the following construction:
> 
> racl whitelist from /.*@yahoo\.com/
> racl greylist default delay 15m
> dacl whitelist from dkim pass
> dacl blacklist from /.*@yahoo\.com/ dkim none
> dacl blacklist dkim [fail, unknown,error]
> 
> 
> 
> (note I am not sure whether I can use the construction in the last case,
> but it is quite obvious what I was after...)
> Now, if the above worked and was SAFE, it would be absolutely perfect.
> But.... is it safe?
> 
> And if it was, is there any DNSRWL of all domains using DKIM so I do not
> have to type them one by one?

draft-ietf-dkim-ssp-03 should cover this, but it's still draft:

	This document describes the records that authors' domains can
	use to advertise their practices for signing their outgoing
	mail, and how other hosts can access those records.

http://tools.ietf.org/html/draft-ietf-dkim-ssp-03