Amavisd-new DKIM verification spec testing needed

Scott Kitterman ubuntu at kitterman.com
Thu Jul 3 13:27:52 UTC 2008


On Wednesday 02 July 2008 17:11, Mathias Gug wrote:
> Hi,
>
> Here are the minutes of the meeting. They can also be found online with
> the irc logs here: https://wiki.ubuntu.com/MeetingLogs/Server/20080701.
...
> ==== Spec status ====
>
> Most of the MIR related to amavisd-dkim have been done.

To follow up on this, all the MIR were approved and I have uploaded a new 
version of amavisd-new to Intrepid that enables DKIM verification by default.  
Now it needs testing and documentation.

Additional background:

DomainKeys Identified Mail (DKIM) is a new email identity authorization 
technology.  That and Sender Policy Framework (SPF) are the two major domain 
level technologies currently being used.  DKIM is designed to operate on the 
identities in the body of the message (RFC 2822) and SPF is designed to 
operate on the identities in the message envelope (RFC 821/2821).  

With the new DKIM policy-bank support in amavisd-new, messages with valid DKIM 
signatures can safely be whitelisted based on the body From address.  This is 
described in the spec use case:

https://wiki.ubuntu.com/ServerAmavisdDKIMSpec

In addition to enabling verification, the default configuration whitelists 
mail from known good domains that are known to sign mail with DKIM:

ebay.com, ebay.co.uk, ebay.at, ebay.ca, ebay.de, ebay.fr, paypal.co.uk, 
paypal.com, alert.bankofamerica.com, amazon.com, cisco.com, cnn.com, 
skype.net, welcome.skype.com, and cc.yahoo-inc.com

By default then, these domains will have their messages that have a valid DKIM 
signature skip amavisd-new content filtering.

Now it is time to test all this.  I need someone who can temporarily install 
the new versions of amavisd-new and libmail-dkim-perl and ideally run them 
against a mail stream of some volume.  To that end, I have uploaded these 
packages to my PPA for Hardy, so it is not necessary to be running Intrepid 
to help:

https://launchpad.net/~kitterman/+archive

NOTE: There are Intrepid packages in there for another reason.  Unless you 
want to do Intrepid SE Linux testing, install from Hardy and not Intrepid.

The packages there are identical to the ones uploaded to Intrepid, with one 
exception, I've added kitterman.com to the default whitelist to facilitate 
testing.  Since libmail-dkim-perl is a recommends and not a depends and the 
Hardy apt does not install recommends by default, you will need to explicitly 
install both packages.

If you try this, please let me know.  

Scott K
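
The whitelisting rule described in this message, sketched as an added example that is not part of the original post and is not amavisd-new's code. The function names are hypothetical, the per-signature verdicts are assumed to come from a real DKIM verifier, and requiring the signing domain (d=) to equal the From domain is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Default whitelist as quoted in the message above.
WHITELIST = {
    "ebay.com", "ebay.co.uk", "ebay.at", "ebay.ca", "ebay.de", "ebay.fr",
    "paypal.co.uk", "paypal.com", "alert.bankofamerica.com", "amazon.com",
    "cisco.com", "cnn.com", "skype.net", "welcome.skype.com",
    "cc.yahoo-inc.com",
}

def parse_tags(value):
    """Split a DKIM-Signature tag=value list into a dict, unfolding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def author_domain(msg):
    """Domain of the body From address (RFC 2822), or '' if there is none."""
    local, at, dom = parseaddr(msg.get("From", ""))[1].rpartition("@")
    return dom.lower() if at else ""

def skips_content_filtering(raw, verdicts):
    """verdicts: one bool per DKIM-Signature header, top to bottom, as
    reported by a real verifier (assumed input; no crypto is done here)."""
    msg = message_from_string(raw)
    domain = author_domain(msg)
    if domain not in WHITELIST:
        return False
    for sig, valid in zip(msg.get_all("DKIM-Signature", []), verdicts):
        # Assumption: the signing domain (d=) must equal the From domain.
        if valid and parse_tags(sig).get("d", "").lower() == domain:
            return True
    return False

# Constructed sample message; the bh= and b= values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;\n"
    "\td=paypal.com; s=constructed; h=from:subject;\n"
    "\tbh=CONSTRUCTED; b=CONSTRUCTED\n"
    'From: "PayPal" <service@paypal.com>\n'
    "Subject: constructed sample\n\nbody\n"
)
```

A message whose From claims a whitelisted domain but whose only valid signature belongs to another domain does not get the bypass, and neither does one whose signature failed verification.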
