Aug 16

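A lot of spam today is sent indiscriminately, and combined with forged sender addresses it can end up hampering your own host's ability to deliver mail.
For example: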

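A spam message forges its sender address as no-this-name@yahoo.com.tw and is sent to no-this-user@example-host.com. If example-host.com has no user named no-this-user, the message is bounced to no-this-name@yahoo.com.tw, and over time example-host.com may end up being blocked by yahoo.com.tw.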

An earlier post only covered how to block this on exim; recently I worked out how to configure it on Postfix.

  1. For Postfix to run the check, main.cf needs these fragments:
    smtpd_restriction_classes =
            fakemail_yahoo
            fakemail_gmail
            ...
    #
    fakemail_yahoo = check_client_access pcre:/usr/local/etc/postfix/fake/yahoo
    fakemail_gmail = check_client_access pcre:/usr/local/etc/postfix/fake/gmail
    #
    smtpd_sender_restrictions =
            ...,
            check_sender_access hash:/usr/local/etc/postfix/fake/CHECK,
            ...
  2. Create the rule mapping file (/usr/local/etc/postfix/fake/CHECK) with contents roughly as follows (the wide gap in the middle is a tab):
    yahoo.com       fakemail_yahoo
    yahoo.com.tw    fakemail_yahoo
    gmail.com       fakemail_gmail
    ...
  3. Create the rule file (taking /usr/local/etc/postfix/fake/yahoo as the example) with the following contents (the wide gap in the middle is a tab):
    /(^|\.)yahoo\.com$/     DUNNO
    /./                     REJECT Fake address
  4. Use postmap to build the hash map of the rule mapping file, then have postfix reload its configuration.

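By the way, if you have additional MX servers, the same rules have to be deployed on all of them, otherwise this does nothing.
After running it for a while, the effect has been quite noticeable. :cool: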
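
The two-stage lookup configured in steps 1 to 3 (sender domain to restriction class, then client hostname against that class's pcre rules) can be traced offline with the model below. It is an added example, not part of the original post and not Postfix code; check_sender is a hypothetical name, the gmail rule file is an assumption (the post only shows the yahoo one), and every hostname in SAMPLES is constructed.

```python
import re

# Contents of /usr/local/etc/postfix/fake/CHECK from the post (sender domain -> class).
CHECK = {
    "yahoo.com": "fakemail_yahoo",
    "yahoo.com.tw": "fakemail_yahoo",
    "gmail.com": "fakemail_gmail",
}

# Rule files referenced by each restriction class. The yahoo rules are the
# post's own; the gmail rules are an assumption modelled on the exim ACL
# elsewhere on this page (which expects Gmail to relay from google.com hosts).
CLASS_RULES = {
    "fakemail_yahoo": [(r"(^|\.)yahoo\.com$", "DUNNO"), (r".", "REJECT Fake address")],
    "fakemail_gmail": [(r"(^|\.)google\.com$", "DUNNO"), (r".", "REJECT Fake address")],
}


def check_sender(sender, client_hostname):
    """Return the action for one MAIL FROM, given the client's hostname.

    Simplifications: only the exact sender domain is looked up in CHECK, and
    only the client hostname (not its IP address) is matched against the rules.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    cls = CHECK.get(domain)
    if cls is None:
        return "DUNNO"  # sender domain is not protected; later restrictions decide
    for pattern, action in CLASS_RULES[cls]:
        # pcre tables match case-insensitively by default; the first match wins.
        if re.search(pattern, client_hostname, re.IGNORECASE):
            return action
    return "DUNNO"


# Constructed (sender, client hostname) pairs; none are taken from real traffic.
SAMPLES = [
    ("no-this-name@yahoo.com.tw", "mta7.mail.yahoo.com"),       # relay under yahoo.com
    ("no-this-name@yahoo.com.tw", "dsl-10-0-0-1.example.net"),  # forged sender
    ("someone@yahoo.com", "mail.notyahoo.com"),                 # look-alike domain
    ("someone@yahoo.com", "unknown"),                           # client without a usable PTR
    ("someone@yahoo.com.tw", "mta1.mail.yahoo.com.tw"),         # relay named under .com.tw
    ("user@example.org", "dsl-10-0-0-1.example.net"),           # domain not listed in CHECK
]

if __name__ == "__main__":
    for sender, host in SAMPLES:
        print(f"{sender:28} {host:28} -> {check_sender(sender, host)}")
```

Two results are worth checking before deploying: a client that Postfix reports as "unknown" is rejected for every protected sender domain, and a relay whose name ends in yahoo.com.tw is rejected by the yahoo rule file as written, because its pattern only accepts names ending in yahoo.com.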

Jul 18

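For the past two days I've been dealing with a problem with Chinese-named mail attachments in RoundCube.
At first the situation seemed very strange, because Firefox worked fine, but IE showed these two behaviours:

  • Clicking directly with the left button, attachments with Chinese filenames cannot be downloaded.
  • With the middle mouse button (opening a new tab), it works fine.

Frankly, RoundCube's code structure is really hard to get a handle on, so it took quite a while to trace..

The RoundCube version I was helping to debug is 0.1-STABLE.
The fix I finally arrived at is to modify program/steps/mail/get.inc; the diff -u output looks like this: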

--- program/steps/mail/get.inc.orig     2008-07-18 02:01:46.000000000 +0800
+++ program/steps/mail/get.inc  2008-07-18 15:45:37.000000000 +0800
@@ -106,9 +106,19 @@
       }
     else
       {
-      header(sprintf("Content-Disposition: %s; filename="%s";",
+       $HTTP_USER_AGENT = $_SERVER["HTTP_USER_AGENT"];
+
+       if (strstr($HTTP_USER_AGENT, "compatible; MSIE ") !== false &&
+            strstr($HTTP_USER_AGENT, "Opera") === false) {
+             header(sprintf("Content-Disposition: %s; filename="%s";",
+                     $_GET["_download"] ? "attachment" : "inline",
+                     $part->filename ? rawurlencode(abbreviate_string($part->filename, 55)) :
+                                       rawurlencode("roundcube.$ctype_secondary")));
+       } else {
+             header(sprintf("Content-Disposition: %s; filename="%s";",
                      $_GET["_download"] ? "attachment" : "inline",
                      $part->filename ? abbreviate_string($part->filename, 55) : "roundcube.$ctype_secondary"));
+       }

       // turn off output buffering and print part content
       $IMAP->get_message_part($MESSAGE["UID"], $part->mime_id, $part, true);
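
Review bot: In the else branch (the two unchanged lines ending in "roundcube.$ctype_secondary"));), $part->filename still goes into the Content-Disposition header with no encoding, and that name comes from the message itself, so a double quote or control character in it can break the quoted filename parameter for every non-IE browser. Strip or escape those characters before the sprintf, or send an RFC 2231 style filename*= parameter to clients that understand it instead of relying on raw bytes. Two smaller points: $_SERVER["HTTP_USER_AGENT"] is read without an isset() check, so a request with no User-Agent header raises a notice, and the format string filename="%s"; as shown has unescaped double quotes inside a double-quoted PHP string, which will not parse unless they are written as \"%s\".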

The key is... when feeding the filename to IE, it has to be run through rawurlencode() first. XD

Dec 19

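I just noticed that anti-spam.org.cn's CBL has listed Xuite's SMTP server (the IP is 210.242.46.140).

So I removed anti-spam.org.cn's RBL from my sendmail, Postfix and exim configurations.

In addition, on exim, I extended the ACL from the previous post into the following: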

check_hello:

deny message = HELO/EHLO with wrong IP address.
     hosts = !+relay_hosts
     log_message = HELO/EHLO my.ip
     condition = ${if eq {$sender_helo_name}{###.###.###.###} {yes}{no}}

deny message = HELO/EHLO with wrong IP address.
     hosts = !+relay_hosts
     log_message = HELO/EHLO localhost
     condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}

deny message = HELO/EHLO with wrong IP address.
     log_message = HELO/EHLO none
     condition = ${if match {$sender_helo_name}{none} {yes}{no}}

deny message = HELO/EHLO with wrong IP address.
     log_message = HELO/EHLO no dot
     condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}

accept

check_mail:

deny message = $sender_host_address is listed in $dnslist_domain
     hosts = !+relay_hosts
     !authenticated = *
     dnslists = bl.spamcop.net : \
                sbl.spamhaus.org : \
                list.dsbl.org

deny message = Invalid mail-from envelope header
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Invalid mail-from envelope header
     condition = ${if match {$sender_address} {\\.} {no}{yes}}

# In the host-name patterns below the dots are escaped and the match is
# anchored at a label boundary, so a look-alike name such as notyahoo.com
# does not pass as yahoo.com.
deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake Yahoo
     senders = *@yahoo.com
     condition = ${if match {$sender_host_name}{\N(^|\.)yahoo\.com$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake Yahoo
     senders = *@yahoo.com.tw
     condition = ${if match {$sender_host_name}{\N(^|\.)yahoo\.com$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake hotmail
     senders = *@hotmail.com
     condition = ${if match {$sender_host_name}{\N(^|\.)hotmail\.com$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake MSN
     senders = *@msn.com
     condition = ${if match {$sender_host_name}{\N(^|\.)(hotmail|msn)\.com$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake AOL
     senders = *@aol.com
     condition = ${if match {$sender_host_name}{\N(^|\.)mx\.aol\.com$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake Gmail
     senders = *@gmail.com
     condition = ${if match {$sender_host_name}{\N(^|\.)google\.com$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake Hinet
     senders = *@hinet.net
     condition = ${if match {$sender_host_name}{\N(^|\.)hinet\.net$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake Hinet
     senders = *@msa.hinet.net
     condition = ${if match {$sender_host_name}{\N(^|\.)hinet\.net$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake Hinet
     senders = *@umail.hinet.net
     condition = ${if match {$sender_host_name}{\N(^|\.)hinet\.net$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake Hinet
     senders = *@cm1.hinet.net
     condition = ${if match {$sender_host_name}{\N(^|\.)hinet\.net$\N}{no}{yes}}

deny message = Fake mail address.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = Fake Xuite
     senders = *@xuite.net
     condition = ${if match {$sender_host_name}{\N(^|\.)xuite\.net$\N}{no}{yes}}

accept

check_data:

deny message = Message SHOULD have Message-ID.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = No Message-ID
     condition = ${if !def:h_Message-ID: {1}}

deny message = Message SHOULD have Date.
     hosts = !+relay_hosts
     !authenticated = *
     log_message = No Date
     condition = ${if !def:h_Date: {1}}

accept

Incidentally... after adding the ACL from the previous post, the reject log grew to more than three times its original size. XD

Dec 17

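After reading a pile of web pages and fumbling around for a good while, I just came up with these settings:

  • The ACL that runs checks at the HELO or EHLO command is named check_hello: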

    check_hello:

    deny message = HELO/EHLO with my ip address. You are not me.
    log_message = HELO/EHLO my.ip
    condition = ${if eq {$sender_helo_name}{###.###.###.###} {yes}{no}}

    deny message = Fine, then the mail I accept is also none
    log_message = HELO/EHLO none
    condition = ${if match {$sender_helo_name}{none} {yes}{no}}

    accept

  • The ACL used for MAIL is named check_mail:

    check_mail:

    deny message = $sender_host_address is listed in $dnslist_domain
    hosts = !+relay_hosts
    !authenticated = *
    dnslists = bl.spamcop.net : \
    sbl.spamhaus.org : \
    list.dsbl.org : \
    cbl.anti-spam.org.cn

    # In the host-name patterns below the dots are escaped and the match is
    # anchored at a label boundary, so a look-alike name such as notyahoo.com
    # does not pass as yahoo.com.
    deny message = Fake Yahoo, so you must be spam.
    log_message = Fake Yahoo
    senders = *@yahoo.com
    condition = ${if match {$sender_host_name}{\N(^|\.)yahoo\.com$\N}{no}{yes}}

    deny message = Fake hotmail, so you must be spam.
    log_message = Fake hotmail
    senders = *@hotmail.com
    condition = ${if match {$sender_host_name}{\N(^|\.)hotmail\.com$\N}{no}{yes}}

    deny message = Fake MSN, so you must be spam.
    log_message = Fake MSN
    senders = *@msn.com
    condition = ${if match {$sender_host_name}{\N(^|\.)(hotmail|msn)\.com$\N}{no}{yes}}

    deny message = Fake AOL, so you must be spam.
    log_message = Fake AOL
    senders = *@aol.com
    condition = ${if match {$sender_host_name}{\N(^|\.)mx\.aol\.com$\N}{no}{yes}}

    deny message = Fake Gmail, so you must be spam.
    log_message = Fake Gmail
    senders = *@gmail.com
    condition = ${if match {$sender_host_name}{\N(^|\.)google\.com$\N}{no}{yes}}

    accept

  • The ACL used for DATA is named check_data:

    check_data:

    deny message = Message SHOULD have Message-ID: but does not
    condition = ${if !def:h_Message-ID: {1}}

    deny message = Message SHOULD have Date: but does not
    condition = ${if !def:h_Date: {1}}

    accept

For exim to run these checks at the HELO (or EHLO), MAIL and DATA commands, the configuration file needs these three lines:

acl_smtp_mail = check_mail
acl_smtp_helo = check_hello
acl_smtp_data = check_data

So far the results I see in the log are pretty good. XD

Dec 12

In the previous post you can see the DNSBL list I habitually use:

reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client cblless.anti-spam.org.cn,

In sendmail, I use these settings:

FEATURE(`dnsbl', `bl.spamcop.net', `"550 Spam blocked, see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Spam blocked, see: http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
FEATURE(`dnsbl', `list.dsbl.org', `"550 Spam blocked, see: http://dsbl.org/listing?"$&{client_addr}')dnl
FEATURE(`dnsbl', `cblless.anti-spam.org.cn', `"550 Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP="$&{client_addr}')dnl

I just received a message saying that a Hinet mailbox was being blocked.
Checking the maillog turned up these:

Dec 12 15:27:45 #### sm-mta[56538]: lBC7RiVG056538: ruleset=check_rcpt, arg1=< ####@####.####>, relay=msr14.hinet.net [168.95.4.114], reject=550 5.7.1 < ####@####.####>... Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP=168.95.4.114

Dec 12 10:26:55 #### sm-mta[42224]: ruleset=check_relay, arg1=msr28.hinet.net, arg2=127.0.8.5, relay=msr28.hinet.net [168.95.4.128], reject=550 5.7.1 Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP=168.95.4.128
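
Reject lines like the two above can be grouped by sending provider and blocklist to spot a large mail operator being caught by a list, which is the false positive this post goes on to trace. The script below is an added example, not part of the original post; parse_rejects, provider_of and providers_hit_repeatedly are hypothetical names, the third log line is constructed, and the blocklist is identified only by the URL that the reject message carries.

```python
import re
from collections import defaultdict

# The two reject lines quoted in the post ("####" redactions as published),
# followed by one constructed line for a relay that has no PTR name.
LOG = """\
Dec 12 15:27:45 #### sm-mta[56538]: lBC7RiVG056538: ruleset=check_rcpt, arg1=< ####@####.####>, relay=msr14.hinet.net [168.95.4.114], reject=550 5.7.1 < ####@####.####>... Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP=168.95.4.114
Dec 12 10:26:55 #### sm-mta[42224]: ruleset=check_relay, arg1=msr28.hinet.net, arg2=127.0.8.5, relay=msr28.hinet.net [168.95.4.128], reject=550 5.7.1 Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP=168.95.4.128
Dec 12 16:00:00 #### sm-mta[60001]: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 5.7.1 Spam blocked, see: http://spamcop.net/bl.shtml?192.0.2.10
"""

REJECT = re.compile(
    r"ruleset=(?P<ruleset>\w+),.*?"
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[0-9.]+)\],\s+"
    r"reject=(?P<code>\d{3}) .*?Spam blocked, see: https?://(?P<list_site>[^/\s]+)"
)


def parse_rejects(log):
    """Return one dict per DNSBL reject line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(REJECT.search, log.splitlines()) if m]


def provider_of(host):
    """Naive provider key: the last two DNS labels (wrong for names like x.com.tw)."""
    if not host:
        return "(no PTR)"
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def providers_hit_repeatedly(rejects, min_hosts=2):
    """(provider, list site) pairs where several distinct relay IPs were rejected."""
    seen = defaultdict(set)
    for r in rejects:
        seen[(provider_of(r["host"]), r["list_site"])].add(r["ip"])
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) >= min_hosts}


if __name__ == "__main__":
    for (provider, site), ips in providers_hit_repeatedly(parse_rejects(LOG)).items():
        print(f"{provider}: {len(ips)} relays rejected via {site}: {', '.join(ips)}")
```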

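anti-spam.org.cn has the following kinds of lists:

  • CBL (China spam blacklist): aimed mainly at the spam situation within China; the blacklisted addresses are also selected mainly according to spam reports from within China.
  • CDL (China dynamic address list): dynamically allocated addresses within China and Taiwan Province.
  • BML (list of large mail operators)
  • TML (trusted mail server addresses)

The blacklists available for use are these (BML has already been removed from all of them):

  • CBL
  • CDL
  • CBL+: CBL plus CDL.
  • CBL-: CBL plus CDL, minus TML.

Of these, CBL- is the one used by the settings at the top of this post.

Running a blacklist query for these two Hinet mail servers from the anti-spam.org.cn home page shows that both were misclassified and placed on the CDL list.

I think Hinet's mail servers should be on BML, but anti-spam.org.cn has not done that.
For now, since Hinet's mail servers are still on CDL, we can only put up with it and use the plain CBL list.

So I just changed the Postfix settings to this: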

reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client cbl.anti-spam.org.cn,

and sendmail uses these:

FEATURE(`dnsbl', `bl.spamcop.net', `"550 Spam blocked, see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Spam blocked, see: http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
FEATURE(`dnsbl', `list.dsbl.org', `"550 Spam blocked, see: http://dsbl.org/listing?"$&{client_addr}')dnl
FEATURE(`dnsbl', `cbl.anti-spam.org.cn', `"550 Spam blocked, see: http://anti-spam.org.cn/"')dnl

By the way, has anyone here used other DNSBLs that turned out to be good?
Recommendations are welcome~

Dec 08

Got a reply...

Hello,

Thank you for writing to Yahoo! Mail.

We appreciate your report as your input helps us to identify ways to
constantly maintain and improve our service. We apologize for any
inconvenience this has caused you. If you notice any further
difficulties when delivering to Yahoo! Mail accounts, after waiting a
reasonable amount of time, please let us know by replying directly to
this email. However please note the following:

If you are receiving the error code "421 Message from x.x.x.x
temporarily deferred" or "451 Message temporarily deferred - 4.16.50" in
your SMTP logs, this indicates that the message you attempted to send
was not accepted by Yahoo! Mail servers. It is not a permanent error;
your system will automatically re-try later. If, after attempting to
deliver to Yahoo! and receive the 4.16.50 error repeatedly and conform
to the best sending practices outlined in the following page, we
encourage you to apply for prioritized sending at the link below.

Recommended Best Practices:

http://help.yahoo.com/help/us/mail/defer/defer-01.html

Prioritized Delivery (Please note that this form can also be used by
senders whose mailings are being directed to the Bulk Folder):

http://help.yahoo.com/l/us/yahoo/mail/yahoomail/postmaster/bulk.html

If you are receiving a separate error than that above, please provide
the text of any error messages you may have received. Also, providing
the specific IP address of the mail server that experienced the delivery
issue will help us to troubleshoot the issue more efficiently.

For assistance with delivery issues to Yahoo! Mail, please visit:

http://postmaster.yahoo.com/

We appreciate your patience while we work to improve and maintain our
service.

Thank you again for contacting Yahoo! Mail.

Regards,

Samuel Cyprian

Yahoo! Customer Care

42488450

Original Message Follows:
-------------------------

Mail-Id: w1.help.tpc.yahoo.com-/l/us/yahoo/mail/postmaster/defer.html-1196670703-23
"Name:" : Joe Horn
"Email Address:" : ##my Gmail address##
"Domains" : ###.com.tw
"Subject:" : Email not accepted for policy reasons
"IP Addresses:" : ###.###.###.1
###.###.###.2
"Error Codes:" :
host mx2.mail.tw.yahoo.com[203.188.197.10] refused to
talk to me: 421 Message from (###.###.###.1) temporarily deferred -
4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html

host mx2.mail.tw.yahoo.com[203.188.197.10] refused to talk to me: 421
Message from (###.###.###.2) temporarily deferred - 4.16.50.
"Contents:" :
"Additional Info:" : Our company provide web hosting service for EC site owner.
Recently, we receive complaint from our customer.
They said that their customer who using Yahoo! mailbox couldn't
receive product order notification, but Gmail is okay.

Could you please help us to solve this problem?
Thanks.

"Information Passed In":
------------------------
"from_url" : http://help.yahoo.com/l/us/yahoo/mail/original/abuse/abuse-60.html
------------------------

While Viewing: http://help.yahoo.com/l/us/yahoo/mail/original/abuse/abuse-60.html

Form Name: http://help.yahoo.com/l/us/yahoo/mail/postmaster/defer.html

Yahoo ID:

Other ID:

Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.8.1.11)
Gecko/20071127 Firefox/2.0.0.11

REMOTE_ADDR: 59.113.162.14

REMOTE_HOST: 59.113.162.14

Date Originated: Monday December 3, 2007 - 00:31:43

-------

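One look and you can tell it's yet another canned bureaucratic reply... :x

I ran both IPs, ###.###.###.1 and ###.###.###.2, through a DNSBL test site, and everything came back clean.
Moreover, the domains of both machines have SPF records.

Yahoo doesn't use an open framework; it builds its own blacklist and gives no reason after you report a problem, which is a real headache.

My assessment is that the cause may be: "spammers use forged Yahoo addresses as From and send mail to the mail server; the mail server cannot find the recipient and tries to bounce the message, so the bounce goes back to Yahoo". So I changed some settings on the mail server.

These two IPs, ###.###.###.1 and ###.###.###.2, run Exim and Postfix respectively as their MTA.

I'm not familiar with Exim, so I only adjusted the Postfix rules, using these settings in main.cf (most of them were already there):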

#
bounce_queue_lifetime = 1h
maximal_queue_lifetime = 3d
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_auth_clients = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
#
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        permit_mx_backup,
        check_recipient_access regexp:/usr/local/etc/postfix/access_regex,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_unknown_reverse_client_hostname
#
smtpd_client_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_client_access regexp:/usr/local/etc/postfix/access_regex,
        reject_unknown_reverse_client_hostname,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client cblless.anti-spam.org.cn,
        permit
#
smtpd_sender_restrictions =
        reject_non_fqdn_sender,
        reject_unknown_sender_domain

In the file /usr/local/etc/postfix/access_regex I put these:

/dsl\./ REJECT
/\.dsl/ REJECT
/dynamic\./ REJECT
/\.dynamic/ REJECT
/-dynamic/ REJECT
/dynamic-/ REJECT
/\.dynamicIP\./ REJECT
/\.dyn/ REJECT
/dyn\./ REJECT
/dyn-/ REJECT
/-dyn/ REJECT
/dynpool/ REJECT

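In addition, I suggest that people with the same trouble use a Gmail mailbox as their mail channel.
PHP systems can consider adopting libgmailer.

Someone told me that getting people to give up their Yahoo mailboxes is hard, because shop owners on Yahoo Auctions all have to use Yahoo mailboxes.
But... aren't Ruten plus search engine keyword ads good enough? Besides, Ruten doesn't extort its shop owners yet!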

Dec 03

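Previously I was dealing with mail from the server to Hotmail being swallowed; lately I've been dealing with the server being unable to deliver mail to Yahoo mailboxes.

The server's maillog has these two kinds of messages:

  • host mx##.mail.tw.yahoo.com[###.###.###.###] refused to talk to me: 421 Message from (###.###.###.###) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
  • host mx##.mail.tw.yahoo.com[###.###.###.###] refused to talk to me: 453 Mail from ###.###.###.### not allowed - [90]

A few days ago I followed the URL in the message and sent a report to Yahoo; the problem is still unresolved.
Neo also posted this blog post about a week ago.

Please, do us a favour.
So that you can actually receive your order notifications and registration confirmation mails, stop using Yahoo and Hotmail mailboxes for account registration and shopping.
Isn't Gmail good? Register a Gmail account for signing up and shopping online; it saves you trouble and saves us headaches.
Besides, the amount of spam in a Gmail mailbox is definitely lower than in Yahoo or Hotmail.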

May 03

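These past few days I've been dealing with mail server problems again.

A client of a partner vendor has a mail server that has been unable to send mail to Hotmail mailboxes.
After checking, the SPF record is fine, but the mail just never gets into Hotmail.

Worse, Hotmail neither bounces the mail to the sender nor puts it in the recipient's junk mail.
So there is no way to find out where the error is...

Frankly, I wouldn't want to use a mailbox like this, and wouldn't dare to...
Who knows when an important message you're eagerly waiting for will be silently swallowed? :roll:
Even if it's spam, at least put it in the junk folder so we can rescue it!? =_=b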

Jun 30

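Following up on yesterday's post.

I later got Domain Keys working. Watching the logs from yesterday to today, I found that the ones currently using it are Yahoo! and Gmail.
Besides English-language sites, people in mainland China have played with it too, and there is this article that gives a brief explanation of Domain Keys.

However, as I said in this part of the comment I left:

However, Domain Keys still seems off; I ran into this problem:

An advertiser forges From: as xxx@yahoo.com, but since he does not belong to Yahoo.com, he does not use Domain Keys (his mail has no DomainKey-Signature: header).
As a result, even if the receiving side uses Domain Keys, it does not perform signature verification on this message, and the mail keeps flowing in.

Even when a Yahoo! or Gmail address is forged and put into From:, it still cannot be identified.

I just re-read the Domain Keys draft.
I found these two interesting pieces of information: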

_domainkey.yahoo.com text = "t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys"

*** Can't find _domainkey.gmail.com: No answer

In section 3.6.2, Interim sending domain policy, of the document, the o tag is explained in these two passages:

o = Outbound Signing policy ("-" means that this domain signs all email, "~" is the default and means that this domain may sign some email with DomainKeys).

There is an important implication when a domain states that it signs all email with the "o=-" setting. Namely that the sending domain prefers that the recipient system treat unsigned mail with a great deal of suspicion. Such suspicion could reasonably extend to rejecting such email. A verifying system MAY reject unverified email if a domain policy indicates that it signs all email.

Of course nothing compels a recipient MTA to abide by the policy of the sender. In fact, during the trial a sending domain would want to be very certain about setting this policy, as processing by recipient MTAs may be unpredictable. Nonetheless, a domain that states that it signs all email MUST expect that unverified email may be rejected by some receiving MTAs.

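In other words, the settings published by Yahoo! and Gmail do not require receivers that use Domain Keys to perform signature verification on their mail.
So in the current situation, even if we use this mechanism, we cannot make a completely correct judgement about their mail. :sad:

Put nicely, Domain Keys is still in its testing phase.
Put bluntly, Domain Keys as it stands is pretty much useless. XD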
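
The decision a verifier is left with in the case described above (a forged From: with no DomainKey-Signature:) can be worked through from the published policy records. This is an added example, not part of the original post and not code from any DomainKeys implementation; parse_policy and classify are hypothetical names, the sending domain is taken from From: only, and strict.example and both messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Policy TXT records at _domainkey.<domain>. The yahoo.com value and the missing
# gmail.com record are the lookups shown in the post; strict.example is constructed.
POLICY_TXT = {
    "yahoo.com": r"t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys",
    "gmail.com": None,
    "strict.example": "o=-",
}


def parse_policy(txt):
    """Split a policy record into its tags; nslookup prints ';' as '\\;'."""
    tags = {}
    for part in (txt or "").replace("\\;", ";").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def classify(raw_message, policy_txt=POLICY_TXT):
    """Return (sending domain, what the verifier can do) for one raw message.

    Assumption: the sending domain is read from From: only.
    """
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if msg.get("DomainKey-Signature"):
        return domain, "verify signature"
    policy = parse_policy(policy_txt.get(domain))
    signs_all = policy.get("o", "~") == "-"   # "~" is the default, per the quoted text
    # t=y marks testing mode in the DomainKeys spec (the post quotes only the o tag).
    testing = "y" in policy.get("t", "")
    if signs_all and not testing:
        return domain, "unsigned: MAY reject"
    return domain, "unsigned: no basis to reject"


# Constructed messages: the forged case from the post, and the same forgery
# against a domain that publishes o=-.
FORGED_YAHOO = "From: xxx@yahoo.com\nTo: user@example-host.com\nSubject: ad\n\nbuy now\n"
FORGED_STRICT = FORGED_YAHOO.replace("yahoo.com", "strict.example")

if __name__ == "__main__":
    for raw in (FORGED_YAHOO, FORGED_STRICT):
        print(classify(raw))
```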

Jun 29

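I was just playing with Domain Keys.
No matter which mode I switch to (nofws, simple), verification fails on the verifying side.... orz

However, I just noticed that it signs these headers together with the mail body.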

h=from:to:subject:date:message-id:x-mailer:
x-originatingip:mime-version:content-type:x-virus-scanned:x-greylist;

Because both machines (signer and verifier) do virus scanning and grey-listing, the problem seems to be that the headers differ between the two sides!?

Later I'll try removing the x-virus-scanned and x-greylist headers from the mail and see... :sad:
