Yahoo Groups archive

Milter-greylist

DKIM and ACL syntax

2010-09-01 by John Wood

Greetings,

Of late I have been attempting to use the DKIM support in 
milter-greylist. Where at first I thought it was working, I am now 
convinced that I have either unintentionally broken it through my ACL 
syntax or through some compilation mistake.

After reading the fine documentation and sifting through the mailing 
list archives, I've attempted to do something close to this:

racl whitelist list "my network"
racl whitelist auth /.*/
racl greylist spf softfail delay 5m
racl blacklist spf fail
racl whitelist default
dacl whitelist auth /.*/
dacl blacklist dkim fail
dacl whitelist dkim pass spf pass
dacl whitelist default

The idea was to be slightly more friendly to those who pass both SPF and 
DKIM. However, simple testing with the following combinations:

SPF + DKIM both pass (verified by other milters and methods)
SPF pass, no DKIM signature 

both result in:

Mail from=<xxxx@domain>, rcpt=(nil), 
addr=host.name.net[IP.AD.DR.ESS] is matched by entry dacl 38 whitelist 
dkim pass spf pass

I thought this strange and returned to update the dACLs to have

dacl whitelist auth /.*/
dacl blacklist dkim fail
* dacl greylist dkim none delay 1m
dacl whitelist dkim pass spf pass
dacl whitelist default

only to see the same results. It appears to me that no matter what ACL 
is set, the DKIM result is always PASS. Since dkimcheck.c lacks the 
debug logging that the spf code has, I was unable to verify what exactly 
milter-greylist thinks it is seeing. I ktraced it and can see 
milter-greylist calling the SPF library, but there does not ever seem to 
be a DKIM call made (DKIM signature header there or not).

I have tried linking milter-greylist against multiple versions of 
libDKIM and libOpenDKIM with the same results. I have also tried using 
both $current and $development versions to the same results.

On a side note, SPF is working just fine. So the ACL above: dacl 
whitelist dkim pass spf pass is not being misleading about the SPF 
status; racl entries also verify this.

Any insight would be helpful,

John
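
The following is an added example, not part of the original post and not milter-greylist code: a small first-match model of the two dacl lists above, showing which entry each test message would be expected to hit if the DKIM verdict reached the ACL. It assumes that ACLs are evaluated top to bottom with all clauses on a line required to match, that `auth /.*/` matches only SMTP AUTH sessions, and that an unsigned message yields `dkim none`; the message dictionaries are constructed.

```python
# Added illustration: first-match model of the dacl lists in the post.
# Not milter-greylist code; the clause semantics are assumptions.
DACL_ORIGINAL = """\
dacl whitelist auth /.*/
dacl blacklist dkim fail
dacl whitelist dkim pass spf pass
dacl whitelist default
"""
DACL_UPDATED = """\
dacl whitelist auth /.*/
dacl blacklist dkim fail
dacl greylist dkim none delay 1m
dacl whitelist dkim pass spf pass
dacl whitelist default
"""
CLAUSES = {"auth", "dkim", "spf"}  # clause keywords that appear in the post


def parse_acl(text):
    """Return [(action, {clause: value}, line)] for each ACL line."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        conds, rest = {}, tokens[2:]
        for i, tok in enumerate(rest[:-1]):
            if tok in CLAUSES:
                conds[tok] = rest[i + 1]
        rules.append((tokens[1], conds, line))  # "default" -> no conditions
    return rules


def clause_matches(clause, value, msg):
    if clause == "auth":
        # Assumption: /.*/ matches any authenticated user, never an
        # unauthenticated session.
        return msg.get("auth") is not None
    return msg.get(clause) == value


def first_match(acl_text, msg):
    """Return (action, line) for the first entry whose clauses all match."""
    for action, conds, line in parse_acl(acl_text):
        if all(clause_matches(c, v, msg) for c, v in conds.items()):
            return action, line
    return None


# Constructed messages mirroring the two test cases in the post.
BOTH_PASS = {"auth": None, "spf": "pass", "dkim": "pass"}
SPF_ONLY = {"auth": None, "spf": "pass", "dkim": "none"}
```

Under this model, a log line that names a different entry than `first_match` returns for the same test message points at the DKIM verdict handed to the ACL rather than at the ordering of the entries.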
