Rolf,
> running (soon to be upgraded):
> SpamAssassin Server version 3.2.5
> running on Perl 5.8.8
>
> I'm new to this list, although I'm not new to SpamAssassin. Looking at
> http://spamassassin.apache.org/tests_3_3_x.html, and particularly at the
> following DKIM tests:
>
> DKIM_VERIFIED
> DKIM_POLICY_TESTING
> DKIM_POLICY_SIGNSOME
> DKIM_POLICY_SIGNALL
>
> I wonder what these tests exactly mean. The Wiki pages for them are not
> yet written, hence my question here on the list.
3.2.5 - 25_dkim.cf:
describe DKIM_SIGNED Domain Keys Identified Mail: message has a signature
describe DKIM_VERIFIED Domain Keys Identified Mail: signature passes verification
describe DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain signs some mails
describe DKIM_POLICY_SIGNALL Domain Keys Identified Mail: policy says domain signs all mails
describe DKIM_POLICY_TESTING Domain Keys Identified Mail: policy says domain is testing DK
3.3.1 - 25_dkim.cf:
describe DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
describe DKIM_VALID Message has at least one valid DKIM or DK signature
describe DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
describe DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
describe DKIM_ADSP_DISCARD No valid author signature, domain signs all mail and suggests discarding the rest
describe DKIM_ADSP_ALL No valid author signature, domain signs all mail
describe DKIM_ADSP_CUSTOM_LOW No valid author signature, adsp_override is CUSTOM_LOW
describe DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
describe DKIM_ADSP_CUSTOM_HIGH No valid author signature, adsp_override is CUSTOM_HIGH
60_whitelist_dkim.cf:
describe USER_IN_DKIM_WHITELIST From: address is in the user's DKIM whitelist
describe USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list
There are some differences in DKIM plugin and its rules between 3.2.5 and 3.3.1,
but the concept is the same.
DKIM_SIGNED just means there is a signature. Purely informative, no score.
DKIM_VERIFIED has been renamed DKIM_VALID with 3.3.0 (both names
are still there, aliases), and means that at least one signature is valid.
Since we have no information at this point on the reputation of a
signer, its score is very low too, but can serve in meta rules to contribute
good score to reputable signers (instead of hard-whitelisting them
with USER_IN_DKIM_WHITELIST).
The DKIM_POLICY_* are gone in 3.3.0, they are just there for compatibility,
with score 0.
New with 3.3.* is the ADSP support. See POD docs on the DKIM plugin.
> As the default scores of these tests are all one (1)
No, they are not at 1. Grep your 50_scores.cf file.
3.2.5:
score USER_IN_DKIM_WHITELIST -100.000
score USER_IN_DEF_DKIM_WL -7.500
score ENV_AND_HDR_DKIM_MATCH -7.500
score DKIM_POLICY_SIGNALL 0.001
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0.001
score DKIM_SIGNED 0.001
score DKIM_VERIFIED -0.001
3.3.1:
score USER_IN_DKIM_WHITELIST -100.000
score USER_IN_DEF_DKIM_WL -7.500
score DKIM_SIGNED 0.1
score DKIM_VALID -0.1
score DKIM_VALID_AU -0.1
score DKIM_VERIFIED 0
score DKIM_POLICY_SIGNALL 0
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0
score DKIM_ADSP_CUSTOM_LOW 0.001
score DKIM_ADSP_CUSTOM_MED 0.001
score DKIM_ADSP_CUSTOM_HIGH 0.001
score DKIM_ADSP_ALL 0 1.1 0 0.8
score DKIM_ADSP_DISCARD 0 1.8 0 1.8
score DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9
> I wonder what exactly these tests do. For
> example, does the first test (DKIM_VERIFIED) mean that if a DKIM
> signature could be verified, the score is increased by one (1)? And
> what does 'verified' mean? A verification result can be positive and
> negative but in both situations the DKIM signature may have been
> verified correctly (i.e. no DNS problems, no ambiguous outcome etc.).
This is why DKIM_VERIFIED has been renamed to DKIM_VALID.
> Furthermore, the name of the 3rd and 4th of these tests seems to hint
> into the directory of ADSP, as policy mechanism added to DKIM? Is it
> correct that these tests perform an ADSP DNS lookup?
Yes, with 3.3, if you allow them to do so (can be overruled by
adsp_override command).
Mark
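
Added example, not part of the message above and not SpamAssassin's own code: a small Python resolver for `score` lines like the 3.3.1 ones quoted in the reply, showing which value is in effect when a line carries four numbers. It assumes the documented score-set order (no Bayes/no network, network only, Bayes only, both) and handles only plain one-value or four-value lines; the function names are made up for the illustration.

```python
# Added example: resolve SpamAssassin "score" lines to the value in effect.
# SAMPLE_SCORES is copied from the 3.3.1 listing quoted in the message.
SAMPLE_SCORES = """\
score USER_IN_DEF_DKIM_WL -7.500
score DKIM_SIGNED 0.1
score DKIM_VALID -0.1
score DKIM_VALID_AU -0.1
score DKIM_VERIFIED 0
score DKIM_ADSP_ALL 0 1.1 0 0.8
score DKIM_ADSP_DISCARD 0 1.8 0 1.8
score DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9
"""

def parse_scores(text):
    """Return {rule: [set0, set1, set2, set3]} from 'score' lines."""
    table = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) < 3 or parts[0] != "score":
            continue
        values = [float(v) for v in parts[2:]]
        if len(values) == 1:
            values = values * 4                # one value applies to every score set
        if len(values) != 4:
            raise ValueError("expected 1 or 4 scores: %r" % raw)
        table[parts[1]] = values
    return table

def scoreset(use_net, use_bayes):
    """Score set index: 0 = neither, 1 = network, 2 = Bayes, 3 = both."""
    return (2 if use_bayes else 0) + (1 if use_net else 0)

def effective(table, rule, use_net, use_bayes):
    """Score a single rule contributes under the given setup."""
    return table[rule][scoreset(use_net, use_bayes)]

def total(table, hits, use_net, use_bayes):
    """Sum of the scores of all rules that hit on one message."""
    return round(sum(effective(table, r, use_net, use_bayes) for r in hits), 3)

if __name__ == "__main__":
    scores = parse_scores(SAMPLE_SCORES)
    # Constructed hit list: signed mail failing an ADSP "discardable" policy.
    hits = ["DKIM_SIGNED", "DKIM_ADSP_DISCARD"]
    for net in (False, True):
        for bayes in (False, True):
            print("net=%-5s bayes=%-5s total=%s"
                  % (net, bayes, total(scores, hits, net, bayes)))
```

With network tests disabled the DKIM_ADSP_* rules resolve to 0, so a policy failure adds nothing to the total in that setup.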