amavisd-new 2.7.1 , dkim-adsp=pass

Steve steeeeeveee at
Wed May 23 21:37:14 CEST 2012

-------- Original-Nachricht --------
> Datum: Wed, 23 May 2012 20:44:20 +0200
> Von: Mark Martinec <Mark.Martinec+amavis at>
> An: amavis-users at
> Betreff: Re: amavisd-new 2.7.1 , dkim-adsp=pass

> Steve,
Hello Mark,

> > > If you have it configured to modify a Subject, it will do so
> regardless
> > > of whether this header field was signed or not. And yes, this will
> break
> > > subsequent DKIM tests, so it is prudent to tag a subject close to a
> final
> > > delivery, where no further sw components will be re-examining the
> > > signature.
> > 
> > this was not exactly my question.
> I think it was.
okay. I still am not thinking that I got what I was looking for. Anyway...

> > My question is more going in this direction:
> > 
> > * Domain A sings all their outbound mail with DKIM.
> > * User form domain A sends mail to Domain B.
> > * Mail server running at domain B uses amavisd-new to verify signatures
> and
> > uses SA within amavisd-new. * The SA code thinks that the message from
> > domain A is spam and the subject gets rewritten. * Domain A however
> sings
> > their subject.
> > 
> > Result is that DKIM is broken after the subject has been tagged. Right?
> Yes, but nobody should be re-checking the signature once the message
> is in the mailbox (there are other manglings done by MUA, for example
> kmail is notorious for such). The amavisd, and SpamAssassin, and some
> potential pre-queue milter like OpenDKIM will see the orginal message
> *before* it is being re-written.
Aha. This is the real point. The check must be done BEFORE the rewriting. Which is what I wanted to hear. However... I don't think that others think about that. For me this is a potential source for trouble.

> Also the Authentication-Results header
> field is being added at that point, and will properly reflect the
> validity of a signature. A MUA (if it wants to bother with DKIM)
> should only be checking the Authentication-Results from its MUA.
If a MUA is going to check DKIM then the MUA must do the whole check. I mean everything that amavisd-new would do as well. I mean: The authentification-result header is fine and dandy but it can not be really trusted. To be honest: I don't know any MUA that is doing DKIM checks. But this still does not mean that one day it might exist one. So modifying signed fields can be a bad idea.

>   Mark
Pozdrav iz Ciriha

Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
belohnen Sie mit bis zu 50,- Euro!

More information about the amavis-users mailing list