amavisd-new 2.7.1 , dkim-adsp=pass

Mark Martinec Mark.Martinec+amavis at
Fri May 25 18:27:25 CEST 2012


> > > Result is that DKIM is broken after the subject has been tagged. Right?
> > 
> > Yes, but nobody should be re-checking the signature once the message
> > is in the mailbox (there are other manglings done by MUA, for example
> > kmail is notorious for such). The amavisd, and SpamAssassin, and some
> > potential pre-queue milter like OpenDKIM will see the original message
> > *before* it is being re-written.
> Aha. This is the real point. The check must be done BEFORE the rewriting.
> Which is what I wanted to hear. However... I don't think that others think
> about that. For me this is a potential source for trouble.

A potential source of trouble only for setups which chain spam
filters in unusual ways. Such setups must take care to verify DKIM
signatures as early as possible in the chain, then do any mangling
and modifications to mail they see necessary, and sign as late
as possible in the chain. For a common installation setup, what
comes out of the box is fine.

Btw, tagging of Subject in amavisd is configurable, even on a
per-recipient or per-recipient-domain basis, so it can be disabled
when it is known that some recipients or some further processing
will be re-checking signatures.

> If a MUA is going to check DKIM then the MUA must do the whole check.
> I mean everything that amavisd-new would do as well. I mean: The
> authentification-result header is fine and dandy but it can not be
> really trusted.

Checking of the Authentification-Results header field by a MUA *can*
be reliable if the whole setup is done properly. Either a MUA needs
to know the trust span of its site and ignore any Authentification-Results
beyond the range of 'home' Received header fields, or the filtering
mailer must ensure to be removing any foreign Authentification-Results
header fields and there would be no other path for a MUA to fetch
its mail from third parties. Tricky, I agree, but doable.

> To be honest: I don't know any MUA that is doing DKIM checks.
> But this still does not mean that one day it might exist one.
> So modifying signed fields can be a bad idea.

It is configurable, along with some other settings which might
affect a signature (like defanging, $allow_fixing_improper_header).


More information about the amavis-users mailing list