amavisd-new 2.7.1 , dkim-adsp=pass

Steve steeeeeveee at gmx.net
Fri May 25 22:05:12 CEST 2012


-------- Original Message --------
> Date: Fri, 25 May 2012 18:27:25 +0200
> From: Mark Martinec <Mark.Martinec+amavis at ijs.si>
> To: amavis-users at amavis.org
> Subject: Re: amavisd-new 2.7.1 , dkim-adsp=pass

> Steve,
> 
Hello Mark,


> > > > Result is that DKIM is broken after the subject has been tagged.
> > > > Right?
> > > 
> > > Yes, but nobody should be re-checking the signature once the message
> > > is in the mailbox (there are other manglings done by MUA, for example
> > > kmail is notorious for such). The amavisd, and SpamAssassin, and some
> > > potential pre-queue milter like OpenDKIM will see the original message
> > > *before* it is being re-written.
> > 
> > Aha. This is the real point. The check must be done BEFORE the
> > rewriting. Which is what I wanted to hear. However... I don't think
> > that others think about that. For me this is a potential source for
> > trouble.
> 
> A potential source of trouble only for setups which chain spam
> filters in unusual ways. Such setups must take care to verify DKIM
> signatures as early as possible in the chain, then do any mangling
> and modifications to mail they see necessary, and sign as late
> as possible in the chain. For a common installation setup, what
> comes out of the box is fine.
> 
Agree.


> Btw, tagging of Subject in amavisd is configurable, even on a
> per-recipient or per-recipient-domain basis, so it can be disabled
> when it is known that some recipients or some further processing
> will be re-checking signatures.
> 
This is the tricky part. If you allow end users to change those settings then I am so bold as to claim that most users have no clue what that signing is all about. IMHO this is a potential option that allows end users to shoot themselves in the foot.


> > If a MUA is going to check DKIM then the MUA must do the whole check.
> > I mean everything that amavisd-new would do as well. I mean: The
> > authentication-result header is fine and dandy but it cannot be
> > really trusted.
> 
> Checking of the Authentication-Results header field by a MUA *can*
> be reliable if the whole setup is done properly. Either a MUA needs
> to know the trust span of its site and ignore any Authentication-Results
> beyond the range of 'home' Received header fields, or the filtering
> mailer must ensure to be removing any foreign Authentication-Results
> header fields and there would be no other path for a MUA to fetch
> its mail from third parties. Tricky, I agree, but doable.
> 
Yeah, yeah. Almost everything is doable. It is just a question of resources (money, time, knowledge, manpower, etc.).


> > To be honest: I don't know any MUA that is doing DKIM checks.
> > But this still does not mean that one day it might exist one.
> > So modifying signed fields can be a bad idea.
> 
> It is configurable, along with some other settings which might
> affect a signature (like defanging, $allow_fixing_improper_header).
> 
Yeah. I know. The reason I asked is that I had never really thought about that whole signing stuff in combination with subject tagging. I just applied the technology in the order that I thought was logical. But now I have to take care that I don't destroy the signing chain. This is something that I usually have not thought about when working with postfix, dovecot, amavisd-new, etc... Of course this whole signing/encrypting stuff is nothing new to me. I am specialised (amongst other things) in IBM Lotus Domino / Notes. Their messaging infrastructure has been capable of signing for decades, and there you usually cannot shoot yourself in the foot that easily (you can if you go way down to the API level and ignore warnings and force certain actions).

Anyway... I see how amavisd-new is handling that issue. Or better, I should say that it is not handling it at all. It does not force the breaking of the signature, nor is it especially built to make it hard for you to break the signature. It is just doing what you tell it to do. If you are 'brain dead' while configuring amavisd-new then the result (potentially) will be 'brain dead' too.

At least you can (with some knowledge) work around the issues or configure amavisd-new to do the right things.


>   Mark
> 
// Steve
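
The trust-span rule quoted above for a MUA, as an added example (not part of the original thread and not amavisd-new code). It assumes the MUA fetches mail only from its own server and that home MTAs record the client as a Postfix-style `(name [ip])` comment; `trusted_auth_results`, the host names and the addresses are hypothetical, and the sample message is constructed.

```python
import email
import ipaddress
import re

# Client address as recorded by the receiving MTA inside its "(name [ip])" comment.
CLIENT_IP = re.compile(r"\([^()\[\]]*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")

def trusted_auth_results(raw, home_nets, authserv_id):
    """Return Authentication-Results values added inside the home trust span."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    trusted, pending = [], []
    # Headers are prepended hop by hop, so the top of the message is the newest.
    for name, value in email.message_from_string(raw).items():
        name = name.lower()
        if name == "authentication-results":
            tokens = value.split(";", 1)[0].split()
            if tokens and tokens[0].lower() == authserv_id.lower():
                pending.append(" ".join(value.split()))
        elif name == "received":
            # Candidates collected so far sit above a Received line written at home.
            trusted += pending
            pending = []
            m = CLIENT_IP.search(value)
            try:
                client = ipaddress.ip_address(m.group(1)) if m else None
            except ValueError:
                client = None
            # A client outside the home networks (or none recorded) marks the
            # border hop: everything below it was supplied by the sender.
            if client is None or not any(client in n for n in nets):
                break
    return trusted  # candidates left in 'pending' were below the span: dropped

# Constructed sample: one genuine result, one forged by the sender (with a
# forged "home" Received line under it), both using the home authserv-id.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1]) by mail.home.example; Fri, 25 May 2012 18:00:03 +0200
Authentication-Results: mail.home.example; dkim=pass header.d=sender.example
Received: from out.sender.example (out.sender.example [203.0.113.9]) by mail.home.example; Fri, 25 May 2012 18:00:02 +0200
Authentication-Results: mail.home.example; dkim=pass header.d=bank.example
Received: from localhost (localhost [127.0.0.1]) by mail.home.example; Fri, 25 May 2012 17:59:00 +0200
From: someone@sender.example
Subject: ***SPAM*** hello

body
"""

if __name__ == "__main__":
    print(trusted_auth_results(SAMPLE, ["127.0.0.0/8", "192.0.2.0/24"], "mail.home.example"))
```

Matching on the authserv-id alone would accept both header fields in the sample; the position relative to the border Received line is what separates them.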