Incoming mail with faked sender domain is being DKIM signed

Robert Schetterer rs at
Fri Nov 24 19:11:14 CET 2017

On 24.11.2017 at 17:16, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt <Ralf.Hildebrandt at>:
>> Incoming mail with faked sender domain is being DKIM signed
>> (config attached)
> I was testing this with 2.11.0 - went back to 2.10.1 and the expected
> behaviour was restored ( mail from !MYNETS is not being DKIM signed).
> So what has changed?

just a for dkim

- Policy bank names in a @client_ipaddr_policy setting can now accept
  a comma-separated list of policy names to be loaded on a match
  (for loading of policy banks based on an IP address of a SMTP client).
  Whitespace around each policy name is allowed and is stripped.
  Previously only a single policy bank name was allowed in each entry
  of @client_ipaddr_policy.

  This makes it consistent with loading of policy banks based on a
  DKIM-based setting @author_to_policy_bank_maps, and on virus checker
  results via the @virus_name_to_policy_bank_maps setting.

- 'sanitize_nul' function is now enabled by default (this is currently
  not configurable). Null octets found in a message are replaced by a
  pair of octets \xC0 \x80, which is a "Modified UTF-8" encoding of a
  NUL. This is done to avoid a mailbox server (like Cyrus) or a mail
  client choking on such mail. The downside is that such sanitation
  can invalidate a DKIM signature - but non-encoded NUL octets are not
  allowed in mail anyway, so not much harm is done;

Best Regards
MfG Robert Schetterer

[*] sys4 AG, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
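
The DKIM downside mentioned in the quoted release notes, as an added example that is not part of the original post and is not amavis code: it computes the RFC 6376 body hash (`bh=`) of a message body before and after NUL octets are replaced by `\xC0\x80`. The `sanitize_nul` function here is a stand-in written from the release note's description, and the sample bodies are constructed.

```python
import base64
import hashlib
import re


def sanitize_nul(data: bytes) -> bytes:
    """Stand-in for the described behaviour: NUL -> Modified UTF-8 pair C0 80."""
    return data.replace(b"\x00", b"\xc0\x80")


def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of SP/TAB to one SP, then drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body is a single CRLF in simple mode, nothing in relaxed mode.
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the value carried in bh=."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def nul_breaks_dkim(body: bytes, mode: str = "relaxed") -> bool:
    """True if sanitizing NULs changes the bh= value a verifier would compute."""
    return body_hash(body, mode) != body_hash(sanitize_nul(body), mode)


# Constructed sample bodies (not taken from the thread).
CLEAN = b"Hello,\r\nthis is a test.\r\n"
WITH_NUL = b"Hello,\r\nthis is a\x00 test.\r\n"

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("with NUL", WITH_NUL)):
        for mode in ("simple", "relaxed"):
            print(f"{name:9} {mode:8} signed bh={body_hash(body, mode)}")
            print(f"{'':18} after sanitize bh={body_hash(sanitize_nul(body), mode)}")
```

Neither canonicalization mode touches NUL octets, so a signature made over a body containing one fails verification downstream of the sanitizing hop, while bodies without NULs are unaffected.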
