-------- Original Message --------
> Date: Wed, 23 May 2012 20:44:20 +0200
> From: Mark Martinec <[email protected]>
> To: [email protected]
> Subject: Re: amavisd-new 2.7.1 , dkim-adsp=pass

> Steve,
>
Hello Mark,

> > > If you have it configured to modify a Subject, it will do so regardless
> > > of whether this header field was signed or not. And yes, this will break
> > > subsequent DKIM tests, so it is prudent to tag a subject close to a final
> > > delivery, where no further sw components will be re-examining the
> > > signature.
> >
> > this was not exactly my question.
>
> I think it was.
>
okay. I still am not thinking that I got what I was looking for. Anyway...

> > My question is more going in this direction:
> >
> > * Domain A signs all their outbound mail with DKIM.
> > * User from domain A sends mail to Domain B.
> > * Mail server running at domain B uses amavisd-new to verify signatures and
> >   uses SA within amavisd-new.
> > * The SA code thinks that the message from domain A is spam and the subject
> >   gets rewritten.
> > * Domain A however signs their subject.
> >
> > Result is that DKIM is broken after the subject has been tagged. Right?
>
> Yes, but nobody should be re-checking the signature once the message
> is in the mailbox (there are other manglings done by MUA, for example
> kmail is notorious for such). The amavisd, and SpamAssassin, and some
> potential pre-queue milter like OpenDKIM will see the original message
> *before* it is being re-written.
>
Aha. This is the real point. The check must be done BEFORE the rewriting. Which is what I wanted to hear. However... I don't think that others think about that. For me this is a potential source for trouble.

> Also the Authentication-Results header
> field is being added at that point, and will properly reflect the
> validity of a signature. A MUA (if it wants to bother with DKIM)
> should only be checking the Authentication-Results from its MUA.
>
If a MUA is going to check DKIM then the MUA must do the whole check. I mean everything that amavisd-new would do as well. I mean: The Authentication-Results header is fine and dandy but it can not be really trusted.

To be honest: I don't know any MUA that is doing DKIM checks. But this still does not mean that one day it might exist one. So modifying signed fields can be a bad idea.

> Mark
>
Greetings from Zurich
Steve
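
The effect discussed in this message, as an added example that is not part of the original thread and is not amavisd-new code: it applies RFC 6376 "relaxed" header canonicalization to the fields listed in a signature's h= tag and compares the SHA-256 of that data before and after a subject tag is prepended. Assumptions: the message, the h= lists and the tag string are constructed, and the sketch covers only the h= fields (a real verifier also hashes the DKIM-Signature field with b= emptied and then checks the public-key signature).

```python
import hashlib
import re


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"


def signed_header_digest(headers, h_tag):
    """SHA-256 over the canonicalized fields named in h= (simplified: the
    DKIM-Signature field itself is left out, it is not altered by tagging)."""
    remaining = list(headers)
    data = ""
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        # Fields are selected bottom-up, as RFC 6376 section 5.4.2 requires.
        for i in range(len(remaining) - 1, -1, -1):
            name, value = remaining[i]
            if name.lower() == wanted:
                data += relaxed_header(name, value)
                del remaining[i]
                break
    return hashlib.sha256(data.encode()).hexdigest()


def tag_subject(headers, tag="***SPAM*** "):
    """Prepend a tag to Subject, as a content filter does (tag is constructed)."""
    return [(n, tag + v if n.lower() == "subject" else v) for n, v in headers]


def survives_tagging(headers, h_tag):
    """True if the signed header data is identical after the subject rewrite."""
    return signed_header_digest(headers, h_tag) == \
        signed_header_digest(tag_subject(headers), h_tag)


# Constructed sample message from "domain A".
MSG = [
    ("From", "alice@a.example"),
    ("To", "bob@b.example"),
    ("Subject", "Quarterly  report"),
    ("Date", "Wed, 23 May 2012 20:44:20 +0200"),
]

if __name__ == "__main__":
    print("Subject signed:  ", survives_tagging(MSG, "from:to:subject:date"))
    print("Subject unsigned:", survives_tagging(MSG, "from:to:date"))
```

A verifier that runs before the rewrite sees the first digest and can record its verdict in Authentication-Results; anything that re-verifies the tagged copy computes the second one and fails whenever Subject is listed in h=.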
