Steve,

> > > Result is that DKIM is broken after the subject has been tagged. Right?
> >
> > Yes, but nobody should be re-checking the signature once the message
> > is in the mailbox (there are other manglings done by MUA, for example
> > kmail is notorious for such). The amavisd, and SpamAssassin, and some
> > potential pre-queue milter like OpenDKIM will see the original message
> > *before* it is being re-written.
>
> Aha. This is the real point. The check must be done BEFORE the rewriting.
> Which is what I wanted to hear. However... I don't think that others think
> about that. For me this is a potential source for trouble.

A potential source of trouble only for setups which chain spam filters
in unusual ways. Such setups must take care to verify DKIM signatures
as early as possible in the chain, then do any mangling and modifications
to mail they see necessary, and sign as late as possible in the chain.
For a common installation setup, what comes out of the box is fine.

Btw, tagging of Subject in amavisd is configurable, even on a
per-recipient or per-recipient-domain basis, so it can be disabled
when it is known that some recipients or some further processing
will be re-checking signatures.

> If a MUA is going to check DKIM then the MUA must do the whole check.
> I mean everything that amavisd-new would do as well. I mean: The
> authentication-result header is fine and dandy but it can not be
> really trusted.

Checking of the Authentication-Results header field by a MUA *can* be
reliable if the whole setup is done properly. Either a MUA needs to
know the trust span of its site and ignore any Authentication-Results
beyond the range of 'home' Received header fields, or the filtering
mailer must make sure to remove any foreign Authentication-Results
header fields and there would be no other path for a MUA to fetch
its mail from third parties. Tricky, I agree, but doable.

> To be honest: I don't know any MUA that is doing DKIM checks.
> But this still does not mean that one day it might exist one.
> So modifying signed fields can be a bad idea.

It is configurable, along with some other settings which might affect
a signature (like defanging, $allow_fixing_improper_header).

Mark
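
Added example, not part of Mark's message and not amavisd code: a Python sketch of the two options described above, a reader that only honours Authentication-Results fields inside the span of 'home' Received fields, and a border filter that drops all inbound Authentication-Results fields. The host names in HOME_HOSTS and the sample message are constructed assumptions.

```python
import re
from email import message_from_string

HOME_HOSTS = {"mx.example.org", "filter.example.org"}  # assumed site relays
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)

# Constructed sample: the lower Authentication-Results field arrived with the
# message from outside and claims the home authserv-id.
SAMPLE = """\
Received: from filter.example.org by mx.example.org; Mon, 1 Jan 2024 10:00:02 +0000
Authentication-Results: mx.example.org; dkim=fail header.d=bank.example
Received: from mail.outside.example by filter.example.org; Mon, 1 Jan 2024 10:00:01 +0000
Received: from localhost by mail.outside.example; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org; dkim=pass header.d=bank.example
Subject: ***SPAM*** invoice
From: billing@bank.example

body
"""

def trusted_auth_results(raw, home_hosts=HOME_HOSTS):
    """MUA side: keep only results added inside the home trust span."""
    trusted = []
    for name, value in message_from_string(raw).items():  # top-down order
        lname = name.lower()
        if lname == "received":
            m = BY_RE.search(value)
            if not m or m.group(1).lower() not in home_hosts:
                break  # first non-home hop: nothing below it is trusted
        elif lname == "authentication-results":
            tokens = value.split(";", 1)[0].split()
            if tokens and tokens[0].lower() in home_hosts:
                trusted.append(" ".join(value.split()))
    return trusted

def strip_foreign_auth_results(raw):
    """Filter side: run on inbound mail before the site adds its own result."""
    msg = message_from_string(raw)
    del msg["Authentication-Results"]  # removes every occurrence
    return msg.as_string()

if __name__ == "__main__":
    print(trusted_auth_results(SAMPLE))
```
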
