https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6918
--- Comment #6 from Alessandro Vesely <ves...@tana.it> ---
For DKIM, Mail::DKIM::Verifier looks up keys as soon as it parses a signature,
like so:
my $signature = Mail::DKIM::Signature->parse($line);
$self->add_signature($signature);
$signature->fetch_public_key;
We need a parsed signature in order to understand if it was verified already,
so as to skip its verification. A domain can add multiple signatures which can
have different selectors or at least different hash (header.s is not yet part
of A-R; if header.b is missing, we must assume that this signature was the only
one the verifier saw by the given domain.)
Of course, a domain can add signatures after A-R fields were written. Those
should not be interesting if the A-Rs are trusted. However, A-Rs, albeit by a
trusted agent, might be stale, written before a message was further relayed.
In that case a careful MTA should invalidate them (Courier-MTA, for example,
renames them to Old-Authentication-Results on ingress.)
The quick solution is to have the admin tell if A-Rs are authoritative for
DKIM, which also entails that there is no valid DKIM signature unless we found
the result. Messages arriving from a different path, with no A-R, may still
require to load DKIM::Verifier.
Otherwise, the hard solution requires to learn more Mail::DKIM internals. BTW,
what's that "caller of SpamAssassin already supplied DKIM signature objects"
comment in SpamAssassin::DKIM?
--
You are receiving this mail because:
You are the assignee for the bug.
