Hi Todd,
At 13:25 14-06-2007, Todd Lyons wrote:
>A couple of us were discussing dkim in irc today and we kind of came to
>the uneducated conclusion that dkim might best be served in a split
>process setup, where the verifying process should run early on in the
>milter list and the signing process should run last in the milter list.
>This is based upon the (maybe) faulty logic that dkim-milter can see
>some headers that get added/munged and cannot see others depending upon
>its place in line.

The split process setup would be best practice if you are running 
other milters as well.

>1) Is the split process logic sound?  I saw one post in the archive
>reference a verify process, but that's all.

Yes.  It does mean running two processes though.

>2) Is the milter "order of operations" logic accurate?  If no, then #1
>is probably moot as well.

The first dkim process verifies (bv) and the last dkim process signs 
(bs) the message.

>I know that the milter library has various stages of email processing
>where communication and message passing occurs to/from the milters.  My
>logic is based upon the thought that if dkim-milter signing is before
>spam assassin in the milter list, then spam assassin could munge X-Spam-*
>headers after dkim has already inserted a signature header, thus
>invalidating the signature.  Now I've not seen this occur yet, and my
>dkim-milter is in fact before clamav and spam assassin.

If the milter calling spamassassin adds headers or content, then the 
headers could be munged or the message body modified.  ClamAV milter 
generally only inserts a header.  That should not affect the DKIM signature.

>Note: if this is part of the purpose of the milter macro
>_FFR_ANTICIPATE_SENDMAIL_MUNGE, then it makes a lot of sense.  But I've
>not seen anything that says it's more than a workaround for sendmail
>8.13.x header management.

It's a workaround for sendmail 8.13.x as some spaces in the 
headers may be trimmed by sendmail.  That would invalidate the DKIM 
signature unless dkim-milter takes this behavior into account when it 
generates the DKIM signature.

Regards,
-sm 
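
[Added example, not part of the original message or of dkim-milter's code.] The two cases discussed above, headers added after signing and spaces trimmed inside signed headers, checked against the "simple" and "relaxed" header canonicalizations of RFC 6376, which goes slightly beyond the thread. Function names and sample headers are constructed for illustration; the DKIM-Signature field itself and the RSA step are left out.

```python
import hashlib
import re

# Hypothetical helper names; sample headers below are constructed.
def canon_header(name, value, mode):
    """Canonicalize one header field per RFC 6376 sections 3.4.1 / 3.4.2."""
    if mode == "simple":
        return f"{name}:{value}\r\n"                  # must match byte for byte
    value = re.sub(r"\r\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse WSP runs, trim ends
    return f"{name.lower().strip()}:{value}\r\n"

def header_digest(headers, signed, mode):
    """SHA-256 over the canonicalized fields listed in h= (signed).
    Simplification: omits the DKIM-Signature field and the signature step."""
    remaining = list(headers)
    h = hashlib.sha256()
    for wanted in signed:
        # RFC 6376 5.4.2: take the last not-yet-used instance of each name
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                name, value = remaining.pop(i)
                h.update(canon_header(name, value, mode).encode())
                break
    return h.hexdigest()

SIGNED = ["From", "To", "Subject"]          # the h= list chosen by the signer
at_signing = [                              # (name, raw value after the colon)
    ("From", " Alice  <alice@example.org>"),
    ("To", " bob@example.net"),
    ("Subject", " Quarterly   report "),
]
# A later milter adds headers that are not listed in h=
after_spam_milter = [("X-Spam-Status", " No, score=-1.2")] + at_signing
# The MTA trims or collapses spaces inside headers that were signed
after_mta_munge = [
    ("From", " Alice <alice@example.org>"),
    ("To", " bob@example.net"),
    ("Subject", " Quarterly report"),
]

def survives(modified, mode):
    """True if the signed-header hash input is unchanged by the modification."""
    return header_digest(at_signing, SIGNED, mode) == header_digest(modified, SIGNED, mode)

if __name__ == "__main__":
    cases = [("added X-Spam header", after_spam_milter), ("trimmed spaces", after_mta_munge)]
    for label, msg in cases:
        for mode in ("simple", "relaxed"):
            print(f"{label:20} {mode:8} unchanged: {survives(msg, mode)}")
```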


_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
