On 13 Oct 2011, at 16:30, Barry Warsaw wrote:

> 
> For Mailman, I think we'd like to, and would generally be able to be more
> DKIM-friendly, if we actually knew what to do.  Short of not modifying the
> incoming message at all, and absent clear guidelines in this or any other RFC,
> we're just flailing in the dark.  I think the RFC makes it clear though that
> there really are no good answers.  It's a minor point that has no practical
> effect, but I think it states our project's general policy of wanting to be as
> RFC-compliant as possible.

Not modifying the message would work just fine. 

Other than that:

Don't modify the body, unless the DKIM signature specifies that it's signed 
only part of the body. In this case, it's OK to append to the body.

Don't modify any headers that are signed. Adding headers is usually OK, but one 
should be careful not to add headers that already exist. For example, don't add 
a second "Subject" line. 

Generally, there are three things that a list might do to break a signature:

a. Append text to the message. In the UK, though, this is essential for most 
mailing lists, since they're usually promoting something (e.g., this list is 
promoting Mailman), and therefore required to include an easy to use opt-out 
address. If only more mail clients would present List-Unsubscribe headers 
usefully, this might be avoided.

b. Prepend text to the subject line. This isn't really necessary at all, but 
would be easier to avoid if mail filtering systems offered better access to the 
List-ID headers. 

c. Alter the "From:" header. Again, lists don't have to do this. However, this 
can get tricky with ADSP. If a domain publishes ADSP "discardable", then the 
list should probably reject messages with From: header addresses in that 
domain, if it's about to break the DKIM signature. Of course, if there's no 
good DKIM signature on the message, then the list should discard the message.

-- 
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9
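
The checks described in the message above, as an added example (not part of the original post and not Mailman code): it parses a DKIM-Signature value, reports which of the three list modifications would invalidate it, and applies the handling the message suggests for ADSP "discardable" domains. The sample signatures, the function names and the `adsp`/`sig_valid` arguments are assumptions made for illustration; `sig_valid` is expected to come from a real DKIM verifier, and header addition is treated conservatively (any name in `h=` is off limits).

```python
import re

def parse_dkim_tags(value):
    """Parse a DKIM-Signature header value (tag=value; ...) into a dict."""
    tags = {}
    for part in re.sub(r"\s+", " ", value).split(";"):  # unfold whitespace
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags

def signed_headers(tags):
    """Lower-cased header names listed in the h= tag."""
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]

def breaking_actions(sig_value):
    """Map each list modification from the message to True if it breaks the signature."""
    tags = parse_dkim_tags(sig_value)
    signed = signed_headers(tags)
    return {
        # Appending is tolerated only when l= limits the signed body length.
        "append_footer": "l" not in tags,
        "prefix_subject": "subject" in signed,
        "rewrite_from": "from" in signed,
    }

def safe_to_add_header(sig_value, name):
    """Conservative rule (assumption): never add a header whose name is in h=."""
    return name.lower() not in signed_headers(parse_dkim_tags(sig_value))

def list_decision(sig_value, sig_valid, adsp, planned):
    """Handling suggested in the message for ADSP 'discardable' domains."""
    if adsp != "discardable":
        return "accept"
    if not sig_valid:
        return "discard"
    breaks = breaking_actions(sig_value)
    return "reject" if any(breaks[a] for a in planned) else "accept"

# Constructed sample signatures (bh=/b= values are placeholders, not real hashes).
SIG_FULL = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel1;\r\n"
            " h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER")
SIG_PARTIAL = ("v=1; a=rsa-sha256; d=example.org; s=sel1; l=120;\r\n"
               " h=from : to : date; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    for label, sig in (("full body", SIG_FULL), ("l=120", SIG_PARTIAL)):
        print(label, breaking_actions(sig))
    print(list_decision(SIG_PARTIAL, True, "discardable", ["append_footer"]))
```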
