On Fri 11/Apr/2014 01:40:13 +0200 Scott Kitterman wrote:
> On April 10, 2014 7:24:54 PM EDT, LuKreme <krem...@kreme.com> wrote:
>>On 10 Apr 2014, at 17:01 , Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

>>> On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:
>>>
>>>> Which, IM(ns)HO is what every list should not do. I actually
>>>> have procmail recipes to untag subject lines and remove
>>>> footers on some lists.

For a realistic workaround, see John Levine's post

   list mail with a From: address @yahoo.com is rewritten to
   @yahoo.com.INVALID.
      http://www.ietf.org/mail-archive/web/ietf/current/msg87176.html

>>>> That said, I thought DKIM ignored everything after the signature
>>>> delimiter, so if the lists attach the footer *properly* it shouldn't
>>>> be an issue
>>> 
>>> No, the DKIM spec makes no allowance for signature delimiters.  If
>>> the body is modified beyond adding removing whitespace (with relaxed
>>> canonicalization) the DKIM check fails.
>>
>> That seems like a bug in the implementation of DKIM.
>
> It was a deliberate design choice. The signature wouldn't mean much
> if adding arbitrary text to the message didn't invalidate the
> signature. It would open the protocol up to replay attacks.
> 
> There is a virtually unused L tag to embed the length of signed
> content into the signature, but its use is strongly
> disrecommended.

In fact, HTML allows appending changes which will show up at the
beginning of a message.

>>>> the subject also doesn't matter in case of signed messages
>>>> it is a HEADER and headers are added at every hop
>>> 
>>> DKIM also signs message headers.
>>
>> Certain headers, not all of them.
> 
> Yes, but subject is generally signed (I don't recall seeing a case
> where it wasn't).

Here is an example using both disrecommended options.  That way, my
DKIM signatures survive through most mailing lists.  I don't recommend
doing so; it is safer if a mailing list invalidates DKIM signatures,
otherwise any recipient could replay those messages, as Scott pointed out.

However, the only malfunction I experienced with my unusual setup is
that Netease discards my signatures saying "DKIM-Signature could not
parse or has bad tags/values".  (The DKIM spec allows this kind of
verifier policy.)

Ale
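
The body-hash behaviour discussed in this thread (relaxed canonicalization tolerating whitespace changes but not an appended footer, and the l= tag letting a signature survive the footer at the price of letting anyone append text), shown as an added example that is not code from the thread or from any of the participants. It implements only the "relaxed" body canonicalization and the bh= computation of RFC 6376; the message body, the list footer and the appended text are constructed here for illustration and are not taken from the thread.

```python
import base64
import hashlib
import re
from typing import Optional

CRLF = b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    - collapse runs of SP/HTAB inside a line to a single SP
    - ignore whitespace at the end of each line
    - ignore empty lines at the end of the body
    - a non-empty body always ends with CRLF; an empty body stays empty
    """
    out = []
    for line in body.split(CRLF):
        line = re.sub(rb"[ \t]+", b" ", line)
        out.append(line.rstrip(b" \t"))
    while out and out[-1] == b"":
        out.pop()
    if not out:
        return b""
    return CRLF.join(out) + CRLF


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """Compute the bh= value (base64 SHA-256) over the canonicalized body.

    When `length` (the l= tag) is given, only that many octets of the
    canonicalized body are hashed.  RFC 6376 requires a verifier to fail
    if l= exceeds the canonicalized body length.
    """
    canon = relaxed_body(body)
    if length is not None:
        if length > len(canon):
            raise ValueError("l= tag larger than canonicalized body (PERMFAIL)")
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def verify_bh(signed_bh: str, body: bytes, length: Optional[int] = None) -> bool:
    """Verifier side: does the received body still match the signed bh=?"""
    try:
        return body_hash(body, length) == signed_bh
    except ValueError:
        return False


# Constructed sample message as sent by the author (not from the thread).
ORIGINAL = (
    b"Hi all,\r\n"
    b"\r\n"
    b"The DKIM spec makes no allowance for signature delimiters.\r\n"
    b"-- \r\n"
    b"Viktor\r\n"
)
# Constructed footer of the kind a mailing list appends after the signature.
FOOTER = (
    b"_______________________________________________\r\n"
    b"example-users mailing list\r\n"
)
# Constructed text an attacker could append when l= is in use.
ATTACKER_TEXT = b"\r\nPS: please send the credentials to the new address.\r\n"

# What the signer computes: bh= without l=, and the l= value a signer
# using that tag would put in the signature.
SIGNED_BH = body_hash(ORIGINAL)
SIGNED_LENGTH = len(relaxed_body(ORIGINAL))


def demo() -> dict:
    """Return the verification outcomes for each scenario."""
    return {
        # relaxed canonicalization: trailing blank lines and whitespace
        # changes inside lines do not break the body hash
        "whitespace_only": verify_bh(SIGNED_BH, ORIGINAL.replace(b"Hi all,", b"Hi  all,\t") + CRLF * 2),
        # a list footer changes the body, so the hash no longer matches
        "footer_without_l": verify_bh(SIGNED_BH, ORIGINAL + FOOTER),
        # with l= the footer is outside the signed prefix and the hash matches
        "footer_with_l": verify_bh(SIGNED_BH, ORIGINAL + FOOTER, SIGNED_LENGTH),
        # ...but so is anything else appended: this is why l= is disrecommended
        "attacker_with_l": verify_bh(SIGNED_BH, ORIGINAL + FOOTER + ATTACKER_TEXT, SIGNED_LENGTH),
        # an l= larger than the canonicalized body is a verification failure
        "oversized_l": verify_bh(SIGNED_BH, ORIGINAL, SIGNED_LENGTH + 1),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:18s} bh matches: {ok}")
```

The canonicalization is the body part only; a real verifier also canonicalizes and signs the headers listed in h= (Subject among them), so the same example does not say anything about subject tagging. Note that with l= the attacker's text is verified as part of a message carrying a valid signature, which is exactly the replay concern raised above.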
