On Fri 11/Apr/2014 01:40:13 +0200 Scott Kitterman wrote:
> On April 10, 2014 7:24:54 PM EDT, LuKreme <krem...@kreme.com> wrote:
>> On 10 Apr 2014, at 17:01 , Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>>> On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:
>>>
>>>> Which, IM(ns)HO is what every list should not do. I actually
>>>> have procmail recipes to untag subject lines and remove
>>>> footers on some lists.

For a realistic workaround, see John Levine's post: list mail with a
From: address @yahoo.com is rewritten to @yahoo.com.INVALID.
http://www.ietf.org/mail-archive/web/ietf/current/msg87176.html

>>>> That said, I thought DKIM ignored everything after the signature
>>>> delimiter, so if the lists attach the footer *properly* it shouldn't
>>>> be an issue
>>>
>>> No, the DKIM spec makes no allowance for signature delimiters. If
>>> the body is modified beyond adding/removing whitespace (with relaxed
>>> canonicalization) the DKIM check fails.
>>
>> That seems like a bug in the implementation of DKIM.
>
> It was a deliberate design choice. The signature wouldn't mean much
> if adding arbitrary text to the message didn't invalidate the
> signature. It would open the protocol up to replay attacks.
>
> There is a virtually unused L tag to embed the length of signed
> content into the signature, but its use is strongly
> disrecommended.

In fact, HTML allows appending changes which will show up at the
beginning of a message.

>>>> the subject also doesn't matter in case of signed messages
>>>> it is a HEADER and headers are added at every hop
>>>
>>> DKIM also signs message headers.
>>
>> Certain headers, not all of them.
>
> Yes, but subject is generally signed (I don't recall seeing a case
> where it wasn't).

Here is an example using both disrecommended options. That way, my DKIM
signatures survive through most mailing lists. I don't recommend doing
so; it is safer if a mailing list invalidates DKIM signatures, otherwise
any recipient could replay those messages, as Scott pointed out.

However, the only malfunction I experienced with my unusual setup is
that Netease discards my signatures saying "DKIM-Signature could not
parse or has bad tags/values". (The DKIM spec allows such verifier
policies.)

Ale
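Added example (not from the thread or any of its participants): a minimal Python implementation of RFC 6376 "relaxed" body canonicalization and the bh= body hash, with and without an l= length tag. It shows the three behaviours discussed above: whitespace-only changes survive relaxed canonicalization, a mailing-list footer breaks the body hash when no l= is present, and with l= set the footer, or anything else any third party appends, still verifies, which is the replay problem Scott describes. The message bodies, footer and appended text are constructed for the example; header signing and the RSA signature itself are deliberately left out, only the body-hash comparison is modelled.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed sample data (not taken from the thread).
ORIGINAL_BODY = (
    b"Hi list,\r\n"
    b"\r\n"
    b"Please review the attached patch.\r\n"
    b"\r\n"
    b"-- \r\n"
    b"Ale\r\n"
)
# Same text with extra and trailing whitespace, as an MTA or MUA might rewrite it.
WHITESPACE_VARIANT = (
    b"Hi  list,   \r\n"
    b"\r\n"
    b"Please review the\tattached patch.  \r\n"
    b"\r\n"
    b"--\r\n"
    b"Ale\r\n"
    b"\r\n"
    b"\r\n"
)
LIST_FOOTER = (
    b"_______________________________________________\r\n"
    b"Postfix-users mailing list (constructed footer)\r\n"
)
# Anything a third party chooses to append. With l= in force it is outside the
# signed region, yet the signature still validates (the replay problem).
ATTACKER_APPENDIX = b"<p>Click <a href=\"http://example.invalid/\">here</a></p>\r\n"


def relaxed_body_canon(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: runs of WSP
    become one SP, trailing WSP is dropped, trailing empty lines are dropped,
    every line ends in CRLF, and an empty body canonicalizes to b""."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    canon = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while canon and canon[-1] == b"":
        canon.pop()
    return b"\r\n".join(canon) + b"\r\n" if canon else b""


def body_hash(canon: bytes, length: Optional[int]) -> str:
    """bh= value: base64(SHA-256) over the canonicalized body, or over only
    its first `length` octets when the signature carries an l= tag."""
    data = canon if length is None else canon[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def sign_body(body: bytes, use_length_tag: bool) -> dict:
    """Body-related part of a DKIM-Signature: bh= and, optionally, l=."""
    canon = relaxed_body_canon(body)
    length = len(canon) if use_length_tag else None
    return {"bh": body_hash(canon, length), "l": length}


def verify_body(body: bytes, sig: dict) -> bool:
    """Recompute bh= the way a verifier does. An l= larger than the actual
    canonicalized body is treated as a failure, as RFC 6376 requires."""
    canon = relaxed_body_canon(body)
    length = sig["l"]
    if length is not None and length > len(canon):
        return False
    return body_hash(canon, length) == sig["bh"]


def demo() -> dict:
    """Run the scenarios from the thread; True means the body still verifies."""
    no_l = sign_body(ORIGINAL_BODY, use_length_tag=False)
    with_l = sign_body(ORIGINAL_BODY, use_length_tag=True)
    return {
        # relaxed canonicalization tolerates whitespace-only changes
        "whitespace_only_without_l": verify_body(WHITESPACE_VARIANT, no_l),
        # a list footer is a change beyond whitespace: the hash no longer matches
        "list_footer_without_l": verify_body(ORIGINAL_BODY + LIST_FOOTER, no_l),
        # with l= the footer sits past the signed length and is ignored
        "list_footer_with_l": verify_body(ORIGINAL_BODY + LIST_FOOTER, with_l),
        # ... and so is anything else anyone chooses to append
        "attacker_appendix_with_l": verify_body(ORIGINAL_BODY + ATTACKER_APPENDIX, with_l),
        # an l= that claims more octets than the body has must fail
        "truncated_body_with_l": verify_body(ORIGINAL_BODY[:20], with_l),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'verifies' if ok else 'FAILS'}")
```

Running it prints one line per scenario. The two "with_l" cases that verify are the point: the l= tag is what lets a footer survive, and the same mechanism lets anyone append arbitrary content (on an HTML body, content that can be styled to render above the original text) without disturbing the signature.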