Michael,

> I saw my email coming back from a listserver scored as dkim failed.
>
> (I tested my dkim signatures with sendmail and dkim.org, showed no
> problems)
>
> the suggestions on the list seem to indicate a different set of default
> headers be used during signing.
> (I noticed, at least, that the listserver stripped off x-virus-scanned
> header, but that seems to be included in the default set for 2.6.2)

> other suggestions include NOT signing the received headers

I have seen and analyzed lots of cases of DKIM signature breakage,
but I have yet to see a case where a change in a signed section of
a Received trace was a cause of a breakage. This is why I decided
it is usually alright to sign Received, despite the SHOULD NOT
suggestion in RFC. Paradoxically, the RFC suggests the 'To'
should be signed, but mangling of a (longish) To header field
by some MTAs is one of the more common cases of signature failure.

It is easy to turn off signing of these header fields:

$signed_header_fields{'x-virus-scanned'} = 0;
$signed_header_fields{'received'} = 0;


> and using relaxed/relaxed instead of relaxed/simple.

Relaxed canonicalization is useful for a header section,
but hardly ever helps in the body: neither late QP-encoding
nor appended disclaimer or advertising lines at the end
of a body are helped by a relaxed body canonicalization.
It is usually not worth the extra processing needed.

> any comments?  I can see where in compliance issues you would want the
> dkim signature to fail if they 'add to the body'
> (but don't all mailing lists add to the body?

No, not all of them do. Neither the postfix-users nor
spamassassin users mailing lists cause DKIM breakage.
Mailman can be configured to be nice to signatures.

> and if they do 'mung or muck up' your email while passing it through,
> shouldn't they strip the dkim signatures??

No.
A failed signature is no different from no signature at all,
but may help troubleshooting or understanding what mail went through.
There is no point in removing it, except perhaps to save four lines
of a header section.

> (did this email get signed right? still using other defaults, but I am
> not signing x-virus-scanned anymore)

SourceForge mailing lists unfortunately break signatures.
Perhaps it's time to consider moving the mailing list elsewhere.

> You do not specify body length (l= in DKIM header). According to
>   http://tools.ietf.org/html/rfc4871#section-3.4.5
> it could be a good idea to use it, especially when mailing lists are in
> question.

Yes, it is true that specifying an 'l' tag can help with mail
which gets stuff appended to the body. It is also true that it offers
an easy way to turn a short 'l'-limited mail into a spam message
for wide re-distribution, while retaining a valid(!) original
signer's seal. Currently Mail::DKIM (and consequently amavisd)
does not support it. I don't consider it a great loss.

  Mark
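The following Python is an added worked example, not code from the message above nor from amavisd or Mail::DKIM. It reimplements the RFC 4871 section 3.4 canonicalizations (simple and relaxed body, relaxed header) and the bh= computation, and then checks three of the claims in the reply: relaxed header canonicalization absorbs an MTA re-folding a long To: field; neither body canonicalization absorbs a list footer appended to the body; and with an l= tag equal to the signed body length, anything appended after that point, a list footer or a spammer's text alike, leaves bh= unchanged. The header lines, body and footer are constructed for the example.

```python
"""DKIM canonicalization vs. mailing-list mangling, and the l= tag.

Added example (not amavisd / Mail::DKIM code). Implements RFC 4871 3.4
canonicalization and the bh= body hash, on constructed sample data.
"""
import base64
import hashlib
import re
from typing import Optional


# --- RFC 4871 section 3.4 canonicalization ---------------------------------

def simple_body(body: bytes) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end in one CRLF
    (an empty body canonicalizes to a single CRLF)."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization: collapse WSP runs to one SP, strip WSP
    at line ends, drop trailing empty lines; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b""
    return b"\r\n".join(lines) + b"\r\n"


def relaxed_header(field: bytes) -> bytes:
    """'relaxed' header canonicalization of one (possibly folded) header field:
    lowercase name, unfold, collapse WSP, strip WSP around the value and colon."""
    name, _, value = field.partition(b":")
    value = value.replace(b"\r\n", b"")               # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" ")
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"


def body_hash(canon_body: bytes, length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) of the canonicalized body, or of only its
    first `length` bytes when the signature carries an l= tag."""
    data = canon_body if length is None else canon_body[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


# --- Constructed sample data (not taken from any real message) -------------

TO_AS_SIGNED = b"To: Alice Example <alice@example.org>, Bob Example <bob@example.org>"
# the same field after an MTA re-folded the long line onto a continuation line
TO_AS_REFOLDED = (b"To: Alice Example <alice@example.org>,\r\n"
                  b"\tBob Example <bob@example.org>")
BODY = b"Hello,\r\n\r\nPlease  apply the attached patch.\r\n"
LIST_FOOTER = (b"\r\n_______________________________________________\r\n"
               b"AMaViS-user mailing list\r\n")
SPAM_APPEND = b"\r\nBUY NOW: http://spam.example/\r\n"


def header_survives_refolding() -> bool:
    """Relaxed header canonicalization makes the re-folded To: hash identically."""
    return relaxed_header(TO_AS_SIGNED) == relaxed_header(TO_AS_REFOLDED)


def footer_keeps_body_hash() -> dict:
    """Whether bh= survives a footer appended by the list, per canonicalization.
    Both come out False: relaxed only absorbs whitespace changes, not added text."""
    return {
        "simple": body_hash(simple_body(BODY)) == body_hash(simple_body(BODY + LIST_FOOTER)),
        "relaxed": body_hash(relaxed_body(BODY)) == body_hash(relaxed_body(BODY + LIST_FOOTER)),
    }


def l_tag_survives_append(appended: bytes) -> bool:
    """With l= set to the signed body length, anything appended after that point
    (a list footer, or an attacker's text) leaves bh= unchanged."""
    signed = simple_body(BODY)
    l_tag = len(signed)
    return body_hash(signed, l_tag) == body_hash(simple_body(BODY + appended), l_tag)


if __name__ == "__main__":
    print("To: re-folded, relaxed header canon still matches:", header_survives_refolding())
    print("footer appended, bh unchanged?", footer_keeps_body_hash())
    print("l= set, footer appended, bh unchanged?", l_tag_survives_append(LIST_FOOTER))
    print("l= set, spam appended, bh unchanged?", l_tag_survives_append(SPAM_APPEND))
```

The last two checks return the same answer, which is exactly the trade-off the reply describes: l= makes the signature indifferent to what follows the signed prefix, so a verifier cannot tell a list footer from an appended spam payload, and the original signer's seal stays valid over both.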

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 