The misconfiguration is changing it after the message was signed. Once the message is signed and in the MTA-to-MTA relay system, no one should be altering the message body any more until final delivery.
Barry

On Mon, Jun 12, 2023 at 6:02 PM Jim Fenton <fen...@bluepopcorn.net> wrote:
>
> On 9 Jun 2023, at 22:35, Murray S. Kucherawy wrote:
>
> > You were previously talking about inserting ">" before a line starting
> > "From ", which is typically done on delivery when writing to an
> > mbox-formatted mailbox file, because in that format, "From " at the front
> > of a line has a specific meaning (i.e., "this is a new message"). If that
> > insertion is happening in transport, then a local mailbox convention is
> > leaking out into the transport environment, which means something is
> > misconfigured, and all bets are off.
> >
> > In any case, it is not a transport conversion anticipated by the section
> > you're quoting, so I've no idea why a DKIM signer might opt to handle it
> > specially.
>
> I’m not as definite that this is a misconfiguration, but might be a
> historical artifact. When we were editing RFC 4871, I remember discussing
> with Eric Allman the problem with “from” at the beginning of a line. At the
> time, we recognized that some messages would fail to verify because the
> message would be modified in transit to add the >. IIRC this was particularly
> a problem because message signing was done in a milter that operated on the
> incoming leg of the message path (through sendmail, for example), when
> ideally you would want signing to be done on the way out of the MTA.
>
> Your description of why the > was added is probably correct, but I think
> there are circumstances where the > leaks out that aren’t just due to
> misconfiguration. I have two messages in my bloated inbox that apparently
> have had > added (many of you may have the “Communications of the ACM, May
> 2023” message from April 24). They pass dkim verification, probably because
> they were signed after modification.
>
> -Jim
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
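
The body-hash effect discussed in this thread, shown as an added example that is not part of the original messages: it canonicalizes a body per RFC 6376 (simple and relaxed), applies mbox-style "From " quoting, and compares the resulting `bh=` values. The sample body and the names `canon_body`, `body_hash`, `mbox_escape` and `bh_survives` are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample body (CRLF line endings, as on the wire); not from the thread.
SAMPLE_BODY = (
    b"Hello,\r\n"
    b"\r\n"
    b"From what I can tell the fix works.\r\n"
    b"From  here on the text is unchanged.   \r\n"
    b"\r\n"
)

def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376, sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of WSP to one SP and drop WSP at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a signer would place in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def mbox_escape(body: bytes) -> bytes:
    """mbox 'From ' quoting: prefix '>' to every body line starting with 'From '."""
    return re.sub(rb"(?m)^From ", b">From ", body)

def bh_survives(signed: bytes, received: bytes, mode: str) -> bool:
    """True if the received body still matches the bh= computed at signing time."""
    return body_hash(signed, mode) == body_hash(received, mode)

if __name__ == "__main__":
    escaped = mbox_escape(SAMPLE_BODY)
    for mode in ("simple", "relaxed"):
        print(mode, "signed before escaping:", bh_survives(SAMPLE_BODY, escaped, mode))
        print(mode, "signed after escaping: ", bh_survives(escaped, escaped, mode))
```

Relaxed canonicalization absorbs whitespace changes only, so the inserted ">" changes the hash in both modes; a body signed after the quoting was applied hashes consistently.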