Erik Espinoza wrote:
Most (all?) ISPs should be adding Received headers, which should break
the signature. This is because the DK implementation written for Qmail
ignores an optional part of the spec that can be used to sign only
certain headers and the message.
One correction: TTBOMK, even if the "h=" tag wasn't specified in the mail, the
only headers used when checking the signature are the ones located below the
"DomainKey-Signature:" line. Here is a part of DK-draft-02:
h = A colon separated list of header field names that identify the
headers presented to the signing algorithm. If present, the
value MUST contain the complete list of headers in the order
presented to the signing algorithm.

If present, this tag MUST include the header that was used to
identify the sending domain, ie, the "From:" or "Sender:"
header, thus this tag can never contain an empty value.

If this tag is not present, all headers subsequent to the
signature header are included in the order found in the email.

A verifier MUST support this tag. A signer MAY support this
tag. If a signer generates this tag it MUST include all email
headers in the original email as a verifier MAY remove or
render suspicious, lines that are not included in the
signature.

In the presence of duplicate headers, a signer may include
duplicate entries in the list of headers in this tag. If a
header is included in this list, a verifier must include all
occurrences of that header, subsequent to the
"DomainKey-Signature:" header in the verification.

If a header identified in this list is not found after the
"DomainKey-Signature:" header in the verification process, a
verifier may "look" for a matching header prior to the
"DomainKey-Signature:" header, however signers should not
rely on this as early experience suggests that most verifiers
do not try to "look" back before the "DomainKey-Signature:"
header.

Whitespace is ignored in this value.
========== cut ================
Because of this, even if an ISP adds its header lines to a message, if they
get added prior to the "DomainKey-Signature:" header, the signature will
survive. Unfortunately, this is the rare case, and I'm currently in the
process of implementing the "h=" tag usage for qmail-dk.
--
Best regards,
Alexey Loukianov mailto:[EMAIL PROTECTED]
System Engineer,
IT Department,
Lavtech Corp.
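The header-selection rule from DK-draft-02 that the thread discusses, as an added example (not code from the thread or from qmail-dk). It models which headers a verifier feeds to the signing algorithm with and without "h=", and checks whether a Received header added above or below "DomainKey-Signature:" changes that set; the header names, values and message layouts are constructed for illustration.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # (field name, field value)
SIG = "domainkey-signature"

def parse_h_tag(h_tag: str) -> List[str]:
    """h= is a colon-separated list of names; whitespace is ignored. Duplicate
    entries collapse, since every occurrence of a listed header is included."""
    seen: List[str] = []
    for name in h_tag.replace(" ", "").replace("\t", "").lower().split(":"):
        if name and name not in seen:
            seen.append(name)
    return seen

def select_signed_headers(headers: List[Header], h_tag: Optional[str] = None,
                          look_back: bool = False) -> List[Header]:
    """Headers a DK-draft-02 verifier presents to the signing algorithm.
    No h=: every header after DomainKey-Signature, in message order.
    h= given: all occurrences of each listed name after the signature header;
    if none are found there, a verifier MAY look back above it."""
    try:
        sig = next(i for i, (n, _) in enumerate(headers) if n.lower() == SIG)
    except StopIteration:
        raise ValueError("no DomainKey-Signature header")
    before, after = headers[:sig], headers[sig + 1:]
    if h_tag is None:
        return list(after)
    selected: List[Header] = []
    for name in parse_h_tag(h_tag):
        hits = [h for h in after if h[0].lower() == name]
        if not hits and look_back:
            hits = [h for h in before if h[0].lower() == name]
        selected.extend(hits)
    return selected

def signature_survives(signed: List[Header], delivered: List[Header],
                       h_tag: Optional[str] = None) -> bool:
    """True when the verifier hashes the same headers the signer hashed."""
    return select_signed_headers(signed, h_tag) == select_signed_headers(delivered, h_tag)

# Constructed message as it left the signer (signature header on top, no h=).
SIGNED: List[Header] = [
    ("DomainKey-Signature", "a=rsa-sha1; q=dns; c=nofws; s=sel; d=example.org; b=<sig>"),
    ("From", "alice@example.org"),
    ("To", "bob@example.net"),
    ("Subject", "hello"),
]
RECEIVED: Header = ("Received", "from mx.example.net (constructed)")
PREPENDED = [RECEIVED] + SIGNED                   # ISP header above the signature
APPENDED = SIGNED[:1] + [RECEIVED] + SIGNED[1:]  # ISP header below the signature
```

Without "h=", only PREPENDED verifies; with "h=From:To:Subject" both layouts verify, because the Received header is not in the signed set either way.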
---------------------------------------------------------------------
QmailToaster hosted by: VR Hosted <http://www.vr.org>