Shad L. Lords wrote:
Filippo Carletti wrote:
Without the details and without an inline patch, I can't apply this.
Sorry for having been terse.
I don't have the details, I've been told that message signing fails if
headers are added at the bottom. This patch moves them on top:
Headers should always be added to the top of the message in the order
they are done. If you add headers below a signing line (and those
headers are included in the signature) then you mess up the signature
and the message won't pass.
Most signatures take into account the body of the message and all
headers received up to that point. By injecting headers at the bottom
you mess up the headers. This might not be the best place to fix this.
DKIM signing, for example, signs only the explicitly mentioned headers.
If you're adding more of the explicitly mentioned headers, you are
logically breaking the signature, whether the checking algorithm
disambiguates the duplication correctly (for some value of correctly) or
not.
Frankly, so much stuff adds headers on at the end (including Exchange,
Thunderbird et al.), getting slavishly pedantic (if indeed it's right
in the first place) is pointless and irrelevant, because the next thing
in the way, MUA or MTA, is just going to muck it up again.
If DKIM or S/MIME _truly_ cared about this, neither would work often
enough to be at all useable.
The correct way would be to fix header->add to always stick the
headers at the top.
If you feel that strongly about this, I suggest having a global
configuration option to permit the admin to force header add to the top.
Meanwhile, most of the rest of us can continue working consistently
with the rest of the world.
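
Added example, not part of the thread: a small Python model of the header-selection rule in RFC 6376 section 5.4.2, where each name in the signature's h= tag takes the lowest unused instance of that header, searching from the bottom of the header block. It shows which insertions change the signed header set. The header names, values and function names are constructed for illustration, and canonicalization, hashing and key handling are left out.

```python
def select_signed_headers(header_block, h_tag):
    """Return the header instances a DKIM verifier would feed to the hash.

    header_block: list of (name, value) in message order, top first.
    h_tag: header names from the signature's h= tag, in order.
    Each name consumes the lowest not-yet-used instance of that header;
    a name with no instance left contributes nothing.
    """
    remaining = list(header_block)
    selected = []
    for wanted in h_tag:
        # Walk from the bottom of the header block towards the top.
        for pos in range(len(remaining) - 1, -1, -1):
            name, value = remaining[pos]
            if name.lower() == wanted.lower():
                selected.append((name, value))
                del remaining[pos]
                break
    return selected


# Constructed sample: the header block as it was when signed (top first).
SIGNED = [
    ("Received", "from mx.example by filter.example"),
    ("From", "alice@example.org"),
    ("Subject", "quarterly report"),
    ("X-Spam-Status", "No, score=0.1"),
]
H_TAG = ["from", "subject", "x-spam-status"]  # constructed h= list


def survives(modified):
    """True if the verifier would hash the same headers as the signer did."""
    return select_signed_headers(modified, H_TAG) == select_signed_headers(SIGNED, H_TAG)


NEW = ("X-Spam-Status", "No, score=0.3")  # a name that is listed in h=
prepended = [NEW] + SIGNED                # added at the top
appended = SIGNED + [NEW]                 # added at the bottom
unsigned_appended = SIGNED + [("X-Virus-Scanned", "clean")]  # name not in h=

if __name__ == "__main__":
    print("signed name added on top   :", survives(prepended))
    print("signed name added at bottom:", survives(appended))
    print("unsigned name at bottom    :", survives(unsigned_appended))
```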