Posted to users@spamassassin.apache.org by Magnus Holmgren <ho...@lysator.liu.se> on 2006/06/12 16:07:40 UTC
Re: SA tags above header info
On Monday 03 October 2005 18:14, Nix took the opportunity to write:
> On Sat, 1 Oct 2005, jdow@earthlink.net stated:
> > Which begs the question I don't remember anybody asking: "What the
> > <censored> is "DomainKeys" and why should it experience a special
> > exception to sane ordering if header information with time of
> > application ordered message tags?
>
> It's a scheme whereby the headers get cryptographically signed, as a
> body, with a key derived from a DNS lookup; another anti-forgery
> scheme, like SPF, only hopefully more forwarding-friendly.
>
> The idea is that relays sign the headers from a given Received: line on
> down, thus validating the path a mail has taken without breaking the
> ability for further relays to add Received lines. So adding things
> above Received lines is safe: adding them below invalidates the DK
> signature.
One remark I haven't seen yet is that the "DomainKey-Signature:" field can
include an "h" tag, which specifies which header fields are included in the
signature. If that tag is included (and I think it usually is(?)) and there
aren't already any X-Spam-* fields that have been signed, then it should be
safe to add SA's header lines below, just like before. If the "h" tag isn't
present, adding it shouldn't change the verification status, but I don't think
it's allowed.
Always prepending SA's header lines clearly is the easiest thing to do.
> (Yes, I think it looks ugly, too.)
Me too, but it's probably just because I'm used to it. Always adding new
headers to the top has the additional benefit that it's easier to see which
relay added what.
--
Magnus Holmgren holmgren@lysator.liu.se
(No Cc of list mail needed, thanks)
Re: SA tags above header info
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Magnus Holmgren wrote:
> One remark I haven't seen yet is that the "DomainKey-Signature:" field can
> include an "h" tag, which specifies which header fields are included in the
> signature. If that tag is included (and I think it usually is(?)) and there
> aren't already any X-Spam-* fields that have been signed, then it should be
> safe to add SA's header lines below, just like before. If the "h" tag isn't
> present, adding it shouldn't change the verification status, but I don't think
> it's allowed.
You can't alter the signature. The signature tags are all used in
calculation of the key.
> Always prepending SA's header lines clearly is the easiest thing to do.
>
>> (Yes, I think it looks ugly, too.)
>
> Me too, but it's probably just because I'm used to it. Always adding new
> headers to the top has the additional benefit that it's easier to see which
> relay added what.
Personally, I now prefer the headers being prepended over them being
appended. There was about a week or two where I wasn't sure about it
though.
Daryl
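
An added example, not part of either post and not SpamAssassin code, of the check discussed in this thread: given a header block, decide whether inserting a new field at a given position changes what the DomainKeys signature covers. It assumes, as the thread describes, that headers above the signature are never covered, that an "h" tag limits coverage to the listed fields, and that without "h" everything below the signature is covered; the helper names and the sample message are constructed.

```python
# Added illustration; helper names and sample data are constructed.
def parse_tags(value):
    """Split a 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def signed_fields(headers):
    """Return (index of DomainKey-Signature, signed names or None).

    None for the names means there is no "h" tag, so every header
    below the signature is assumed to be covered.
    """
    for i, (name, value) in enumerate(headers):
        if name.lower() == "domainkey-signature":
            h = parse_tags(value).get("h")
            names = {n.lower() for n in h.split(":")} if h else None
            return i, names
    return None, None

def insertion_is_safe(headers, new_name, position):
    """True if inserting new_name at list index `position` leaves the signed set alone."""
    sig_index, names = signed_fields(headers)
    if sig_index is None:
        return True   # no DomainKeys signature on the message
    if position <= sig_index:
        return True   # lands above the signature: never covered
    if names is None:
        return False  # no "h" tag: all headers below are signed
    return new_name.lower() not in names

# Constructed header block, top of the message first.
SAMPLE = [
    ("Received", "from mx.example.net by mail.example.org"),
    ("DomainKey-Signature",
     "a=rsa-sha1; q=dns; c=nofws; s=sel; d=example.com;\n"
     "  h=from:to:subject:date; b=PLACEHOLDER"),
    ("From", "alice@example.com"),
    ("To", "bob@example.org"),
    ("Subject", "hello"),
    ("Date", "Mon, 12 Jun 2006 16:07:40 +0200"),
]
# Same message with the "h" tag left out of the signature.
SAMPLE_NO_H = [(n, v.replace("h=from:to:subject:date; ", "")) for n, v in SAMPLE]

if __name__ == "__main__":
    for label, msg in (("with h", SAMPLE), ("without h", SAMPLE_NO_H)):
        print(label, "append:", insertion_is_safe(msg, "X-Spam-Status", len(msg)),
              "prepend:", insertion_is_safe(msg, "X-Spam-Status", 0))
```

Prepending comes out safe in both cases, which matches the thread's conclusion that always adding SA's header lines at the top is the easiest rule.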