Posted to users@spamassassin.apache.org by Magnus Holmgren <ho...@lysator.liu.se> on 2006/06/12 16:07:40 UTC

Re: SA tags above header info

On Monday 03 October 2005 18:14, Nix took the opportunity to write:
> On Sat, 1 Oct 2005, jdow@earthlink.net stated:
> > Which begs the question I don't remember anybody asking: "What the
> > <censored> is "DomainKeys" and why should it experience a special
> > exception to sane ordering if header information with time of
> > application ordered message tags?
>
> It's a scheme whereby the headers get cryptographically signed, as a
> body, with a key derived from a DNS lookup; another anti-forgery
> scheme, like SPF, only hopefully more forwarding-friendly.
>
> The idea is that relays sign the headers from a given Received: line on
> down, thus validating the path a mail has taken without breaking the
> ability for further relays to add Received lines. So adding things
> above Received lines is safe: adding them below invalidates the DK
> signature.

One remark I haven't seen yet is that the "DomainKey-Signature:" field can 
include an "h" tag, which specifies which header fields are included in the 
signature. If that tag is included (and I think it usually is(?)) and there 
aren't already any X-Spam-* fields that have been signed, then it should be 
safe to add SA's header lines below, just like before. If the "h" tag isn't 
present, adding it shouldn't change the verification status, but I don't think 
it's allowed.

Always prepending SA's header lines clearly is the easiest thing to do.

> (Yes, I think it looks ugly, too.)

Me too, but it's probably just because I'm used to it. Always adding new 
headers to the top has the additional benefit that it's easier to see which 
relay added what.

-- 
Magnus Holmgren        holmgren@lysator.liu.se
                       (No Cc of list mail needed, thanks)
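
The following is an added example, not part of the original posts and not SpamAssassin's code. It models the coverage rule as described in this thread (headers above a DomainKey-Signature are not covered; headers below are covered unless an "h" tag lists only other field names) and reports whether inserting a header at a given position would change the signed set. The function names, the sample message and the b= placeholder are constructed for illustration; no signature is actually verified.

```python
import email

def dk_tags(value):
    """Split a DomainKey-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip().lower()] = "".join(val.split())
    return tags

def insertion_keeps_signature(raw_message, new_header, index):
    """True if adding `new_header` at position `index` (0 = top) leaves
    the header set covered by every DomainKey-Signature unchanged."""
    headers = email.message_from_string(raw_message).items()
    for pos, (name, value) in enumerate(headers):
        if name.lower() != "domainkey-signature" or pos >= index:
            continue  # not a signature, or the new header lands above it
        h = dk_tags(value).get("h")
        if h is None:
            return False  # no "h" tag: every header below is signed
        if new_header.lower() in {n.lower() for n in h.split(":")}:
            return False  # this field name is in the signed list
    return True

def sample(h_tag=""):
    """Constructed sample message; the b= value is a placeholder."""
    return (
        "Received: from relay.example.net by mx.example.org\n"
        "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel;\n"
        "\td=example.com; " + h_tag + "b=PLACEHOLDER\n"
        "From: alice@example.com\n"
        "To: bob@example.org\n"
        "Subject: hello\n"
        "Date: Mon, 3 Oct 2005 18:14:00 +0000\n"
        "\n"
        "body\n"
    )

if __name__ == "__main__":
    with_h = sample("h=From:To:Subject:Date; ")
    for label, msg in (("h tag present", with_h), ("h tag absent", sample())):
        for where, idx in (("prepend", 0), ("append", 6)):
            ok = insertion_keeps_signature(msg, "X-Spam-Status", idx)
            print(f"{label:14} {where:8} signed set unchanged: {ok}")
```
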

Re: SA tags above header info

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Magnus Holmgren wrote:

> One remark I haven't seen yet is that the "DomainKey-Signature:" field can 
> include an "h" tag, which specifies which header fields are included in the 
> signature. If that tag is included (and I think it usually is(?)) and there 
> aren't already any X-Spam-* fields that have been signed, then it should be 
> safe to add SA's header lines below, just like before. If the "h" tag isn't 
> present, adding it shouldn't change the verification status, but I don't think 
> it's allowed.

You can't alter the signature.  The signature tags are all used in 
calculation of the key.


> Always prepending SA's header lines clearly is the easiest thing to do.
> 
>> (Yes, I think it looks ugly, too.)
> 
> Me too, but it's probably just because I'm used to it. Always adding new 
> headers to the top has the additional benefit that it's easier to see which 
> relay added what.

Personally, I now prefer the headers being prepended over them being 
appended.  There was about a week or two where I wasn't sure about it 
though.


Daryl