DKIM and MailScanner used in a mail forwarder
Julian Field
MailScanner at ecs.soton.ac.uk
Sun Mar 8 23:02:38 GMT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
But if you have a message from Paypal, for example, you can verify the
signature on the way in, that's fine. But then if that user
auto-forwards a copy of his mail to a Google or gmail account, won't
MailScanner break Paypal's DKIM signature header by adding headers below
it? I can't re-sign the message with Paypal's DKIM key of course.
There's no point signing it with my own key as I wasn't the originator
of the message, and so my domain doesn't appear in the From: header or
even in the envelope sender.
Then when the message arrives at Gmail, Paypal's DKIM signature will be
broken and Gmail will throw away the message as being fake (due to the
broken DKIM sig).
I can sign outgoing messages coming from my own users, that's no
problem, but if I'm forwarding mail for a user then I break the
originator's DKIM sig.
To try to avoid this problem, I have added this (from my Change Log):
To help stop MailScanner breaking DKIM signatures on messages, I have
added a new configuration option "Place New Headers At Top Of Message".
This is set to "no" by default, as I think the result looks a bit ugly.
But if you have users forwarding mail from Ebay, Paypal or Yahoo! to Gmail
or Googlemail accounts, you need to stop MailScanner breaking the DKIM
signature, or Google will tend to drop the message as being fake. To avoid
this happening, you must set three settings (at least):
    Place New Headers At Top Of Message = yes
    Multiple Headers = add
    Sign Clean Messages = no
Then MailScanner will do its best not to alter the headers or body below
the DKIM signature.
In the three settings mentioned above, you can of course use rulesets so
you don't do this to messages more than necessary.
Do you think that will fix this problem?
Jules.
On 8/3/09 22:45, Brent Addis wrote:
> I use it, it's fine. Exim only signs when it actually sends the
> message, so it includes the mailscanner headers.
>
> No idea about postfix/sendmail/whatever else
>
> Make sure you have separate sending and receiving systems (Sending
> signs, receiving checks)
>
>
>
>
> On Sun, 2009-03-08 at 11:37 +0000, Julian Field wrote:
>> How badly does DKIM interact with MailScanner when MailScanner is used
>> in a mail forwarding system?
>> What could I do to improve the situation?
>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info <http://www.MailScanner.info>
>> Buy the MailScanner book at www.MailScanner.info/store <http://www.MailScanner.info/store>
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules at Jules.FM <mailto:Jules at Jules.FM>
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
Jules
- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Comment: Use PGP or Thunderbird Enigmail to verify this message
Charset: UTF-8
wj8DBQFJtE6hEfZZRxQVtlQRAgzLAKDRXAetFJMwgLC6sBWCPWvRIjctHQCgnCn+
+YKx3bhoq6Ha0hT8xqm9KJM=
=SHl0
-----END PGP SIGNATURE-----
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
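Added example, not part of the original post and not MailScanner code: a Python check of whether a forwarding gateway left the inputs of an existing DKIM signature intact, by comparing the header fields named in h= (selected bottom-up, as DKIM verifiers do) and the canonicalized body hash before and after forwarding. It assumes a single DKIM-Signature, SHA-256, no l= tag, and compares header fields byte-for-byte (stricter than relaxed header canonicalization); the sample message and its bh=/b= values are constructed placeholders.

```python
import base64, hashlib, re

def parse(raw):
    """Split a raw CRLF message into [(lowercased name, field bytes)] and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\r\n" + line          # folded continuation line
        else:
            fields.append(line)
    return [(f.split(b":", 1)[0].strip().lower(), f) for f in fields], body

def body_hash(body, canon):
    """Body hash under 'simple' or 'relaxed' canonicalization (SHA-256, base64)."""
    lines = body.split(b"\r\n")
    if canon == b"relaxed":                       # collapse WSP runs, drop trailing WSP
        lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in lines]
    while lines and lines[-1] == b"":
        lines.pop()                               # trailing empty lines are ignored
    data = b"".join(l + b"\r\n" for l in lines)
    data = data or (b"" if canon == b"relaxed" else b"\r\n")  # simple: empty body is CRLF
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def signed_inputs(raw):
    """Return (header fields selected by h=, body hash) for the topmost DKIM-Signature.
    Each name in h= consumes the lowest not-yet-used instance of that header."""
    fields, body = parse(raw)
    sig = next(f for n, f in fields if n == b"dkim-signature")
    value = re.sub(rb"\s+", b"", sig.split(b":", 1)[1])
    tags = dict(t.split(b"=", 1) for t in value.split(b";") if b"=" in t)
    canon = tags.get(b"c", b"simple/simple").split(b"/")
    stacks = {}
    for n, f in fields:
        stacks.setdefault(n, []).append(f)
    picked = [stacks[n].pop() if stacks.get(n) else b""
              for n in tags[b"h"].lower().split(b":")]
    return picked, body_hash(body, canon[1] if len(canon) > 1 else b"simple")

def survives(original, forwarded):
    """True if forwarding left every signed header field and the body hash unchanged."""
    return signed_inputs(original) == signed_inputs(forwarded)

# Constructed sample message and three constructed gateway outcomes.
ORIGINAL = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
            b"\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\nFrom: billing@example.com\r\n"
            b"To: user@example.org\r\nSubject: Receipt\r\n\r\nThank you for your payment.\r\n")
HEADER_ON_TOP = b"X-Example-Scanned: clean\r\n" + ORIGINAL             # new header above
BODY_SIGNED = ORIGINAL + b"-- \r\nThis message has been scanned.\r\n"  # text added to body
SUBJECT_ALTERED = ORIGINAL.replace(b"Subject: Receipt", b"Subject: {Scanned} Receipt")
```

`survives(ORIGINAL, HEADER_ON_TOP)` is true, while the body-signed and subject-altered variants return false.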