DKIM and MailScanner used in a mail forwarder

Brent Addis brent.addis at spit.gen.nz
Sun Mar 8 23:35:52 GMT 2009


It really depends how it's being forwarded.


Your average joe user will use Outlook or some similar MUA which will be
using their/your domain, not Paypal's.

Do you mean redirect? (I haven't seen this used by an average joe MUA in
a LONG time)




On Sun, 2009-03-08 at 23:02 +0000, Julian Field wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> But if you have a message from Paypal, for example, you can verify the 
> signature on the way in, that's fine. But then if that user 
> auto-forwards a copy of his mail to a Google or gmail account, won't 
> MailScanner break Paypal's DKIM signature header by adding headers below 
> it? I can't re-sign the message with Paypal's DKIM key of course. 
> There's no point signing it with my own key as I wasn't the originator 
> of the message, and so my domain doesn't appear in the From: header or 
> even in the envelope sender.
> Then when the message arrives at Gmail, Paypal's DKIM signature will be 
> broken and Gmail will throw away the message as being fake (due to the 
> broken DKIM sig).
> 
> I can sign outgoing messages coming from my own users, that's no 
> problem, but if I'm forwarding mail for a user then I break the 
> originator's DKIM sig.
> 
> To try to avoid this problem, I have added this (from my Change Log)
> 
> To help stop MailScanner breaking DKIM signatures on messages, I have
>    added a new configuration option "Place New Headers At Top Of Message".
>    This is set to "no" by default, as I think the result looks a bit ugly.
>    But if you have users forwarding mail from Ebay, Paypal or Yahoo! to Gmail
>    or Googlemail accounts, you need to stop MailScanner breaking the DKIM
>    signature, or Google will tend to drop the message as being fake. To avoid
>    this happening, you must set three settings (at least):
>    Place New Headers At Top Of Message = yes
>    Multiple Headers = add
>    Sign Clean Messages = no
>    Then MailScanner will do its best not to alter the headers or body below
>    the DKIM signature.
> 
> In the three settings mentioned above, you can of course use rulesets so 
> you don't do this to messages more than necessary.
> Do you think that will fix this problem?
> 
> Jules.
> 
> On 8/3/09 22:45, Brent Addis wrote:
> > I use it, it's fine. Exim only signs when it actually sends the 
> > message, so it includes the mailscanner headers.
> >
> > No idea about postfix/sendmail/whatever else
> >
> > Make sure you have separate sending and receiving systems (Sending 
> > signs, receiving checks)
> >
> >
> >
> >
> > On Sun, 2009-03-08 at 11:37 +0000, Julian Field wrote:
> >> How badly does DKIM interact with MailScanner when MailScanner is used
> >> in a mail forwarding system?
> >> What could I do to improve the situation?
> >>
> >> Jules
> >>
> >> -- 
> >> Julian Field MEng CITP CEng
> >> www.MailScanner.info <http://www.MailScanner.info>
> >> Buy the MailScanner book at www.MailScanner.info/store <http://www.MailScanner.info/store>
> >>
> >> MailScanner customisation, or any advanced system administration help?
> >> Contact me at Jules at Jules.FM <mailto:Jules at Jules.FM>
> >>
> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >> PGP public key: http://www.jules.fm/julesfm.asc
> >>
> >>
> >> -- 
> >> This message has been scanned for viruses and
> >> dangerous content by MailScanner, and is
> >> believed to be clean.
> >>
> >>      
> 
> Jules
> 
> - -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.9.1 (Build 287)
> Comment: Use PGP or Thunderbird Enigmail to verify this message
> Charset: UTF-8
> 
> wj8DBQFJtE6hEfZZRxQVtlQRAgzLAKDRXAetFJMwgLC6sBWCPWvRIjctHQCgnCn+
> +YKx3bhoq6Ha0hT8xqm9KJM=
> =SHl0
> -----END PGP SIGNATURE-----
> 
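An added example, not part of the original thread and not MailScanner code: a sketch of how a DKIM verifier picks the header instances named in `h=` (bottom-up, RFC 6376 section 5.4.2), showing why a header added at the top leaves the sender's signature intact while one added at the bottom, a replaced header, or text appended to the body does not. The header name `X-Scan-Result`, the domains and the `h=` list are constructed; the RSA check and the DKIM-Signature field's own contribution to the hash are left out.

```python
import hashlib
import re

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2)."""
    value = re.sub(r"\r?\n", "", value)                # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def signed_header_hash(headers, h_tag):
    # headers: (name, value) pairs in top-to-bottom order. Each name in h=
    # consumes the lowest unused instance of that field, so selection runs
    # bottom-up; a name with no instance left contributes nothing.
    remaining = list(headers)
    digest = hashlib.sha256()
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                digest.update(relaxed_header(*remaining.pop(i)).encode())
                break
    return digest.hexdigest()

def body_hash(body):
    """SHA-256 of the body under relaxed canonicalization (section 3.4.4)."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" ")
             for l in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()                                    # drop trailing empty lines
    data = "".join(l + "\r\n" for l in lines)
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample: the sender signed From, Subject and its own scanner header.
H_TAG = "from:subject:x-scan-result"
ORIGINAL = [("Received", "from mx.sender.example by forwarder.example"),
            ("From", "Billing <billing@sender.example>"),
            ("Subject", "Your receipt"),
            ("X-Scan-Result", "clean (sender.example)")]
ADDED = ("X-Scan-Result", "clean (forwarder.example)")  # forwarder's new header
BODY = "Thanks for your payment.\r\n"

def survives(headers, body=BODY):
    """True when both hashes still match what the sender signed."""
    return (signed_header_hash(headers, H_TAG) == signed_header_hash(ORIGINAL, H_TAG)
            and body_hash(body) == body_hash(BODY))

if __name__ == "__main__":
    print("added at top:   ", survives([ADDED] + ORIGINAL))
    print("added at bottom:", survives(ORIGINAL + [ADDED]))
    print("replaced:       ", survives(ORIGINAL[:3] + [ADDED]))
    print("body appended:  ", survives(ORIGINAL, BODY + "-- \r\nScanned.\r\n"))
```

A forwarder header whose name is not in the sender's `h=` list is never selected, so it does not affect the header hash at either position; the position matters for names the sender signed.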