DKIM and MailScanner used in a mail forwarder

Brent Addis brent.addis at spit.gen.nz
Sun Mar 8 23:37:32 GMT 2009 

oh. hang on. Fingers faster than brain.

You mean remote MTA's running DKIM after your scanner has redirected it.

Nne of our users run DKIM internally, they rely on us, so haven't
actually hit it yet.


On Sun, 2009-03-08 at 23:02 +0000, Julian Field wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> But if you have a message from Paypal, for example, you can verify the 
> signature on the way in, that's fine. But then if that user 
> auto-forwards a copy of his mail to a Google or gmail account, won't 
> MailScanner break Paypal's DKIM signature header by adding headers below 
> it? I can't re-sign the message with Paypal's DKIM key of course. 
> There's no point signing it with my own key as I wasn't the originator 
> of the message, and so my domain doesn't appear in the From: header or 
> even in the enveloper sender.
> Then when the message arrives at Gmail, Paypal's DKIM signature will be 
> broken and Gmail will throw away the message as being fake (due to the 
> broken DKIM sig).
> 
> I can sign outgoing messages coming from my own users, that's no 
> problem, but if I'm forwarding mail for a user then I break the 
> originator's DKIM sig.
> 
> To try to avoid this problem, I have added this (from my Change Log)
> 
> To help stop MailScanner breaking DKIM signatures on messages, I have
>    added a new configuration option "Place New Headers At Top Of Message".
>    This is set to "no" by default, as I think the result looks a bit ugly.
>    But if you have users forwarding mail from Ebay, Paypal or Yahoo! to 
> Gmail
>    or Googlemail accounts, you need to stop MailScanner breaking the DKIM
>    signature, or Google will tend to drop the message as being fake. To 
> avoid
>    this happening, you must set three settings (at least):
>    Place New Headers At Top Of Message = yes
>    Multiple Headers = add
>    Sign Clean Messages = no
>    Then MailScanner will do its best not to alter the headers or body below
>    the DKIM signature.
> 
> In the three settings mentioned above, you can of course use rulesets so 
> you don't do this to messages more than necessary.
> Do you think that will fix this problem?
> 
> Jules.
> 
> On 8/3/09 22:45, Brent Addis wrote:
> > I use it, it's fine. Exim only signs when it actually sends the 
> > message, so it includes the mailscanner headers.
> >
> > No idea about postfix/sendmail/whatever else
> >
> > Make sure you have separate sending and receiving systems (Sending 
> > signs, receiving checks)
> >
> >
> >
> >
> > On Sun, 2009-03-08 at 11:37 +0000, Julian Field wrote:
> >> How badly does DKIM interact with MailScanner when MailScanner is used
> >> in a mail forwarding system?
> >> What could I do to improve the situation?
> >>
> >> Jules
> >>
> >> -- 
> >> Julian Field MEng CITP CEng
> >> www.MailScanner.info  <http://www.MailScanner.info>
> >> Buy the MailScanner book atwww.MailScanner.info/store  <http://www.MailScanner.info/store>
> >>
> >> MailScanner customisation, or any advanced system administration help?
> >> Contact me atJules at Jules.FM  <mailto:Jules at Jules.FM>
> >>
> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >> PGP public key:http://www.jules.fm/julesfm.asc
> >>
> >>
> >> -- 
> >> This message has been scanned for viruses and
> >> dangerous content by MailScanner, and is
> >> believed to be clean.
> >>
> >>      
> 
> Jules
> 
> - -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.9.1 (Build 287)
> Comment: Use PGP or Thunderbird Enigmail to verify this message
> Charset: UTF-8
> 
> wj8DBQFJtE6hEfZZRxQVtlQRAgzLAKDRXAetFJMwgLC6sBWCPWvRIjctHQCgnCn+
> +YKx3bhoq6Ha0hT8xqm9KJM=
> =SHl0
> -----END PGP SIGNATURE-----
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090309/94521c59/attachment.html

More information about the MailScanner mailing list