DKIM verification on large messages is broken in SA by MS truncation

Adam Bernstein adam at electricembers.net
Thu Dec 23 23:41:36 GMT 2010


I'm reporting a problem we just ran into while getting up to speed on DKIM, 
as it looks a lot like a bug but actually indicates a fundamental 
limitation to our MS/SA/DKIM configuration that might impact others.  I 
don't think there's anything for MS to do about it, but I have a fantasy 
that there's something I'm missing....

THE PROBLEM:

MailScanner has the "Max SpamAssassin Size" parameter, to truncate messages 
before handing them off to SA.  It defaults to 90KB (we have it set much 
smaller, but this changes only the extent of the effects, not the basic 
problem).  But if you want to take advantage of DKIM verification to 
contribute to the spam score, then it's SA that calls on Mail::DKIM to 
evaluate the signature.  And if it's a large message, it's been truncated 
by MS before handing off to SA, so it no longer matches the signature.  So 
even with a valid signature, DKIM verification fails for large messages.

--------------------

The solution?  Well, all I can imagine is either:
    1. don't truncate at all in MailScanner, because after all, DKIM is 
designed to disapprove of message modification
or
    2. do the DKIM verification separately, before the message gets 
submitted to MS at all, via the milter or proxy tools

But #2 is a great deal more work than just enabling the DKIM plugin in SA, 
right?  So that leaves us with #1.  I guess if we were running just bare SA 
with no MS, truncation wouldn't even be an option and we would always scan 
the full message, so this isn't really a loss.  But it would sure be nice 
to take advantage of the MS layer to reduce unnecessary cycles.

I think what's really needed is a "Max Scan Bytes" setting in SA, so it can 
impose the limit on all its other tests while internally exempting DKIM 
verification, but I don't see that happening.

Have I missed anything?  Or is this just a basic feature of our setup that 
we'll have to accept?

Thanks much!

       adam
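
The effect described in this message, as an added example (not part of the original post, and not MailScanner or SpamAssassin code): the DKIM body hash (`bh=`) covers the whole canonicalized body, so a copy cut to a byte limit cannot match it. Truncation is modelled here as keeping the first `MAX_SA_SIZE` bytes, which is an assumption; the sample message and its `b=` value are constructed, and only the body hash is checked, not the RSA signature.

```python
import base64
import hashlib
import re

MAX_SA_SIZE = 90 * 1024  # assumed byte limit, modelled on the 90KB default above


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)


def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()


def signed_bh(head: bytes) -> str:
    """Extract the bh= tag from the (unfolded) DKIM-Signature header."""
    for line in re.sub(rb"\r\n[ \t]+", b" ", head).split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            for tag in value.split(b";"):
                key, _, val = tag.partition(b"=")
                if key.strip() == b"bh":
                    return re.sub(rb"\s+", b"", val).decode()
    raise ValueError("no DKIM-Signature bh= tag found")


def body_hash_matches(raw: bytes) -> bool:
    head, _, body = raw.partition(b"\r\n\r\n")
    return signed_bh(head) == body_hash(body)


def build_sample(body_bytes: int) -> bytes:
    """Constructed message; b= is a placeholder, only bh= is meaningful here."""
    line = b"constructed filler line for a large message body\r\n"
    body = line * (body_bytes // len(line) + 1)
    head = (b"From: sender@example.org\r\nSubject: large message\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
            b" s=sel1; h=from:subject; bh=" + body_hash(body).encode() + b";\r\n"
            b" b=PLACEHOLDER")
    return head + b"\r\n\r\n" + body


if __name__ == "__main__":
    for size in (1024, 200 * 1024):
        msg = build_sample(size)
        print(size, body_hash_matches(msg), body_hash_matches(msg[:MAX_SA_SIZE]))
```

A message that fits under the limit still verifies after the cut because nothing was removed; only messages larger than the limit lose their match.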

