DKIM verification on large messages is broken in SA by MS truncation
adam at electricembers.net
Thu Dec 23 23:41:36 GMT 2010
I'm reporting a problem we just ran into while getting up to speed on DKIM,
as it looks a lot like a bug but actually indicates a fundamental
limitation to our MS/SA/DKIM configuration that might impact others. I
don't think there's anything for MS to do about it, but I have a fantasy
that there's something I'm missing....

MailScanner has the "Max SpamAssassin Size" parameter, to truncate messages
before handing them off to SA. It defaults to 90KB (we have it set much
smaller, but this changes only the extent of the effects, not the basic
problem). But if you want to take advantage of DKIM verification to
contribute to the spam score, then it's SA that calls on Mail::DKIM to
evaluate the signature. And if it's a large message, it's been truncated
by MS before handing off to SA, so it no longer matches the signature. So
even with a valid signature, DKIM verification fails for large messages.

The solution? Well, all I can imagine is either:

1. don't truncate at all in MailScanner, because after all, DKIM is
   designed to disapprove of message modification
2. do the DKIM verification separately, before the message gets
   submitted to MS at all, via the milter or proxy tools

But #2 is a great deal more work than just enabling the DKIM plugin in SA,
right? So that leaves us with #1. I guess if we were running just bare SA
with no MS, truncation wouldn't even be an option and we would always scan
the full message, so this isn't really a loss. But it would sure be nice
to take advantage of the MS layer to reduce unnecessary cycles.

I think what's really needed is a "Max Scan Bytes" setting in SA, so it can
impose the limit on all its other tests while internally exempting DKIM
verification, but I don't see that happening.

Have I missed anything? Or is this just a basic feature of our setup that
we'll have to accept?
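
Why the truncated copy fails, as an added example that is not part of the original post: it computes the DKIM body hash (`bh=`, SHA-256 over the RFC 6376 "relaxed" body) for a constructed message and for the same message after a size cap. The `truncate` helper is an assumed stand-in for MailScanner's truncation (a plain byte cut), and all sample data is constructed.

```python
import base64
import hashlib
import hmac
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of whitespace
        lines.append(line.rstrip(b" "))        # drop whitespace at end of line
    while lines and lines[-1] == b"":          # drop empty lines at end of body
        lines.pop()
    # Every remaining line ends in CRLF, including a final partial line.
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body: bytes) -> str:
    """Value a signer would place in bh= for a=rsa-sha256, c=*/relaxed."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def truncate(body: bytes, limit: int) -> bytes:
    """ASSUMPTION: models the scanner's size cap as a plain byte cut."""
    return body[:limit]

def bh_matches(signed_bh: str, body_seen: bytes) -> bool:
    """Body-hash step of verification: recompute and compare with bh=."""
    return hmac.compare_digest(signed_bh, body_hash(body_seen))

# Constructed sample data, not taken from any real message.
LIMIT = 90 * 1024  # stands in for the 90KB default mentioned in the post
LARGE = b"".join(b"Line %05d of a constructed body.\r\n" % i for i in range(5000))
SMALL = b"Short constructed body.\r\n"

if __name__ == "__main__":
    for name, body in (("small", SMALL), ("large", LARGE)):
        signed_bh = body_hash(body)            # what the sender signed
        seen = truncate(body, LIMIT)           # what the verifier is handed
        print(name, len(body), "->", len(seen), "bytes; bh matches:",
              bh_matches(signed_bh, seen))
```

The signing key and the header signature play no part in this failure: the `bh=` comparison alone is enough to fail a message whose body was cut before verification.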