duplicate subject lines in headers (again)

Mark Sapiro mark at msapiro.net
Mon Nov 14 06:36:41 UTC 2016


On 11/13/2016 03:04 PM, Warwick Brown wrote:
> 
> I notice that in Exim.pm, from line 645 to line 854 there is some acknowledgement to the issue of trailing whitespace in relation to ISO encoded subject lines...I wonder if that 'fixup' may be more appropriate in a broader sense. I'm kicking myself for not being a perlmonger and while I can almost 'read' the code, I'm by no means competent to change it with any assurance. But from my 'spider-sense' I am wondering if all subjects should be treated in the same way?


Actually, it's much simpler than that. If you look further down
beginning at line 902 you'll see

sub ReplaceHeader {
  my($this, $message, $key, $newvalue) = @_;

  # DKIM: Don't do DeleteHeader if adding all headers at top
  $this->DeleteHeader($message, $key) unless $message->{dkimfriendly};
  $this->AddHeader($message, $key, $newvalue);

  return 1;
}

dkimfriendly is set in Message.pm if

Multiple Headers = add

and

Place New Headers At Top Of Message = yes

which is the way you are configured. I.e., this behavior is intentional
with your configuration.

So the question is do you care if you break DKIM signatures on incoming
mail. You need to consider your mail flow. If you don't relay mail
through your server, you don't care. If you care about validating DKIM
sigs on incoming mail, Spamassassin does that for MailScanner, I'm sure
before MailScanner adds any headers, and if you're DKIM signing outgoing
mail, you should be doing that in the outgoing Exim after MailScanner.

The only signatures you might care about breaking are ones in incoming
mail that you will relay to another server. There, it can be important
because of DMARC, and possibly you are caught between the proverbial
rock and hard place.

Even with

Place New Headers At Top Of Message = no

You probably won't actually break the sig unless the incoming message
has trailing spaces on the Subject:. So, if you consider an incoming
message with trailing spaces on the Subject: that originated From:
another domain (not yours) that publishes DMARC p=reject and is DKIM
signed by that domain, if you leave your MS config as is, you may not
break the DKIM sig so DMARC will pass, but Yahoo will reject the relayed
mail because of two Subject: headers. If you set

Place New Headers At Top Of Message = no

you won't wind up with two Subject: headers, but you'll break the From:
domain's DKIM sig so DMARC will fail and more than just Yahoo will
reject the mail for DMARC policy.

Now, for mail From: your domain, there's no issue. You just DKIM sign on
the way out and that sig is good.

I know this is complex and probably difficult for most people to grasp,
so if you have specific scenarios you want to ask about, please do.

Another possibility is to modify MailScanner itself to not strip
trailing space from the Subject: ever. I don't think that would be hard,
but I haven't looked at exactly how to do it.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
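
Added example (not part of the original post and not MailScanner code): a Python check a relay operator could run on a raw message to see the two conditions discussed above, namely how many Subject: headers it carries and whether stripping trailing whitespace from Subject: would change the header bytes covered by a DKIM signature. It applies the RFC 6376 header canonicalization named in the signature's c= tag and does not verify the signature cryptographically; the function names and the sample messages are constructed for illustration.

```python
import re

def parse_headers(raw: bytes):
    """Return [[name, value]] with folding and trailing whitespace left intact."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += "\r\n" + line            # continuation of previous field
        elif ":" in line:
            fields.append(line.split(":", 1))
    return fields

def canon(name: str, value: str, mode: str) -> str:
    """DKIM header canonicalization per RFC 6376 section 3.4 (simple or relaxed)."""
    if mode == "simple":
        return f"{name}:{value}"                      # simple: header is signed as-is
    value = re.sub(r"\r\n(?=[ \t])", "", value)       # relaxed: unfold,
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse WSP, trim both ends
    return f"{name.strip().lower()}:{value}"

def dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    flat = re.sub(r"\s+", "", value)
    return dict(t.split("=", 1) for t in flat.split(";") if "=" in t)

def assess(raw: bytes) -> dict:
    fields = parse_headers(raw)
    subjects = [v for n, v in fields if n.strip().lower() == "subject"]
    sigs = [dkim_tags(v) for n, v in fields if n.strip().lower() == "dkim-signature"]
    result = {"subject_count": len(subjects), "strip_breaks_sig": False}
    for tags in sigs:
        mode = tags.get("c", "simple/simple").split("/")[0]   # header part of c=
        signed = "subject" in tags.get("h", "").lower().split(":")
        for v in subjects:                            # every Subject: is checked
            if signed and canon("Subject", v, mode) != canon("Subject", v.rstrip(" \t"), mode):
                result["strip_breaks_sig"] = True
    return result

# Constructed sample messages (not from the thread); bh= and b= are placeholders.
def sample(c: str, extra: bytes = b"") -> bytes:
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=" + c.encode() + b"; d=example.org;\r\n"
            b" s=sel; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n" + extra +
            b"From: a@example.org\r\nSubject: hello  \r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(assess(sample("simple/simple")))
    print(assess(sample("relaxed/relaxed")))
    print(assess(sample("relaxed/relaxed", b"Subject: [tagged] hello\r\n")))
```

A subject_count above 1 is the duplicate-header condition; strip_breaks_sig marks a message where removing the trailing whitespace alters the signed Subject: header.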

