[Mailman-Developers] dkim-signature headers

Michael Thomas mat at cisco.com
Thu Feb 1 22:34:08 CET 2007 

Mark Sapiro wrote:
> Michael Thomas wrote:
>   
>> I'm not sure whether Murray's dkim milter allows you to sign with the l=
>> option or not, but setting the body length allows text to be appended to the
>> end of a message -- like a mailing list trailer. This combined with some 
>> heuristics
>> with subject line modification gets you to nearly 100% success rates. 
>>     
>
>
> Consider that while Mailman doesn't do all of these things to every
> message, it can do any of the following:
>
>  - Add text to the beginning of the message body (msg_header)
>  - Add text to the end of the message body (msg_footer)
>  - Remove text from the beginning of the message body (Approved: line)
>  - Add additional MIME parts to a multipart message (msg_header,
> msg_footer)
>  - Convert a single part message to multipart in order to add
> msg_header/msg_footer
>  - Remove parts from a multipart message (content filtering)
>  - Convert an HTML part to plain text (content filtering)
>  - Decode a base64 or quoted-printable encoded part and perhaps
> re-encode it with a different encoding.
>  - Change or delete various headers including Subject:, To:, From:
>  - Replace some MIME parts with URLs of where they were stored and
> flatten the entire message into a single plain text message (scrubber).
>  - Probably other things I'm overlooking.
>   

Yes, there's no question that mailman as well as lots of other software
can destroy signatures. In practice as people seem to actually use them,
it is more theoretical than real. We've been running DKIM signers/verifiers
for going on a year now and the 99% I quoted is across a 25000 user
population which probably uses mailing lists far more than most similarly
sized companies.

[note some of the things you mention can be worked around too]
>
>   
>> The only
>> other problem that I've had with mailman is that it sometimes reorders the
>> dkim-signature header field itself which causes the signature to break. I've
>> been trying to figure out where in the code it does that so that we could
>> either fix it or compensate for it when I'm creating the signature itself.
>>     
>
>
> Other than the code which removes these headers, Mailman doesn't touch
> them. If they get modified in Mailman processing, it would have to be
> in the Python email library in the process of parsing the raw message
> into an email message object and then ultimately converting the
> message object back into raw text to be sent, but I don't think the
> email library does anything to headers that aren't explicitly
> processed in some way.
>
>   
That's something to go on. I haven't been able to figure out what exactly
triggers this behavior because it doesn't appear to be very consistent.


       Mike

More information about the Mailman-Developers mailing list