> From: Yuri D'Elia <wavexx@???>
> I would really love to reject invalid DKIM signatures outright,

What for - for spam filtering? Did you ever see a DKIM signature present
in a spam (not through a legitimate mailing list) but broken?
Spammers do make DKIM signatures, but for domains they control,
correct signatures.

> but many
> mailing lists simply don't strip the original signature while changing
> the body.
>
> I've come to the conclusion that the only thing that I can really do is
> check all signatures (for further steps in processing), but reject the
> message if the DKIM signature for the sender envelope is broken. This
> would fix mailing lists that re-sign the message (basically by checking
> just the last signature - if any), but I'm wondering about side effects.
>
> Let's take this (untested) snippet:
>
> deny
>   condition = ${if eq{$sender_address_domain}{${domain:$return_path}} {1}{0}}
>   sender_domains = ${domain:$return_path}
>   dkim_signers = ${domain:$return_path}
>   dkim_status = fail

The $return_path variable is for sending messages, not receiving.

  deny dkim_signers = $sender_address_domain
       dkim_status = fail

> so here we only consider signatures for the envelope sender's domain (if
> any). If there is one, and it's broken, we reject the message. If a DKIM
> signature was just appended by a mailing list which rewrote the message
> by properly using VERP, this should work. Or not?

If a mailing list or a forwarder doesn't alter envelope-from but
changes something then you'll reject legitimate mail. For example,
if a forwarder wrongly suspected that the forwarded letter is spam
and marked it in Subject.

I think that this check can cause only harm without any benefit.