DKIM smtpd_milter before SA content-filter: still valid signing

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

DKIM smtpd_milter before SA content-filter: still valid signing

André Peters
Hello,

I am a bit curious about this:

I run a smtpd_milter to sign mail via OpenDKIM. This happens
before-queue, right?
Next this signed mail goes through a Spamassassin content-filter, which
adds some X-Headers after-queue.

How can this mail still have a valid DKIM signature? Don't get me wrong,
that's what I want.
Both relaxed and simple header canonicalization algorithm seem to not
care about added X-Headers.
Is this by design? Or am I missing something in Postfix' architecture?

This is my listener for mail submission:

10587     inet  n       -       -       -       -   smtpd
   -o smtpd_upstream_proxy_protocol=haproxy
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o
smtpd_sender_restrictions=check_sender_access,hash:/etc/postfix/smime_sender_access
   -o content_filter=spamassassin
   -o smtpd_milters=inet:127.0.0.1:5432


Thanks!

André


smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: DKIM smtpd_milter before SA content-filter: still valid signing

A. Schulze

André Peters:

> I run a smtpd_milter to sign mail via OpenDKIM. This happens
> before-queue, right?
in your setup, right.

> Next this signed mail goes through a Spamassassin content-filter, which
> adds some X-Headers after-queue.

> How can this mail still have a valid DKIM signature?
OpenDKIM don't sign X- headers by default and your spamassassin don't  
alter the messages.
So the signatures keep valid.

Andreas