I think I found some problem with NOFWS signing messages and created a patch for it.
1) a list of headers used to calculate the signature (h=..) should always be created. Lots of mailer daemons, anti-virus scanners and mailing services add additional headers at the end of the list. eg: www.gmx.net and others. If the signature is checked against the altered mail it will certainly fail. So I added proper code and two functions to be able to read a list of headers used to calculate the signature.
2) During my tests validating the sent messages always failed. I found out that validation was successful if the "h=" list was removed. Scrutinizing the code I found the following:
* if a header list is set then this list is looped to find the proper header. these steps are taken:
a) get a header name from the "h=" list ("RECEIVED")
b) start searching for this name in the list of mail headers
c) use the FIRST occurence of this header
d) get back to a
you have a big problem if there are more than one header lines with the same name, as it usually is with "RECEIVED". During verification the first occurence will be used multiple times instead of each one only once. Therefore validation failes.
The solution would be to exchange the loops. Get a mail header line and search for it in the list of headers. Then erase the header name from the header list. I have done that and additionally have rewritten the code to fit into function "dkheaders" instead of "dkheaders_headers".
3) unfortunately there are a lot of mail filters that do not care about the order of the mail header lines. Especially qmail-scanner gives damn about it. If the mail is sent to another mail server using qmail-scanner, the previous "X-Spam-Status" line may be removed and relocated at the top of the mail, with new values. If this header has been used to calculate the signature then verifying the signature fails (of course properly). I think there are a lot more programs that reposition some header lines occasionally. In order to be able to cope with these without reprogramming every of them, the environment variable DKIGNORE is introduced. This contains a list of header names that should not be used for signing, separated by colons ':'. Now "X-Spam-Status" can be ignored when calculating the signature. eg: "X-Spam-Level:X-Spam-Status". Checks are made case insensitive.
I think the DomainKeys draft does not forbid ignoring some header if in "nofws" mode lines and I think it complies with validation standard procedure if a "h=" list of used headers is included in the signature.
To achive this major rewriting of "dkheaders" was necessary.
I have tested the included patch extensively but bugs may still exists. Please drop me a line if you find some.
In case you have any questions or need some further explanations feel free to contact me:
per (dot.) sil (at-@) gmx (dot.) it
PS: Happy new year!!