Re: [courier-users] Using courierfilter to modify outbound mail
From: Alessandro V. <ve...@ta...> - 2022-04-08 09:42:03
On Fri 08/Apr/2022 03:02:24 +0200 Sam Varshavchik wrote:
> MK via courier-users writes:
>
>> However, doing a minimal DKIM hash of the From and body is dependent on
>> those fields not subsequently changing. I have read in some posts that
>> courier may do some re-writing or re-structuring. Is there a potential
>> problem here, or am I good to go?
>
> Yes, this is a very remote possibility but this can happen.
>
> If Courier tries to send a message with non-7bit content to a mail server that
> does not claim 8BITMIME support Courier will re-encode the message into safe
> 7-bit quoted-printable encoding.

Another case is the length of To:, From:, Cc:, wrapped to 70 chars by rfc822_getaddrs_wrap().

> I always took a position that cryptographic signatures of encoded MIME content
> was a fundamental design flaw, right from their inception. Cryptographic hashes
> should be calculated on the content before it gets MIME-encoded, not after, so
> that the signatures remain valid if the mail content gets re-encoded.

100% agreed. There were some proposals[*], but had no traction.

> But, that's already a done deal, a lot of water under the bridge. Also, by now
> the chances of encountering a 7-bit dinosaur on the Internet are very rare.
> But, technically this can happen and everything will break.

Also quite rare is replacing "From " with ">From ", adding antivirus results as a footer, and similar.

> If you have control over the mail then if you make sure that it does not have
> 8-bit content, or if it's already quoted-printable-encoded then you're out of
> the woods.

For plain text messages, however, quoted printable is rather weak. If a mailing list converts it to base64 it can hardly be recovered.

> And it would've been real nice if DKIM used MIME and a multipart/signed content
> type, to indicate signed content. Courier is smart enough not to reencode
> something that's explicitly identified as signed content. But that was another
> missed opportunity, and more water under the bridge.

Well, the presence of a DKIM-Signature identifies the body and part of the header as signed. Courier can be configured with NOADDRREWRITE, BOFHBADMIME and MIME.

Best
Ale
--

[*] For example:
draft-crocker-dkim-doseta-00  DomainKeys Security Tagging (DOSETA)  2011-01-13
draft-crocker-dkim-rfc4871bis-doseta-00  DomainKeys Identified Mail (DKIM) Signatures - Over DOSETA  2011-01-13
draft-crocker-doseta-base-03  DomainKeys Security Tagging (DOSETA)  2011-07-11
draft-crocker-doseta-mimeauth-00  MIME Content Authentication using DOSETA (MIMEAUTH)  2011-02-23
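
The breakage discussed in this thread, as an added example that is not part of the original message or of Courier's code: the DKIM body hash (`bh=`, sha256 with "simple" canonicalization) is computed over an 8-bit body, then over the same body after a quoted-printable downgrade, and the two differ, while a hash taken over the decoded content stays the same. The function names, the sample body and the use of Python's `quopri` as a stand-in for the relay's re-encoding are assumptions made for illustration; `content_hash` illustrates the "hash before MIME encoding" idea and is not a DKIM or DOSETA mechanism.

```python
import base64
import hashlib
import quopri


def simple_body_canon(body: bytes) -> bytes:
    """DKIM "simple" body canonicalization (RFC 6376, section 3.4.3)."""
    while body.endswith(b"\r\n\r\n"):      # ignore empty lines at the end
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def body_hash(body: bytes) -> str:
    """Value a sha256 signer would place in the bh= tag for this body."""
    digest = hashlib.sha256(simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def reencode_to_qp(body: bytes) -> bytes:
    """Assumed stand-in for a relay's 8-bit to quoted-printable downgrade."""
    return quopri.encodestring(body)


def content_hash(body: bytes, cte: str) -> str:
    """Hash over the decoded content, i.e. taken before transfer encoding."""
    decoded = quopri.decodestring(body) if cte == "quoted-printable" else body
    return body_hash(decoded)


# Constructed sample: a UTF-8 (8-bit) body as the signer saw it, and the same
# body as it would arrive after a hop that lacks 8BITMIME.
SIGNED_BODY = "Caf\u00e9 r\u00e9sum\u00e9 attached.\r\nRegards\r\n".encode("utf-8")
RELAYED_BODY = reencode_to_qp(SIGNED_BODY)

if __name__ == "__main__":
    print("relayed body:      ", RELAYED_BODY)
    print("bh at signer:      ", body_hash(SIGNED_BODY))
    print("bh at verifier:    ", body_hash(RELAYED_BODY))
    print("decoded-content bh:", content_hash(RELAYED_BODY, "quoted-printable"))
```

A verifier that sees a `bh=` mismatch on mail whose Content-Transfer-Encoding differs from what the signer sent can use the same comparison to tell a transfer re-encoding apart from a change to the content itself.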