Package: spamassassin
Version: 3.3.2-4
Severity: critical
Justification: causes serious data loss
(loss of mail with valid DKIM signature if the user trusts spamassassin)

If the libmail-dkim-perl package is not installed, spamassassin
generates a "X-Spam-Status:" header with T_DKIM_INVALID on messages
having a "DKIM-Signature:" header (whether the signature is valid
or not).

A user who configures his mail system (e.g. via procmail) to reject
messages with T_DKIM_INVALID ends up losing legitimate mail!

A DKIM signature is the kind of information that can normally be
trusted, so that any false positives due to a bug in the verifier
(here, spamassassin) will likely be lost mail.

A solution would be to make spamassassin depend on libmail-dkim-perl,
but this may not be sufficient, and a better solution would be a
check for internal errors (even if libmail-dkim-perl is installed,
an internal error might still be possible, e.g. what about network
related errors that prevent one from checking the signature?).

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spamassassin depends on:
ii  adduser                         3.113+nmu3
pn  libarchive-tar-perl             <none>
ii  libhtml-parser-perl             3.69-2
ii  libnet-dns-perl                 0.68-1.1
ii  libnetaddr-ip-perl              4.062+dfsg-1
ii  libsocket6-perl                 0.23-1+b2
ii  libsys-hostname-long-perl       1.4-2
ii  libwww-perl                     6.04-1
ii  perl                            5.14.2-13
ii  perl-modules [libio-zlib-perl]  5.14.2-13

Versions of packages spamassassin recommends:
ii  gcc                        4:4.7.2-1
ii  gnupg                      1.4.12-4+b1
ii  libc6-dev                  2.13-35
ii  libio-socket-inet6-perl    2.69-2
ii  libmail-spf-perl           2.8.0-1
ii  make                       3.81-8.2
ii  perl [libsys-syslog-perl]  5.14.2-13
ii  re2c                       0.13.5-1
ii  spamc                      3.3.2-4

Versions of packages spamassassin suggests:
pn  libdbi-perl                                  <none>
ii  libio-compress-perl [libcompress-zlib-perl]  2.055-1
ii  libio-socket-ssl-perl                        1.76-1
pn  libmail-dkim-perl                            <none>
pn  libnet-ident-perl                            <none>
ii  perl [libcompress-zlib-perl]                 5.14.2-13
pn  pyzor                                        <none>
pn  razor                                        <none>

-- Configuration Files:
/etc/default/spamassassin changed:
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
NICE="--nicelevel 10"
CRON=1

-- no debconf information
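
Added example, not part of the original report and not spamassassin's own code: a delivery-side guard that acts on T_DKIM_INVALID only when a DKIM verifier could actually have run. It assumes the filter runs under the same Perl installation as spamassassin; the sample message and the action names are constructed for illustration.

```python
import email
import re
import shutil
import subprocess

# Constructed sample (not taken from the report): a signed message tagged
# T_DKIM_INVALID, with the X-Spam-Status header folded after a comma.
SAMPLE = (
    "From: alice@example.org\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; b=AAAA\n"
    "X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,\n"
    "\tT_DKIM_INVALID autolearn=ham version=3.3.2\n"
    "\n"
    "body\n"
)


def spam_tests(raw_message):
    """Rule names from the tests= field of X-Spam-Status, as a set."""
    status = email.message_from_string(raw_message).get("X-Spam-Status", "")
    # The list may be folded after a comma; rejoin before reading the field.
    match = re.search(r"\btests=(\S*)", re.sub(r",\s+", ",", status))
    if not match or match.group(1) == "none":
        return set()
    return {name for name in match.group(1).split(",") if name}


def dkim_verifier_available(perl="perl"):
    """True only if this Perl can load Mail::DKIM::Verifier."""
    if shutil.which(perl) is None:
        return False
    try:
        probe = subprocess.run([perl, "-MMail::DKIM::Verifier", "-e", "1"],
                               capture_output=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return probe.returncode == 0


def dkim_action(raw_message, verifier_ok):
    """Hypothetical delivery policy; the action names are made up here."""
    if "T_DKIM_INVALID" not in spam_tests(raw_message):
        return "deliver"
    if not verifier_ok:
        # No verifier ran, so the tag says nothing about the signature.
        return "deliver-unverified"
    # Even a real verifier can fail internally (e.g. DNS), so hold, not drop.
    return "quarantine"
```

The module probe covers only the missing-package case; the network-related failures raised in the report are why the strictest action here is a quarantine rather than a reject.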

