Bug 358785

Summary: When forwarding an email as message/rfc822 attachment in a signed unencrypted email, header filtering leads to invalid signatures
Product: [Applications] kmail2
Reporter: trempify
Component: composer
Assignee: kdepim bugs <kdepim-bugs>
Status: REPORTED ---
Severity: wishlist
Priority: NOR
Version: 4.14.7
Target Milestone: ---
Platform: Gentoo Packages
OS: Linux
Latest Commit:
Version Fixed In:

Description trempify 2016-01-30 17:26:00 UTC
I forwarded an email as a message/rfc822 attachment. The forwarded e-mail contained headers such as "X-Spam-Score" and some intermediate server filtered these out, despite them being part of the message rather than in the headers of the email I was sending. Because the headers of the forwarded message are included in the multipart/signed PGP signature, the signature is now invalid.

This isn't a bug in KMail as such, but KMail could be set up to work around it (which is why I have marked this bug report as a feature request).

Possible workarounds which could be done by KMail:
* Strip all but standard headers (e.g. Sender, From etc) when forwarding emails as message/rfc822
* Encode message/rfc822 attachments using base64 (or possibly abuse quoted-printable by quoting the header lines even when they do not need to be quoted)

Reproducible: Always

Comment 1 trempify 2016-01-30 17:29:30 UTC
A third possible workaround: don't sign the forwarded message, or include it in a separate multipart/signed part so that at least it is obvious that the forwarded message has been modified but the text written by me is intact.

Comment 2 trempify 2016-01-30 17:35:17 UTC
I would say my preferred solution is to strip all but a whitelist of headers from the forwarded message: the typical 'non-technical' user will not realise they are there and may inadvertently leak information through them. Someone who knows and cares about forwarding headers will still be able to 'View Source' and copy-paste the text (after mangling it so it will not be filtered).
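
Added example (not part of the bug report and not KMail code): a sketch of the header-whitelist workaround, showing that a forwarded message reduced to whitelisted headers passes unchanged through a relay that drops X-Spam-* lines. The whitelist contents, the sample message, the relay model and the use of a SHA-256 digest in place of real OpenPGP verification are all assumptions.

```python
import hashlib

# Assumed whitelist: the report names only "Sender, From etc".
ALLOWED = {"from", "sender", "to", "cc", "subject", "date", "message-id",
           "mime-version", "content-type", "content-transfer-encoding"}

# Constructed sample standing in for the mail being forwarded.
ORIGINAL = (
    "From: alice@example.org\r\n"
    "To: bob@example.org\r\n"
    "Subject: Quarterly report\r\n"
    "X-Spam-Score: 0.1\r\n"
    "X-Originating-IP: [192.0.2.10]\r\n"
    "Received: from mx.example.org\r\n"
    "\tby mail.example.org; Sat, 30 Jan 2016 17:00:00 +0000\r\n"
    "\r\n"
    "See attached figures.\r\n"
)

def strip_headers(raw, allowed=ALLOWED):
    """Keep only whitelisted headers of a raw RFC 5322 message."""
    head, sep, body = raw.partition("\r\n\r\n")
    kept, keep = [], False
    for line in head.split("\r\n"):
        if line[:1] not in (" ", "\t"):  # new header; else folded continuation
            keep = line.split(":", 1)[0].strip().lower() in allowed
        if keep:
            kept.append(line)
    return "\r\n".join(kept) + sep + body

def signed_part(forwarded):
    """The MIME part that the multipart/signed signature covers."""
    return "Content-Type: message/rfc822\r\n\r\n" + forwarded

def relay_filter(part):
    """Constructed model of the intermediate server: drops X-Spam-* lines."""
    return "".join(line for line in part.splitlines(keepends=True)
                   if not line.lower().startswith("x-spam-"))

def survives_relay(forwarded):
    """True if the signed bytes are identical after the relay (digest as proxy)."""
    part = signed_part(forwarded)
    digest = lambda s: hashlib.sha256(s.encode("ascii")).digest()
    return digest(part) == digest(relay_filter(part))

if __name__ == "__main__":
    print("unfiltered attachment survives:", survives_relay(ORIGINAL))
    print("whitelisted attachment survives:", survives_relay(strip_headers(ORIGINAL)))
```

The whitelisted copy also no longer carries the Received and X-Originating-IP lines, which is the information-leak concern raised in Comment 2.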