I'm not sure if this is covered by the ANTICIPATE_SENDMAIL_MUNGE FFR
or not, perhaps somebody can tell from the description that follows. I
have a workaround in place, but would like to understand the root cause
someday.

I have a colo'd server (versions of things appended) that will accept
submissions using SMTP AUTH on port 25. This is how I've used various
Linux and Mac laptops to send email for around 2.5 years now. The sid-
and dkim-milters were recently deployed in response to the dkim-milter
1.0.0 release.

When I sent messages from Thunderbird on the laptop, through my colo'd
server, to the reflector at sendmail.net, the DKIM signatures created by
my colo'd server verified. But when I sent to other reflectors like
Alt-N or Port25, the signatures failed. If I sent my test message to the
sendmail.net reflector and *any* other recipient, then the sendmail.net
reflector would *not* be able to verify the signature. But if I went
back to using the sendmail.net reflector alone, that signature would
verify.

Messages sent from Evolution on the same laptop verified, no matter how
many recipients were involved or which reflector was used. Messages
sent from mutt running on the colo'd server were seen to verify, but I
didn't cover all cases with mutt.

I tried disabling all extensions in Thunderbird, but the problem
persisted.

Finally, I ran across some discussion somewhere about the
canonicalization options and decided to try that. I changed the header
canonicalization to "relaxed" and ran my tests again. This time messages
from Thunderbird verified in all cases.

I'll be traveling the next few days, but if somebody wants samples I can
arrange that next week.

FYI,
--Steve.


VERSIONS: On the laptop I have Thunderbird 1.5.0.10 and Evolution 2.8.3
running on Fedora Core 6.

On the server I have FreeBSD 5.3, Sendmail 8.13.3 (I know, I know...),
dkim-milter 1.0.0, sid-milter 0.2.14, SpamAssassin 3.0.3 with v0.3.1 of
the "spamass-milter." (Since this testing, I've added v3.0 of the
milter-greylist package. Order of milters was/is grey, DKIM, SID, SA.)

The server has multiple IPv4 and IPv6 addresses on a single network
interface.

dkim-milter was built out of the then-current FreeBSD "ports" package.
The following options were specified at build-time:

WITHOUT_ALLMAN_SSP_02
WITH_FLUSH_HEADERS
WITH_MULTIPLE_KEYS
WITH_QUERY_CACHE
WITH_SELECT_SIGN_HEADERS
WITH_SET_REPLY
WITH_STATS
WITH_VBR
WITH_VERIFY_DOMAINKEYS
WITH_OPENSSL_PORT

(I had to add a few lines to implement a QUERY_CACHE and MULTIPLE_KEYS
in the Makefile.)

dkim-milter line from the sendmail.cf:

Xdkim-filter, S=unix:/var/run/milterdkim/dkim-filter, F=T, T=R:2m

How dkim-filter was running:

/usr/local/libexec/dkim-filter -h -l -D \
   -i /etc/mail/local-host-addresses -l \
   -p local:/var/run/milterdkim/dkim-filter -u mailnull \
   -P /var/run/milterdkim/pid -d crash.com \
   -k /etc/mail/keys/20070401.private.pem -s 20070401

The local-host-addresses include the IPv4 /32 loopback and the IPv4
/29 block for my assigned colo addresses.

The workaround is to add "-c relaxed/simple" to the above command line.
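
Added example, not part of the original post: a Python implementation of the "simple" and "relaxed" header canonicalizations from the DKIM specification (RFC 4871/6376, sections 3.4.1 and 3.4.2), showing that whitespace and folding changes made to headers after signing break verification under "simple" but not under "relaxed". The sample headers are constructed and do not show what happened to the messages in this report; the digest is simplified to cover the listed header fields only.

```python
import hashlib
import re

def canon_simple(field: str) -> str:
    """'simple' header canonicalization: the field is hashed unchanged."""
    return field

def canon_relaxed(field: str) -> str:
    """'relaxed' header canonicalization (RFC 6376, section 3.4.2)."""
    name, _, value = field.partition(":")
    value = value.rstrip("\r\n")                  # drop the terminating CRLF
    value = re.sub(r"\r\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)         # collapse each WSP run to one SP
    value = value.strip(" ")                      # no WSP after the colon or at the end
    return name.rstrip(" \t").lower() + ":" + value + "\r\n"

def header_digest(fields, canon) -> str:
    """SHA-256 over the canonicalized fields (simplified: a real signature
    also covers the DKIM-Signature field itself)."""
    h = hashlib.sha256()
    for f in fields:
        h.update(canon(f).encode("ascii"))
    return h.hexdigest()

def survives(signed, received, canon) -> bool:
    """True if the verifier computes the same header hash as the signer."""
    return header_digest(signed, canon) == header_digest(received, canon)

# Constructed sample: headers as the signer saw them ...
SIGNED = ["To: a@example.org,\r\n b@example.net\r\n", "Subject: dkim  test\r\n"]
# ... the same headers after a hop re-folded and re-spaced them (constructed) ...
REWRITTEN = ["To: a@example.org, b@example.net\r\n", "subject: dkim test\r\n"]
# ... and with the content of one field actually changed (constructed).
ALTERED = ["To: a@example.org, c@example.net\r\n", "Subject: dkim  test\r\n"]

if __name__ == "__main__":
    for label, received in (("rewritten", REWRITTEN), ("altered", ALTERED)):
        for canon in (canon_simple, canon_relaxed):
            print(label, canon.__name__, survives(SIGNED, received, canon))
```

Relaxed canonicalization only absorbs case, folding and whitespace differences; a change to a field's content still fails under either setting.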


_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
