On Thu, 7 Jun 2007, Steven M Jones wrote:
> When I sent messages from Thunderbird on the laptop, through my colo'd
> server, to the reflector at sendmail.net, the DKIM signatures created by
> my colo'd server verified. But when I sent to other reflectors like
> Alt-N or Port25, the signatures failed. If I sent my test message to the
> sendmail.net reflector and *any* other recipient, then the sendmail.net
> reflector would *not* be able to verify the signature. But if I went
> back to using the sendmail.net reflector alone, that signature would
> verify.
>[...]
Did you try sending messages to the sendmail.net autoresponder with "r="
in your policy? The failed message should send canonicalizations back to
the address advertised there. If you've rigged your dkim-filter to save
canonicalizations, you can then simply "diff" yours versus the one
returned to you and see what changed in transit.
The only problem reported to date with respect to Thunderbird and "simple"
header canonicalization has to do with how the From: and/or To: headers
are constructed by the MUA when there's no full name associated with an
address that's in the address book. In that case, it looks like an
expansion of "%s <%s>" takes place with the first token being the full
name and the second being the e-mail address; when the first token is
empty, a space is used rather than the empty string, so the header
produced looks like (for example):
To: <[EMAIL PROTECTED]>
This is how dkim-filter will see it as the MTA passes it in directly.
MTA versions prior to 8.14 tried to be helpful and removed the errant
space before transit; however, this means the header that got signed and
the header that got verified were not the same and thus the verification
could never succeed. Since "relaxed" header canonicalization crushes
multiple spaces down to one, the rewrite code in that case was a no-op and
verification succeeds.
_FFR_ANTICIPATE_SENDMAIL_MUNGE does this rewriting before
canonicalization, so the signed and verified headers match and
verification succeeds. Also, sendmail 8.14 allows the filter to request
that the munging not happen, so if you're running sufficiently recent code
then this shouldn't be a problem.
So, I'd recommend trying the test I described above to get the
canonicalization from both ends and "diff" them for the failing
configuration. This process is also described in dkim-filter/README under
"DEBUG FEATURES". If your canonicalization diff test yields something
other than what I described above, or if you're seeing this with sendmail
8.14, let me know.
--
Murray S. Kucherawy ========================================= [EMAIL PROTECTED]
Principal Engineer Sendmail, Inc. Emeryville, CA, USA
(510) 594-5400 http://www.sendmail.com
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
