On Sat, 5 Jan 2008, Andrew Haveland-Robinson wrote:
> No, not relying on gmail, just noticed it didn't verify. Perhaps signed
> messages should be delimited to protect against appendices, and made clear
> where the authentication begins and ends?
> Like the OSI 7 layer model, can't dkim not make use of wrappers and
> encapsulation to preserve integrity during transmission/forwarding?

DKIM does have ways to do that (e.g. the "l=" tag), plus the mailing list manager or whatever is munging the message en route could simply re-sign the mail after making the changes it wants to make. I don't think gmail is using either method at the moment.

> I used a couple of dkimi test addresses... my test messages did verify ok,
> however my verification of the reply from [EMAIL PROTECTED] gave:
> Authentication-Results: gaia.haveland.com; dkim=permerror (verification
> error: signature timestamp in the future) [EMAIL PROTECTED]
>
> My ntp source is a nuclear physics research institute, and I'm sure my time
> is accurate so I think someone ought to check the machine.

That means your dkim-filter checked the timestamp in the signature against its view of local time and found that they're out of order (i.e. the signature had a timestamp later than what you think the current time is) by enough of a difference to complain about it (see the "ClockDrift" configuration option). Clearly though if your clock is correct then the signing machine's clock is out of whack.

> I will try and get it to do a core dump and get a trace.

That would be ideal.

-MSK
_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
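
An added illustration of the two checks discussed in the reply above (not part of the original message and not dkim-filter's own code): comparing the signature's "t=" and "x=" tags with the verifier's clock under a drift tolerance, and finding the body bytes that "l=" leaves unsigned. The function names, the 300-second tolerance and the sample signature and body are assumptions constructed for the example.

```python
import re

def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def check_timestamp(tags, now, clock_drift=300):
    """Compare t= and x= with the verifier's clock.

    clock_drift is the tolerance in seconds (300 is an assumed value here).
    """
    t, x = tags.get("t"), tags.get("x")
    for value in (t, x):
        if value is not None and not re.fullmatch(r"[0-9]+", value):
            return "malformed timestamp"
    if t is not None and int(t) > now + clock_drift:
        return "signature timestamp in the future"
    if x is not None and int(x) + clock_drift < now:
        return "signature expired"
    return "ok"

def unsigned_tail(tags, canon_body):
    """Return the canonicalized body bytes that l= leaves outside the body hash."""
    if "l" not in tags:
        return b""  # no l=: the whole body is hashed
    return canon_body[int(tags["l"]):]

if __name__ == "__main__":
    # Constructed sample: signer's clock runs 10 minutes ahead of the verifier's.
    now = 1199534400
    sig = ("v=1; a=rsa-sha256; d=example.org; s=sel; t=1199535000; l=12;"
           " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
    body = b"Hello list\r\n" + b"-- \r\nlist footer\r\n"  # footer added in transit
    tags = parse_tags(sig)
    print(check_timestamp(tags, now))                   # 600 s ahead, 300 s allowed
    print(check_timestamp(tags, now, clock_drift=900))  # wider tolerance
    print(unsigned_tail(tags, body))                    # bytes a verifier cannot vouch for
```

Anything returned by unsigned_tail is content the signature says nothing about, so a verifier that accepts "l=" should treat it as unauthenticated.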
