Jim Fenton wrote: > Alin Năstac wrote: > >> I have the following environment: >> - SSP record: _ssp._domainkey IN TXT "dkim=strict" >> - my selectors are in following form: tsr._domainkey IN TXT "k=rsa\; >> p=..." - one host sends cron job outputs through a secondary mail >> server of mine, which signs all mail originating from my domains, >> (including subdomains) using its own key. The cron daemon sends mail >> using [EMAIL PROTECTED] as originator address. >> - the subdomain part of the sender address is an A record >> >> The mail gets signed and everything, but when my primary server >> receives it, authentication fails with >> >> dkim=hardfail (SSP) [EMAIL PROTECTED] >> >> Am I doing something wrong or is this a bug of dkim-filter? >> > Alin, > > It looks like the i= address in your signature doesn't include the > hostname that is in the From address in the message. For that reason, > the signing address does not match the From address, and since you have > published Strict practices, the SSP check fails. > > dkim-filter doesn't generate a signature with i= tag and therefore is considered to be the default (namely @mydomain.com).
I think the problem is generated by the signing dkim-filter daemon, which should have set [EMAIL PROTECTED] in DKIM-Signature when following conditions are satisfied: - the originator address is [EMAIL PROTECTED] - "SubDomains Yes" is present in dkim-filter.conf - the selector TXT record doesn't have t=s
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________ dkim-milter-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
