In general in these situations, there's something changing the message between the time the filter affixes the signature header and its receipt at a verifier.
As I'm unfamiliar with postfix, I'm left to guess at what that might be in your environment. With sendmail, for example, there are features which alter the headers to do things like replace your fully-qualified hostname with your outward-facing domain name. Unfortunately features like this, though aesthetically pleasing, thwart digital signatures that involve the changed headers, such as DKIM. You should audit your postfix configuration to see if any of the features you're using there might cause something like this to happen. Another thing you can try is to activate the "Diagnostics" feature. This causes a copy of your signed headers to be included in the signature. Then at a verifier, it's possible to see what changed between the headers that got signed and the ones seen on arrival. You would just need to send to a verifier that either automatically makes that analysis, or is run by someone who can do so manually. Let me know if you need that facility and I can set one up. There's some much more detailed debugging you can activate as well, but I'll explain that process later if these two steps don't solve the problem. ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ dkim-milter-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
