I was running dkim-filter (milter) 1.0.0 for a very long time, with 100% success on CentOS 5 with Postfix 2.4.5.
My server was moved to a new data center, so a new IP address was assigned, and dkim-milter might have broken in the process (possibly due to keys needing to be regenerated). Instead of searching that out, I downloaded/built/installed dkim-milter 2.5.2. I have it all working correctly (sort of) with some notable exceptions.

One more bit of background. I run multiple domains on the machine (all get signed correctly) and one remote domain that I sign for but am _not_ the mail server for (this is the root cause of the problem). That domain gets signed correctly on the way out as well.

When I run tests with sa-test at sendmail.net with any domain that is hosted on my server, everything works as expected. They correctly verify my signatures (each domain has its own selector) and I correctly verify their response. When I run a test for the one remote domain, they _correctly_ verify that my domain has signed the other domain, with the correct selector, but when they send the reply to the other domain, and it gets forwarded (via an alias!) back to me, dkim-milter reports:

Apr 11 10:01:32 new dkim-filter[5030]: B780A614F84: bad signature data

I get the X-DKIM header (showing version 2.5.2), but not the "Authentication-Results" header (it's not there; I would have thought it would show the failure, so perhaps that's a clue?!?).

To summarize: when sending a test mail from my server to sendmail.net, if their response goes to a third server, which forwards their response back to the original server via an alias, the original server throws a "bad signature" error.

I have a few more strange problems that are probably just my complete misunderstanding of how the options should work. When the above problem first happened, my server bounced the mails, because I had the following option:

-C bad=r

So far so good. I added "-q" and the server correctly "held" the mail instead of bouncing it. Also good. Then I changed it to "-C bad=a", but left the "-q", and the mails still get held. Shouldn't "bad=a" _accept_ the mail, overriding the "-q"?

Finally, I added the third server to my peerlist (-a), which I thought would make my server stop trying to verify, but I still get "bad signature" whenever that server auto-forwards a mail to me that has a signature that my server created.

Any help/pointers would be greatly appreciated. I would be delighted to turn on any kind of debugging information for the logs if that would shed some light.

Thanks in advance!

_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
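The alias hop in the report above is the point where a signature made on one host is re-verified on another, and the body hash (the bh= tag) is the part of DKIM that decides whether a forwarder's edits are tolerated. As an added illustration, not code from the post or from dkim-milter, the block below implements RFC 4871 "simple" and "relaxed" body canonicalization over a constructed message and shows which forwarder edits leave bh= intact; it does not claim this is the cause of the poster's "bad signature data" message, and it leaves out header canonicalization and the RSA check.

```python
import base64
import hashlib
import re

# Constructed sample bodies with CRLF line endings, as they travel on the wire.
ORIGINAL = b"Hello,\r\n\r\nThis is   the test\tmessage.\r\n"
EXTRA_BLANK = ORIGINAL + b"\r\n\r\n"                          # forwarder appended blank lines
WSP_CHANGED = b"Hello,\r\n\r\nThis is the test message. \r\n"  # tabs and space runs rewritten
FOOTER = ORIGINAL + b"-- forwarded via alias --\r\n"          # forwarder appended a footer line


def canon_body_simple(body: bytes) -> bytes:
    """RFC 4871 3.4.3: drop empty lines at the end of the body, guarantee a final CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 4871 3.4.4: strip trailing WSP per line, collapse WSP runs to one SP,
    drop empty lines at the end, guarantee a final CRLF on a non-empty body."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    canon_fn = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}[canon]
    return base64.b64encode(hashlib.sha256(canon_fn(body)).digest()).decode()


def survives(original: bytes, forwarded: bytes, canon: str) -> bool:
    """True if a verifier recomputes the signer's bh= despite the forwarder's edits."""
    return body_hash(original, canon) == body_hash(forwarded, canon)


if __name__ == "__main__":
    cases = (("blank lines", EXTRA_BLANK), ("whitespace", WSP_CHANGED), ("footer", FOOTER))
    for name, fwd in cases:
        print(f"{name:12} simple={survives(ORIGINAL, fwd, 'simple')} "
              f"relaxed={survives(ORIGINAL, fwd, 'relaxed')}")
```

Trailing blank lines survive under both algorithms, whitespace rewrites survive only under relaxed, and an appended footer breaks the hash under both, which is why a forwarder that touches the body content produces a signature failure at the next verifier.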
