At 08:00 11-04-2008, Hadar Pedhazur wrote:
>My server was moved to a new data center, so a new IP
>address was assigned, and dkim-milter might have broken in
>the process (possibly due to keys needing to be
>regenerated).

You don't need to regenerate the keys when changing IP addresses.

>One more bit of background. I run multiple domains on the
>machine (all get signed correctly) and one remote domain,
>that I sign for but I'm _not_ the mail server for (this is
>the root cause of the problem). That domain gets signed
>correctly on the way out as well.
>
>When I run tests with sa-test at sendmail.net, with any
>domain that is hosted on my server, everything works as
>expected. They correctly verify my signatures (each domain
>has its own selector) and I correctly verify their response.
>
>When I run a test for the one remote domain, they
>_correctly_ verify that my domain has signed the other
>domain, with the correct selector, but when they send the
>reply to the other domain, and it gets forwarded (via an
>alias!) back to me, dkim-milter reports:
>
>Apr 11 10:01:32 new dkim-filter[5030]: B780A614F84: bad
>signature data

Compare the headers (and body) to see whether there are any changes when the message is forwarded.

>I get the X-DKIM header (showing version 2.5.2), but not the
>"Authentication-Results" header (it's not there, I would
>have thought it would show the failure, so perhaps that's a
>clue?!?).

If there is any failure, it will show up in the maillog.

>Then I changed it to "-C bad=a", but left the "-q", and the
>mails still get held. Shouldn't "bad=a" _accept_ the mail,
>over-riding the "-q"?

The "-q" means that messages which fail verification should be quarantined by the MTA. I am not sure that the above behavior can be labelled as a bug. I suggest using the configuration file instead of command line parameters.

>Finally, I added the third server to my peerlist (-a), which
>I thought would make my server stop trying to verify, but I
>still get "bad signature" whenever that server auto-forwards
>a mail to me that has a signature that my server created.

The peerlist identifies clients whose connections should be accepted without processing by the filter.

Can you post your configuration and maillog?

>Any help/pointers would be greatly appreciated. I would be
>delighted to turn on any kind of debugging information for
>the logs if that would shed some light.

Headers and extracts from the maillog make debugging easier.

Regards,
-sm
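
The header and body comparison suggested in the reply above, as an added sketch that is not part of the original message or of dkim-milter: it canonicalizes the signed headers and the body of a message before and after a forwarding hop and reports which parts changed. It assumes c=relaxed/relaxed and a SHA-256 body hash; the sample messages, addresses, selector and the function names are constructed for illustration.

```python
import base64, hashlib, re

def parse(raw: bytes):
    """Split a raw message into [name, value] header pairs and the body."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    headers = []
    for line in head.decode("latin-1").split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += line            # folded continuation line
        else:
            name, _, value = line.partition(":")
            headers.append([name, value])
    return headers, body

def relaxed_header(name, value):
    # RFC 6376 3.4.2: lowercase name, collapse whitespace runs, trim the value
    return name.strip().lower() + ":" + re.sub(r"[ \t]+", " ", value).strip()

def relaxed_body_hash(body: bytes) -> str:
    # RFC 6376 3.4.4: collapse whitespace, strip line ends, drop trailing empty lines
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ")
             for l in body.replace(b"\r\n", b"\n").split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    digest = hashlib.sha256(b"".join(l + b"\r\n" for l in lines)).digest()
    return base64.b64encode(digest).decode()

def changed_parts(original: bytes, forwarded: bytes):
    """Return the signed headers (and 'body') that differ after forwarding."""
    oh, _ = parse(original)
    fh, fbody = parse(forwarded)
    sig = next(v for n, v in oh if n.lower() == "dkim-signature")
    tags = {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (t.split("=", 1) for t in sig.split(";") if "=" in t)}
    def pick(hs, name):  # simplification: compares every instance of the header
        return [relaxed_header(n, v) for n, v in hs if n.strip().lower() == name]
    changed = [h for h in tags["h"].lower().split(":") if pick(oh, h) != pick(fh, h)]
    if relaxed_body_hash(fbody) != tags["bh"]:
        changed.append("body")
    return changed

# Constructed sample: a signed message and a copy altered by a forwarding hop.
BODY = b"Test reply from the reflector.\r\n"
ORIGINAL = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
            b"\ts=sel1; h=from:to:subject; bh=" + relaxed_body_hash(BODY).encode() +
            b"; b=PLACEHOLDER\r\nFrom: a@example.net\r\nTo: b@example.org\r\n"
            b"Subject: DKIM test\r\n\r\n" + BODY)
FORWARDED = (ORIGINAL.replace(b"Subject: DKIM test", b"Subject: [fwd] DKIM test")
             + b"-- \r\nlist footer\r\n")

if __name__ == "__main__":
    print(changed_parts(ORIGINAL, FORWARDED))
```

Whitespace-only differences do not count as changes under relaxed canonicalization; a message signed with simple canonicalization would need a byte-for-byte comparison instead.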
