On 11/11/2014 2:38 AM, Patrick von der Hagen wrote:
However, since you can confirm that DKIM-signatures are not broken in
the general case and your problem is specific to your bank, I boldly
state: your bank got it wrong. And I'd really place a bet, that the
first server in the chain adds a valid DKIM-signature and the second one
breaks it. Like adding a disclaimer to the message only if it is leaving
the corporate network and thus breaking the signature in a way that is
not detected by their staff if they only test their setup internally.

It appears in this case the problem starts much earlier. Exim's DKIM verifier reports:
   body hash mismatch
It is supposed to be SHA256 computed on relaxed canonical format. (Based on the header info)

I have confirmed that a body hash computed using these parameters does not agree with the one in the header. So, I have to agree with:

your bank got it wrong

But it is the original signature that is broken. If the hashes are computed wrong to begin with, there is no possibility of ever matching a signature computed over the hashes.

Furthermore, after trying out numerous combinations (using openssl dgst) to create hashes, I have yet to figure out how Chase could have come up with the hash they show. (Using simple instead of relaxed; using different hash algorithms; playing with the text; changing the line ends to unix; ...)


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
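The check described in the message above (recompute bh= from the body, under the canonicalization and hash named in the DKIM-Signature header, and compare it with the signer's value) as an added example, not code from this thread or from Exim. It implements the body canonicalization rules of RFC 6376 section 3.4 for both "simple" and "relaxed", then repeats the "try every combination" search the poster did with openssl dgst. The message, the domain example.com, the selector sel1 and the bh=/b= values are constructed for the example; the bh= is a deliberate placeholder that no canonicalization of the body reproduces, standing in for a broken signer's value.

```python
"""Recompute a DKIM body hash (bh=) and compare it with the signer's value.

Added example, not from the exim-users thread or from Exim. Body
canonicalization follows RFC 6376 section 3.4 (simple and relaxed), which
is what a verifier applies before reporting "body hash mismatch".
"""
import base64
import hashlib
import re

# Constructed sample message (not a real bank mail). The bh= is a placeholder
# that matches nothing; b= is likewise a placeholder and is never verified here.
SAMPLE_MESSAGE = (
    b"From: alerts@example.com\r\n"
    b"To: customer@example.net\r\n"
    b"Subject: Account notice\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    b"\ts=sel1; h=from:to:subject; bh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=;\r\n"
    b"\tb=placeholder\r\n"
    b"\r\n"
    b"Dear customer,\r\n"
    b"\r\n"
    b"Your statement  is ready.  \r\n"
    b"\r\n"
    b"\r\n"
)

HASHES = {"rsa-sha1": "sha1", "rsa-sha256": "sha256"}


def canonicalize_body(body: bytes, method: str) -> bytes:
    """Apply RFC 6376 body canonicalization. Accepts LF or CRLF line endings."""
    if method not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {method}")
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    if method == "relaxed":
        # Collapse runs of WSP to a single SP and drop WSP at the end of each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    # Both methods ignore empty lines at the end of the body.
    while body.endswith(b"\r\n"):
        body = body[:-2]
    # simple: the body always ends in exactly one CRLF (an empty body becomes CRLF).
    # relaxed: a non-empty body ends in CRLF, an empty body stays empty.
    if method == "simple" or body:
        body += b"\r\n"
    return body


def body_hash(body: bytes, method: str, algorithm: str = "sha256") -> str:
    """The bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def split_message(raw: bytes):
    """Split a raw RFC 5322 message into header block and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def dkim_tags(head: bytes) -> dict:
    """Return the tag=value pairs of the first DKIM-Signature header, unfolded."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)  # RFC 5322 header unfolding
    for line in unfolded.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"dkim-signature":
            tags = {}
            for item in value.split(b";"):
                key, eq, val = item.partition(b"=")
                if eq:
                    # Folding whitespace inside tag values (bh=, b=) is not significant.
                    tags[key.strip().decode()] = re.sub(rb"\s+", b"", val).decode()
            return tags
    raise ValueError("no DKIM-Signature header")


def body_canon_from_tags(tags: dict) -> str:
    """c= is header/body; the body method defaults to simple when absent or omitted."""
    c = tags.get("c", "simple")
    return c.split("/", 1)[1] if "/" in c else "simple"


def check_body_hash(raw: bytes) -> dict:
    """Recompute bh= as a verifier would and report whether it matches the header."""
    head, body = split_message(raw)
    tags = dkim_tags(head)
    method = body_canon_from_tags(tags)
    if tags.get("a") not in HASHES:
        raise ValueError(f"unsupported a= value: {tags.get('a')}")
    algorithm = HASHES[tags["a"]]
    computed = body_hash(body, method, algorithm)
    return {"canon": method, "algorithm": algorithm, "signed_bh": tags["bh"],
            "computed_bh": computed, "match": computed == tags["bh"]}


def search_variants(body: bytes, signed_bh: str) -> list:
    """Which canonicalization/digest/line-ending combination reproduces the signer's bh=?"""
    hits = []
    for method in ("simple", "relaxed"):
        canon = canonicalize_body(body, method)
        for algorithm in ("sha256", "sha1"):
            for endings, data in (("crlf", canon), ("lf", canon.replace(b"\r\n", b"\n"))):
                candidate = base64.b64encode(hashlib.new(algorithm, data).digest()).decode()
                if candidate == signed_bh:
                    hits.append((method, algorithm, endings))
    return hits


if __name__ == "__main__":
    result = check_body_hash(SAMPLE_MESSAGE)
    print(result)
    if not result["match"]:
        body = split_message(SAMPLE_MESSAGE)[1]
        print("body hash mismatch; combinations reproducing the signer's bh=:",
              search_variants(body, result["signed_bh"]) or "none")
```

Run against a saved message in this form and an empty result from search_variants means the same thing the poster found: the signer's bh= was not produced by any standard canonicalization of the body it sent, so no verifier can ever match it, and no downstream relay needs to be blamed.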