Wieste : apparently, the php script uses htmlMimeMail5.php, that you can find here: http://code.google.com/p/punchcms/source/browse/trunk/manager/libraries/htmlMimeMail5/htmlMimeMail5.php?r=87. I think it could be as buggy as you described, i'll try to dump the Raw message.
Viktor : thank you for the tip, i didin't figure the difference between relaxed and simple, thank you. Your strategy for detecting post-added fields seems good! I'll give it a try! Jean-Christophe BEGUE Ingénieur R&D - Devisubox Marseille - France +33 6 89 64 45 88 http://www.devisubox.com 2013/11/21 Viktor Dukhovni <[email protected]> > On Thu, Nov 21, 2013 at 09:07:44AM -0500, Wietse Venema wrote: > > > > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=devisubox.com; > s=mail; > > > t=1385028965; bh=75o/sAM/Vtv41UrIwg0b4q1zZtrst1XwSPtjrKyZij0=; > > > > h=To:Subject:From:Reply-To:Content-Type:Content-Transfer-Encoding: > > > Message-Id:Date; > > > > This email contains Content-Type: and Content-Transfer-Encoding: > > without MIME-Version: header. That is the result of buggy software. > > Furthermore, "simple" canonicalization is too fragile, use "relaxed" > at least for the headers. I would add "Cc" and "Content-Disposition" > and all the above to the list headers signed even when absent (thus > detecting downstream insertion as a DKIM signature failure). > > -- > Viktor. >
