If the DomainKey-Signature header explicitly carries an h= list
and non-listed headers need to be removed before
computing the digest and verifying the signature,
dk-milter-0.4.1 (in verification mode) passes an empty
line (a CRLF) in place of each removed header field to
the message digest algorithm, which causes
signature verification to fail. The correct behaviour
is to completely ignore non-listed header fields.
A workaround for a verification-only milter is to
specify (a redundant) option -H, which should have no
effect on the verification mode, but actually changes
internal program flow which somehow avoids the
- run dk-milter with option -b v, (and no -H)
- let it verify a message with explicit h= list
which does not include all header fields present.
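
The effect described above can be shown with a simplified model of the digest input. This is an added example, not dk-milter code: the sample message, the function names and the `blank_for_removed` switch are constructed for illustration, header canonicalization is reduced to "name: value CRLF", and only the SHA-1 digest is computed (no RSA step).

```python
import hashlib

CRLF = b"\r\n"

# Constructed sample message (not taken from the report).
HEADERS = [
    (b"Received", b"from mx.example.org by mail.example.net"),
    (b"From", b"alice@example.org"),
    (b"To", b"bob@example.net"),
    (b"Subject", b"test"),
    (b"X-Mailer", b"ExampleMUA 1.0"),
]
BODY = b"Hello Bob.\r\n"
H_TAG = "from:to:subject"  # explicit h= list that omits two headers


def parse_h_tag(h_tag):
    """Return the lower-cased header names listed in an h= tag value."""
    return {n.strip().lower().encode() for n in h_tag.split(":") if n.strip()}


def digest_input(headers, body, h_tag, blank_for_removed=False):
    """Build the byte stream fed to the digest.

    blank_for_removed=False: non-listed headers are ignored entirely
    (the correct behaviour per the report).
    blank_for_removed=True: a CRLF is emitted in place of each removed
    header (the behaviour the report describes for verification mode).
    """
    listed = parse_h_tag(h_tag)
    out = bytearray()
    for name, value in headers:
        if name.lower() in listed:
            out += name + b": " + value + CRLF
        elif blank_for_removed:
            out += CRLF
    out += CRLF + body  # header/body separator, then the body
    return bytes(out)


def verifier_agrees(headers, body, h_tag, blank_for_removed):
    """Compare the signer's digest with the digest a verifier computes."""
    signer = hashlib.sha1(digest_input(headers, body, h_tag)).hexdigest()
    verifier = hashlib.sha1(
        digest_input(headers, body, h_tag, blank_for_removed)).hexdigest()
    return signer == verifier
```

When the h= list names every header present, nothing is removed and both variants produce the same digest, which matches the report's condition that the failure needs an h= list that does not include all header fields.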