From: Peter W. <pw...@ch...> - 2008-02-05 14:48:12
Hello,

> Your MS Exchange server is inserting a Return-Path header which
> causes the "bad" signature. Use the "-o" parameter to omit that
> header when signing.

We're using Sendmail, not Exchange, for the messages in question. In any case, I added "-o Return-Path" to the dk-filter startup arguments, restarted Sendmail and domainkeys, and Yahoo is still saying that our signature is bad. If I add the -H option back to the dk-filter startup arguments, the signature turns out good, regardless of whether -o Return-Path is present.

Here's the DomainKey signature header, as seen with the -H option on and the -o Return-Path option off. This signature is "good".

(Authentication-Results: mta219.mail.mud.yahoo.com from=christianbook.com; domainkeys=pass (ok))
DomainKey-Signature: a=rsa-sha1; s=relay; d=christianbook.com; c=nofws; q=dns;
  h=from:to:subject;
  b=qZ7/cmEppm7lqiKJZtgPPfjWy2HqGUiD4sKX2jBHHPEoFaDrbSt1R9hSGzMnORu7F
  RvAA4wdB5AYOzkwlGfiZY/80toOg90nssFGEGVR49HjB+ItKZSz+7IvqAMjhK6h

Here's the signature with -H turned on and -o Return-Path turned on. This signature is also "good".

(Authentication-Results: mta195.mail.mud.yahoo.com from=christianbook.com; domainkeys=pass (ok))
DomainKey-Signature: a=rsa-sha1; s=relay; d=christianbook.com; c=nofws; q=dns;
  h=from:to:subject;
  b=qZ7/cmEppm7lqiKJZtgPPfjWy2HqGUiD4sKX2jBHHPEoFaDrbSt1R9hSGzMnORu7F
  RvAA4wdB5AYOzkwlGfiZY/80toOg90nssFGEGVR49HjB+ItKZSz+7IvqAMjhK6h

Here's the signature with -H turned off and -o Return-Path turned off. This signature is "bad".

(Authentication-Results: mta251.mail.re2.yahoo.com from=christianbook.com; domainkeys=fail (bad sig))
DomainKey-Signature: a=rsa-sha1; s=relay; d=christianbook.com; c=nofws; q=dns;
  b=qZ7/cmEppm7lqiKJZtgPPfjWy2HqGUiD4sKX2jBHHPEoFaDrbSt1R9hSGzMnORu7F
  RvAA4wdB5AYOzkwlGfiZY/80toOg90nssFGEGVR49HjB+ItKZSz+7IvqAMjhK6h

Here's the signature with -H turned off and -o Return-Path turned on. This signature is also "bad".

(Authentication-Results: mta127.mail.re4.yahoo.com from=christianbook.com; domainkeys=fail (bad sig))
DomainKey-Signature: a=rsa-sha1; s=relay; d=christianbook.com; c=nofws; q=dns;
  b=qZ7/cmEppm7lqiKJZtgPPfjWy2HqGUiD4sKX2jBHHPEoFaDrbSt1R9hSGzMnORu7F
  RvAA4wdB5AYOzkwlGfiZY/80toOg90nssFGEGVR49HjB+ItKZSz+7IvqAMjhK6h

> > Also, it seems to me that the -H flag is forcing Milter insert messages
> > to be written to the syslog, even though we are not using the -l flag.
> > Is there any reason for that?
>
> That insert message is generated by sendmail and not by dk-filter.

Is it possible to configure sendmail not to log the Milter inserts, while still logging other events?

Thanks,
Peter