From: Don L. <dk...@th...> - 2009-06-09 17:42:34
SM wrote:
> Hi Don,
> At 08:31 09-06-2009, Don Levey wrote:
>> Here's the maillog extract for a message sent from my desktop at work,
>> that is not signed:
>>
>> Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094:
>> from=<do...@th...>, size=826, class=0, nrcpts=2,
>> msgid=<4A2...@th...>, proto=ESMTP, daemon=MTA2,
>> relay=gateway.example.com [nnn.nnn.nnn.nnn]
>
> The daemon name is MTA2. You can specify that mails to that daemon
> (-m) should be signed.
>
>> My MUA is Thunderbird; it's set to "Use TLS if available". I'm using
>> similar settings for Thunderbird at home, which *does* sign. Before I
>> had built the external network file and pointed to it using "-I" I was
>> getting the "external host attempted to send" errors in maillog; they
>> don't happen anymore.
>
> That's most likely the problem. Sendmail modifies the headers
> injected by Thunderbird and that invalidates the signature. Can you
> test with another mail client?
>
> ...
> There were several X- headers added by clamav-milter and SpamAssassin
> after the message was signed. Your smarthost (mr02.lnh.mail.rcn.net)
> also adds some X- headers. The only way around that is for you to
> sign specific headers only. See the -H option in the dk-filter manual.
>

That did it! The -m option got my external client to sign properly, and
the -H option allowed the headers to be rewritten so that the signature
will verify.

Thank you *very* much for your help and patience!
 -Don
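
The effect discussed in this thread, as an added example that is not part of the original messages and is not dk-filter's code: a simplified model in which a SHA-256 digest stands in for the signature input, showing that headers added by later filters change a digest taken over all headers but not one taken over an explicit header list. The sample message, the function names and the canonicalization are assumptions made for illustration; real DomainKeys canonicalization and signing differ.

```python
import hashlib
from email import message_from_string

# Constructed sample message as it looks when the signer sees it.
SIGNED_AT_ORIGIN = (
    "From: don@example.com\n"
    "To: sm@example.org\n"
    "Subject: test\n"
    "Date: Tue, 09 Jun 2009 11:18:45 -0400\n"
    "\n"
    "body\n"
)

def digest(raw, signed_headers=None):
    """Hash stand-in for the data a signature covers (simplified model).

    signed_headers=None covers every header present in the message;
    otherwise only the named headers are covered, in the listed order.
    """
    msg = message_from_string(raw)
    if signed_headers is None:
        items = msg.items()
    else:
        items = [(h, v) for h in signed_headers for v in msg.get_all(h, [])]
    h = hashlib.sha256()
    for name, value in items:
        h.update(f"{name.lower()}:{value.strip()}\r\n".encode())
    h.update(msg.get_payload().encode())
    return h.hexdigest()

def after_filters(raw):
    """Simulate later hops adding X- headers (values are constructed)."""
    head, body = raw.split("\n\n", 1)
    added = "X-Virus-Scanned: constructed\nX-Spam-Status: No"
    return head + "\n" + added + "\n\n" + body

def survives(signed_headers):
    """True if the digest is unchanged after the X- headers are added."""
    before = digest(SIGNED_AT_ORIGIN, signed_headers)
    after = digest(after_filters(SIGNED_AT_ORIGIN), signed_headers)
    return before == after

if __name__ == "__main__":
    print("all headers covered:", survives(None))
    print("listed headers only:", survives(["From", "To", "Subject", "Date"]))
```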