[dkim-milter-discuss] DKIM and Cisco PIX

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Some people have reported difficulty sending DKIM-signed mail through to 
sites that use Cisco PIX firewalls with the "mail fixup" feature turned 
on.

I'm told by a senior engineer at Cisco that this is a Cisco PIX problem 
for which a patch is already available.  The issue is that the feature 
observes "Content-Type" twice in the message header (once for 
Content-Type: itself and once in the h= tag of the DKIM signature), 
assumes it's malformed (possibly an attack) and disallows the message.

If you're having this problem and the destination site hasn't updated to 
the newest version of PIX, you can simply use the "-o" or "OmitHeaders" 
feature to skip signing of Content-Type: headers and avoid the problem.

-MSK