From: Dick St.P. <stpeters@NetHeaven.com> - 2005-10-05 18:38:10
SM writes:
> At 07:11 05-10-2005, Dick St.Peters wrote:
> >For testing I use two systems, "saint" and "mx0", which both run
> >dk-filter. I send mail from saint to an alias on mx0 that sends the
> >mail back to saint, so saint both signs and verifies, while mx0 only
> >verifies. Using DKDEBUG=c, saint collects both signing and verifying
> >debug files for each message. (Both systems also run dkim-filter, but
> >that does not seem to interfere with dk-filter.)
>
> BTW, do you see the same failure with dkim-filter?

No. The dkim signature *usually* verifies ok on both mx0 and saint.
I do have two saved relay tests where both dkim-filter and dk-filter
passed on mx0, but only dk-filter passed on the return to saint. The
second of these was for a 3-hop loop, from saint to mx0 to test1 and
back to saint. That one passed both milters on both mx0 and test1.

> >Here is a diff of the signing and verifying debug output for a 'fail'
> >case:
>
> [snip]
>
> > Message-Id:<200...@sa...>
> > -From:"DickSt.Peters"<stpeters@NetHeaven.com>
> > +From:"DickSt.Peters"<stp...@ne...>
> > To:ro...@mx...
>
> The case change would cause the verification to fail.

Yes, but so would the extra "Received" header you snipped out.

> >The verifying debug output has a "Received" header that the signing
> >output does not, and the verifying output has down-cased the domain in
> >the "From:" header.
>
> It looks like the "From:" header is the culprit. Can you test using
> "netheaven.com" and see whether it fails?

It still fails. Now the debug files differ only in the verifying
debug file having the additional "Received" header:

saint# diff -u dk.20391.hpOtS6 dk.20391.k8uB3H
--- dk.20391.hpOtS6 2005-10-05 13:35:32.000000000 -0400
+++ dk.20391.k8uB3H 2005-10-05 13:35:33.000000000 -0400
@@ -1,5 +1,6 @@
 X-DKIM:SendmailDKIMFilterv0.1.1saint.heaven.netj95HZVsT003477
 DKIM-Signature:a=rsa-sha1;c=nowsp;d=netheaven.com;s=saint;t=1128533732;h=Received:Date:Message-Id:From:To:Subject;b=Crc182zZacK4Io8ts8SF6oKM1akjm9mb4HbXjKHr11uegnw2Tkcc+tcKtUbLPzFgcpu2sdrZyEgu406xgmFO6A==
+Received:fromsaint.heaven.net(localhost[127.0.0.1])bysaint.heaven.net(8.13.4/8.13.4)withESMTPidj95HZVsT003477for<ro...@mx...>;Wed,5Oct200513:35:32-0400
 Received:(fromstpeters@localhost)bysaint.heaven.net(8.13.4/8.13.4/Submit)idj95HZVgl003474;Wed,5Oct200513:35:31-0400
 Date:Wed,5Oct200513:35:31-0400
 Message-Id:<200...@sa...>

In this case, a non-context diff is probably clearer:

saint# diff dk.20391.hpOtS6 dk.20391.k8uB3H
2a3
> Received:fromsaint.heaven.net(localhost[127.0.0.1])bysaint.heaven.net(8.13.4/8.13.4)withESMTPidj95HZVsT003477for<ro...@mx...>;Wed,5Oct200513:35:32-0400

Clearly in signing mode dk-filter is not including this header, but in
verifying mode dk-filter is including it.

You said you tried an "echo foo | Mail" type test on your system and
got good verification. Did the debug files include the corresponding
sm-client->sendmail "Received" header?

--
Dick St.Peters, stpeters@NetHeaven.com
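
Added example, not part of the original message and not dk-filter's code: a small diagnostic that hashes the header set as the signer and the verifier each see it and names the headers responsible for a mismatch, covering both causes raised in this thread (an extra "Received" header and a case change in "From:"). The whitespace-stripping `canon` step is an assumed simplification modelled on the debug output above, and all header values are constructed placeholders.

```python
import hashlib

def canon(header):
    # Assumed simplification: unfold the header and drop all whitespace,
    # like the whitespace-free lines shown in the debug files.
    return "".join(header.split())

def digest(headers):
    # SHA-1 over the canonical header lines, in the order given.
    h = hashlib.sha1()
    for line in headers:
        h.update(canon(line).encode("ascii") + b"\r\n")
    return h.hexdigest()

def explain(signer_view, verifier_view):
    # Classify every canonical header the two sides disagree on.
    left = [canon(x) for x in signer_view]
    findings = []
    for line in (canon(x) for x in verifier_view):
        if line in left:
            left.remove(line)
            continue
        twin = next((x for x in left if x.lower() == line.lower()), None)
        if twin is not None:
            left.remove(twin)
            findings.append(("case-changed", line))
        else:
            findings.append(("only-in-verifier", line))
    return findings + [("only-in-signer", x) for x in left]

# Constructed sample headers; example.org / example.net are placeholders.
SIGNER_VIEW = [
    "Received: (from user@localhost) by mail.example.org id ABC123;\r\n"
    "\tWed, 5 Oct 2005 13:35:31 -0400",
    "Date: Wed, 5 Oct 2005 13:35:31 -0400",
    "Message-Id: <abc123@mail.example.org>",
    'From: "Test User" <user@Example.ORG>',
    "To: relay@mx.example.net",
    "Subject: relay test",
]
# The verifier additionally sees the hop's own Received header, and the
# From: domain has been down-cased in transit.
VERIFIER_VIEW = (
    ["Received: from mail.example.org (localhost [127.0.0.1])"
     " by mail.example.org with ESMTP id ABC124"]
    + SIGNER_VIEW[:3]
    + ['From: "Test User" <user@example.org>']
    + SIGNER_VIEW[4:]
)

if __name__ == "__main__":
    print(digest(SIGNER_VIEW) == digest(VERIFIER_VIEW))
    for kind, line in explain(SIGNER_VIEW, VERIFIER_VIEW):
        print(kind, line)
```
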