From: SM <sm...@re...> - 2005-10-05 22:39:48
Hi Dick,

At 11:37 05-10-2005, Dick St.Peters wrote:
>No. The dkim signature *usually* verifies ok on both mx0 and saint.
>I do have two saved relay tests where both dkim-filter and dk-filter
>passed on mx0, but only dk-filter passed on the return to saint. The
>second of these was for a 3-hop loop, from saint to mx0 to test1 and
>back to saint. That one passed both milters on both mx0 and test1.

I recall having failed signatures using both dkim-filter and dk-filter for signing. You shouldn't be having the same problem as you are signing specific headers only.

>Yes, but so would the extra "Received" header you snipped out.

I didn't think that these headers would cause the signature failure.

>It still fails. Now the debug files differ only in the verifying
>debug file having the additional "Received" header:
>
> saint# diff -u dk.20391.hpOtS6 dk.20391.k8uB3H
> --- dk.20391.hpOtS6 2005-10-05 13:35:32.000000000 -0400
> +++ dk.20391.k8uB3H 2005-10-05 13:35:33.000000000 -0400
> @@ -1,5 +1,6 @@
> X-DKIM:SendmailDKIMFilterv0.1.1saint.heaven.netj95HZVsT003477
> >DKIM-Signature:a=rsa-sha1;c=nowsp;d=netheaven.com;s=saint;t=1128533732;h=Received:Date:Message-Id:From:To:Subject;b=Crc182zZacK4Io8ts8SF6oKM1akjm9mb4HbXjKHr11uegnw2Tkcc+tcKtUbLPzFgcpu2sdrZyEgu406xgmFO6A==
> >+Received:fromsaint.heaven.net(localhost[127.0.0.1])bysaint.heaven.net(8.13.4/8.13.4)withESMTPidj95HZVsT003477for<ro...@mx...>;Wed,5Oct200513:35:32-0400
> >Received:(fromstpeters@localhost)bysaint.heaven.net(8.13.4/8.13.4/Submit)idj95HZVgl003474;Wed,5Oct200513:35:31-0400
> Date:Wed,5Oct200513:35:31-0400
> Message-Id:<200...@sa...>
>
>In this case, a non-context diff is probably clearer:
>
> saint# diff dk.20391.hpOtS6 dk.20391.k8uB3H
> 2a3
> > > Received:fromsaint.heaven.net(localhost[127.0.0.1])bysaint.heaven.net(8.13.4/8.13.4)withESMTPidj95HZVsT003477for<ro...@mx...>;Wed,5Oct200513:35:32-0400
>
>Clearly in signing mode dk-filter is not including this header, but in
>verifying mode dk-filter is including it.

That Received header should be above the signature and wouldn't be part of the verification if I am not mistaken. I will try to test your scenario to see whether I get the same results for the signing and verification files.

>You said you tried an "echo foo | Mail" type test on your system and
>got good verification. Did the debug files include the corresponding
>sm-client->sendmail "Received" header?

I also glanced at Authentication-Results and I saw a pass. I do not have DK debugging at the receiving end. I'm running the patched DKIM which also does DomainKeys verification at the receiving end. I'll do the test and I'll post the results.

Regards,
-sm
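An added example, not part of the original message and not dk-filter's or dkim-filter's code: a simplified model of the signing-versus-verifying comparison discussed above. It assumes the hash input is every header named in `h=`, in message order, with all whitespace removed as in the quoted debug lines; the hostnames, addresses and header values are constructed.

```python
import hashlib

def nowsp(header):
    """Remove all whitespace, matching the look of the quoted debug lines."""
    return "".join(header.split())

def hash_input(headers, signed_names):
    """Canonicalized headers whose field name is listed in h=, in message order."""
    wanted = {name.lower() for name in signed_names}
    return [nowsp(h) for h in headers
            if h.split(":", 1)[0].strip().lower() in wanted]

def digest(lines):
    return hashlib.sha1("\r\n".join(lines).encode()).hexdigest()

def compare(sign_view, verify_view, signed_names):
    """Return (digests_match, lines only the verifier hashed, lines only the signer hashed)."""
    s = hash_input(sign_view, signed_names)
    v = hash_input(verify_view, signed_names)
    extra = [line for line in v if line not in s]
    missing = [line for line in s if line not in v]
    return digest(s) == digest(v), extra, missing

# h= list as it appears in the quoted DKIM-Signature
H = ["Received", "Date", "Message-Id", "From", "To", "Subject"]

# Constructed headers: what the filter is handed at signing time ...
SIGN_VIEW = [
    "Received: (from user@localhost) by mail.example.org id ABC123;"
    " Wed, 5 Oct 2005 13:35:31 -0400",
    "Date: Wed, 5 Oct 2005 13:35:31 -0400",
    "Message-Id: <constructed-1@mail.example.org>",
    "From: user@example.org",
    "To: postmaster@example.net",
    "Subject: relay test",
]
# ... and the same message at verification, with one more Received header
HOP_RECEIVED = ("Received: from mail.example.org (localhost [127.0.0.1])"
                " by mail.example.org with ESMTP id ABC123;"
                " Wed, 5 Oct 2005 13:35:32 -0400")
VERIFY_VIEW = [HOP_RECEIVED] + SIGN_VIEW

if __name__ == "__main__":
    ok, extra, missing = compare(SIGN_VIEW, VERIFY_VIEW, H)
    print("Received signed:    ", "match" if ok else "MISMATCH", extra)
    ok, _, _ = compare(SIGN_VIEW, VERIFY_VIEW, H[1:])
    print("Received not signed:", "match" if ok else "MISMATCH")
```

In this model the digests differ only while `Received` is listed in `h=`; with it left out of the signed set, both views hash identically.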