Re: Double X-DKIM Header (all the way across the sky!!!!)

From: Daniel Black <daniel.subs_at_internode.on.net>
Date: Tue, 15 Feb 2011 21:55:44 +1100

On Tuesday 15 February 2011 13:27:35 Steve Jenkins wrote:
> I just added Amavis-new (with ClamAV and SpamAssassin) to my Postfix
> setup on my personal box.
>
> For context, I'm using this content_filter argument in Postfix to push
> incoming mail through the filter on port 10024:
>
> content_filter = smtp-amavis:[127.0.0.1]:10024
>
> Then I've added the following to /etc/postfix/master.cf to set up port
> 10025 for the mail to be re-injected into the Postfix queue:
>
> smtp-amavis unix - - n - 2 smtp
> -o smtp_data_done_timeout=1200
> -o smtp_send_xforward_command=yes
> -o disable_dns_lookups=yes
> -o max_use=20
>
> 127.0.0.1:10025 inet n - n - - smtpd
> -o content_filter=
> -o local_recipient_maps=
> -o relay_recipient_maps=
> -o smtpd_restriction_classes=
> -o smtpd_delay_reject=no
> -o smtpd_client_restrictions=permit_mynetworks,reject
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o smtpd_data_restrictions=reject_unauth_pipelining
> -o smtpd_end_of_data_restrictions=
> -o mynetworks=127.0.0.0/8
> -o smtpd_error_sleep_time=0
> -o smtpd_soft_error_limit=1001
> -o smtpd_hard_error_limit=1000
> -o smtpd_client_connection_count_limit=0
> -o smtpd_client_connection_rate_limit=0
> -o
> receive_override_options=no_header_body_checks,no_unknown_recipient_checks
>
> Now, when I sent a test message from my GMail account to my personal
> server to check that Amavis-new is working correctly, I noticed that
> I'm getting two X-DKIM headers, as follows:
>
> X-DKIM: OpenDKIM Filter v2.3.0 carbonfiber.stevejenkins.com 830E110424E7
> Authentication-Results: carbonfiber.stevejenkins.com; dkim=pass
> (1024-bit key) header.i=_at_gmail.com header.b=IiKEGPTz; dkim-adsp=pass
> X-DKIM: OpenDKIM Filter v2.3.0 carbonfiber.stevejenkins.com D120510424E8
>
> I'm assuming one is added on the way IN to the content filter, and the
> second is added when Amavis-new re-injects the message back into the
> Postfix queue.
>
> I don't see any harm in this, but I don't know if this is a bug or if
> it's the desired behavior for some reason. If it's not a bug, any
> guidance on how to configure OpenDKIM to parse the message once,
> instead of twice?

deep in the bowels of the opendkim/README lies:

    (c) If you have a content filter in master.cf that feeds it back into a
        different smtpd process, you should alter the second smtpd process in
        master.cf to contain '-o receive_override_options=no_milters' to
        prevent messages being signed or verified twice. For tips on avoiding
        DKIM signature breakage, see:
        http://www.postfix.org/MILTER_README.html#workarounds


> Thanks,
welcome
Received on Tue Feb 15 2011 - 10:55:33 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:33:08 PST