On Sun, May 23, 2010 at 10:20 PM, Murray S. Kucherawy <msk_at_cloudmark.com> wrote:
>>
>> So _something_ is changing that Sender header after the signature is
>> generated. I have not been able to isolate where the change is
>> occurring, but I didn't really do much beyond getting it to work.
>> Since it works, I'm done with it for now.
> Good sleuth work. It would be interesting to know which piece of software is making that change, especially post-signing. This would be useful for our README.
I'll create the test list again, turn on KeepTemporaryFiles and see if
I can spot something.
>> Also, SM asked if the description for SigningTable wasn't clear. I
>> have to say that it was not clear, but that is partly because my
>> understanding of the KeyTable was muddled from prior experience with
> Right, that is indeed how it works and what the documentation tries to get across. Having seen someone struggling with that in a chat room (was that you?),
Not sure, cannonball in #sendmail in freenode is me.
> I wrote up a segment of our installation guide that contains an example of this which will appear in 2.1.0. If you'd like a preview to provide feedback about whether or not it's better, visit:
>
> http://www.opendkim.org/INSTALL
> Toward the end there's a new section called "COMPLEX SIGNING CONFIGURATIONS".
Very well written, and it's a great addition to the understanding of
the concept. There is a typo. You show the format of the KeyTable as:
KEY "selector:domain:private_key_or_private_key_file"
Whereas it only seems to work when I do:
KEY "domain:selector:private_key_or_private_key_file"
>> 3. If you define KeyTable but not SigningTable, it just won't start.
> That's intentional.
A note under KeyTable in the man page "This option requires the
SigningTable feature" would have probably helped me catch this. If
you consider that too much hand-holding, I do understand :-)
> Well the format can change. The right side of the KeyTable, which actually contains three fields, is only colon-separated for text files, regex files and DBs. If it's LDAP or SQL, they come from different fields.
Another excellent point. I've not yet done anything with this yet
where the info is in an external source.
>> Thanks for all the help guys, some of this might make a good FAQ item
>> WRT mailing lists.
>
> I absolutely agree. And it's also useful for consideration in some DKIM working group work that's being done right now with respect to re-signing list traffic.
>
> Thanks for providing us with your experiences!
You are quite welcome!
--
Regards... Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm. -- Marcus Aurealius
Received on Tue May 25 2010 - 18:36:46 PST