Re: Double signing

From: Scott Kitterman <ietf-dkim_at_kitterman.com>
Date: Fri, 4 Mar 2011 14:04:44 -0500

On Friday, March 04, 2011 12:02:33 pm Murray S. Kucherawy wrote:
> > -----Original Message-----
> > From: opendkim-users-bounce_at_lists.opendkim.org
> > [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Steve
> > Jenkins Sent: Thursday, March 03, 2011 12:17 PM
> > To: opendkim-users_at_lists.opendkim.org
> > Subject: Double signing
> >
> > Someone just posted a question on my blog referencing these headers,
> > and asking why two OpenDKIM signatures are there:
> > [...]
>
> I was hoping a postfix user would pipe up, but here I am just to break the
> silence...
>
> Just about the only way I can think of this occurring is that the same
> message is passed to the filter twice somehow before it goes out. I'm not
> a postfix user so I couldn't say how this might occur in such a setup.
> The logs should give you some hints about the sequence of events (e.g.
> does the queue ID change between signing actions?).
>
> The idea for fixing this would be one or more of the following:
>
> 1) Check the postfix configuration to see if there's some way the filter
> might hear about the same message twice. It has the notion of
> "smtpd_milters" and "non_smtpd_milters", so maybe opendkim is referenced
> in both places or something like that.
>
> 2) Check the logs to see how you might be able to distinguish the two
> instances. For example if one is coming in over the localhost address
> while the other is coming in over some non-localhost address, you could
> add one or the other to the PeerList so that the filter simply ignores one
> of them outright.
>
> 3) Have the reinjection step change the From: so that there's a hit in the
> SigningTable for one instance of the message but not the other. (You
> alluded to this idea in your email.)
>
> 4) Use a setup script (one of the Lua hooks) to make the signing
> determination rather than a SigningTable, and only use odkim.sign() if
> there's not already a signature on the message, or if it comes in over a
> particular interface or with particular other properties, etc.
>
> -MSK

It's not difficult to end up running the message through the milter twice if
you have multiple smtpd processes in your configuration. If the OP will send
me the output of postconf -n and his master.cf (offlist is probably best) I'll
take a look at it.

Scott K

P.S. I was hoping some other postfix user would speak up ...
Received on Fri Mar 04 2011 - 19:05:04 PST
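
Added example (not part of the thread, and not code from the Postfix or OpenDKIM projects): a small Python check for the situation Scott describes and for item 1 in Murray's list, reporting which smtpd services in master.cf would hand mail to the same milter. The configuration text, the socket address inet:127.0.0.1:8891 and the function names are constructed for illustration, and only the `-o name=value` override form is parsed.

```python
# Constructed sample (not the OP's configuration): a public smtpd, an
# after-content-filter reinjection smtpd, and a submission service.
MAIN_CF = {"smtpd_milters": "inet:127.0.0.1:8891", "non_smtpd_milters": ""}
MASTER_CF = """\
smtp      inet  n  -  n  -  -  smtpd
  -o content_filter=scan:[127.0.0.1]:10024
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
submission inet n - n - - smtpd
  -o receive_override_options=no_milters
pickup    unix  n  -  n  60 1  pickup
"""

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def smtpd_milter_map(master_cf, main_cf):
    """Return {service name: effective smtpd_milters} for each smtpd service."""
    result = {}
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        opts, args = {}, fields[8:]
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and "=" in args[i + 1]:
                key, _, val = args[i + 1].partition("=")
                opts[key] = val
        # A per-service -o override wins over the main.cf value.
        milters = opts.get("smtpd_milters", main_cf.get("smtpd_milters", ""))
        override = opts.get("receive_override_options",
                            main_cf.get("receive_override_options", ""))
        if "no_milters" in override:
            milters = ""
        result[fields[0]] = milters
    return result

def double_sign_candidates(master_cf, main_cf, milter):
    """Sorted smtpd services that would pass mail to the given milter socket."""
    found = smtpd_milter_map(master_cf, main_cf)
    return sorted(name for name, val in found.items()
                  if milter in val.replace(",", " ").split())
```

More than one service in the result means a message that passes through both listeners reaches the filter twice; an empty `-o smtpd_milters=` or `-o receive_override_options=no_milters` on the reinjection listener removes it from the list.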
