> -----Original Message-----
> From: L. David Baron [mailto:dbaron_at_dbaron.org]
> Sent: Wednesday, May 04, 2011 3:03 PM
> To: Murray S. Kucherawy
> Cc: opendkim-users_at_lists.opendkim.org
> Subject: Re: AlwaysSignHeaders causing messages not to verify
>
> > Can you try repeating these tests with "Diagnostics True" added to
> > both configuration files?
>
> Repeated test 1 + Diagnostics as test 3, and test 2 + Diagnostics as
> test 4:
>
> $ wget -q -O - http://dbaron.org/tmp/dkim-test-3 | dkimproxy-verify
> originator address: dbaron_at_dbaron.org
> signature identity: _at_dbaron.org
> verify result: fail (message has been altered)
> sender policy result: neutral
> author policy result: neutral
> ADSP policy result: neutral
> $ wget -q -O - http://dbaron.org/tmp/dkim-test-4 | dkimproxy-verify
> originator address: dbaron_at_dbaron.org
> signature identity: _at_dbaron.org
> verify result: pass
> sender policy result: accept
> author policy result: accept
> ADSP policy result: accept
This shows the difference. The first one fails because you requested signing of a Content-Disposition field which was apparently not there at the time of signing (i.e., it's missing from the "z=" tag), but was added later (i.e., it's there in the final message).
Naming a field in "h=" that's not there when signing causes its later addition to render the signature invalid. That's consistent with the protocol (RFC4871).
Since the second one didn't sign the non-existent Content-Disposition field, it passes.
The other fields listed in AlwaysSignHeaders don't seem to be there in the final message, so I suspect if you remove just that one from your list, both will verify.
Received on Wed May 04 2011 - 22:35:55 PST