On Wednesday 2011-05-04 15:35 -0700, Murray S. Kucherawy wrote:
> This shows the difference. The first one fails because you requested signing of a Content-Disposition field which was apparently not there at the time of signing (i.e., it's missing from the "z=" tag), but was added later (i.e., it's there in the final message).
>
> Naming a field in "h=" that's not there when signing causes its later addition to render the signature invalid. That's consistent with the protocol (RFC4871).
>
> Since the second one didn't sign the non-existent Content-Disposition field, it passes.
>
> The other fields listed in AlwaysSignHeaders don't seem to be there in the final message, so I suspect if you remove just that one from your list, both will verify.
Thanks for the help. It looks like:
* My old setup with dkim-milter was ignoring the stuff at the end
of the AlwaysSignHeaders line (it definitely honored "references"
and ignored "cc" and "content-disposition"), so I didn't see this
problem before.
* Postfix does something to add Content-Disposition: inline later
in the process than the dkim signing
Removing Content-Disposition from AlwaysSignHeaders works.
-David
--
L. David Baron http://dbaron.org/
Mozilla Corporation http://www.mozilla.com/
Received on Wed May 04 2011 - 23:08:17 PST