Re: DKIM verification failures due to message body change when using HTML email

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Tue, 11 Dec 2012 13:07:24 -0800 (PST)

On Tue, 11 Dec 2012, Quanah Gibson-Mount wrote:
> Again the complaint about the body being modified?

I've no idea how that's even possible. One of the properties of the
milter protocol involves having the filter request certain privileges from
the MTA. One of the possible privileges is called SMFIF_CHGBODY which
would allow the filter to send body alteration requests to the MTA.
Requesting a body change without first requesting that privilege results
in an error. As you can see for yourself, that privilege is never
requested by opendkim, nor is smfi_chgbody() ever called, so it simply
can't change the body.

The more likely issue would be a canonicalization bug, but I'd be
suprirsed to see such a bug that's survived this long undetected.

Are you able to arrange to capture the canonicalized forms at signing and
at verifying? If both ends are opendkim, then you can just tell it to
KeepTemporaryFiles at both ends, then diff them (matching header to header
and body to body) to see what's changing. That often points to which
agent is making the change, and why.

-MSK
Received on Tue Dec 11 2012 - 21:07:43 PST