Re: DKIM verification failures due to message body change when using HTML email

From: Quanah Gibson-Mount <quanah_at_zimbra.com>
Date: Tue, 11 Dec 2012 14:27:06 -0800

--On Tuesday, December 11, 2012 1:07 PM -0800 "Murray S. Kucherawy"
<msk_at_blackops.org> wrote:

> On Tue, 11 Dec 2012, Quanah Gibson-Mount wrote:
>> Again the complaint about the body being modified?
>
> I've no idea how that's even possible. One of the properties of the
> milter protocol involves having the filter request certain privileges
> from the MTA. One of the possible privileges is called SMFIF_CHGBODY
> which would allow the filter to send body alteration requests to the MTA.
> Requesting a body change without first requesting that privilege results
> in an error. As you can see for yourself, that privilege is never
> requested by opendkim, nor is smfi_chgbody() ever called, so it simply
> can't change the body.
>
> The more likely issue would be a canonicalization bug, but I'd be
> surprised to see such a bug that's survived this long undetected.
>
> Are you able to arrange to capture the canonicalized forms at signing and
> at verifying? If both ends are opendkim, then you can just tell it to
> KeepTemporaryFiles at both ends, then diff them (matching header to
> header and body to body) to see what's changing. That often points to
> which agent is making the change, and why.

Current flow is:

postfix -> opendkim -> postfix -> amavis (origination) -> postfix -> amavis
(SA/DKIM verification) -> postfix -> delivery

Flow in our next release is:

postfix -> amavis (origination) -> opendkim -> postfix -> amavis (SA/DKIM
verification) -> postfix -> delivery

Amavis does the DKIM verification just prior to delivery. I now have at
least 3 different people all hitting this issue. For one person, it fails
if they use Thunderbird on Linux, but not if they use Thunderbird on
Windows. In their case, they are sending the email to Yahoo, so the flow
is:

postfix -> opendkim -> amavis (origination) -> postfix -> Yahoo! for
verification and delivery, so it's not our Amavis SA/DKIM verification step
that is at fault either.

For the Linux thunderbird client, Yahoo! shows:

 Authentication-Results: mta1038.mail.ird.yahoo.com from=horret.fr;
domainkeys=neutral (no sig); from=horret.fr; dkim=permerror (bad sig)

Otherwise:

 Authentication-Results: mta1097.mail.ird.yahoo.com from=horret.fr;
domainkeys=neutral (no sig); from=horret.fr; dkim=pass (ok)

So I'm at a total loss here. :/

--Quanah


--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
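An added example, not code from this thread or from opendkim, showing what the canonicalized-form diff Murray suggests actually tests: RFC 6376 simple and relaxed body canonicalization, the resulting bh= body hash, and a line diff of the two canonical forms as you would do on the signer's and verifier's KeepTemporaryFiles output. The HTML bodies are constructed; "whitespace-only" stands for the kind of line-ending or trailing-space rewrite a client or MTA might apply, "rewrapped" for a real content change.

```python
import base64
import difflib
import hashlib
import re

CRLF = "\r\n"

def canon_body(body: str, algo: str = "relaxed") -> str:
    """Canonicalize a body per RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed).
    Bare LF is normalised to CRLF first so line-ending rewrites are not hidden."""
    lines = body.replace(CRLF, "\n").replace("\n", CRLF).split(CRLF)
    if algo == "relaxed":
        # strip trailing WSP and collapse runs of WSP to a single SP on every line
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    elif algo != "simple":
        raise ValueError(f"unknown canonicalization {algo!r}")
    while lines and lines[-1] == "":      # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return CRLF if algo == "simple" else ""
    return CRLF.join(lines) + CRLF

def body_hash(body: str, algo: str = "relaxed") -> str:
    """The bh= value a signer would put in DKIM-Signature (rsa-sha256)."""
    digest = hashlib.sha256(canon_body(body, algo).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def canonical_diff(signed_body: str, received_body: str, algo: str = "relaxed") -> list:
    """Changed lines between the two canonical forms: the 'body to body' diff
    of what the signer hashed against what the verifier hashed."""
    a = canon_body(signed_body, algo).split(CRLF)
    b = canon_body(received_body, algo).split(CRLF)
    return [d for d in difflib.unified_diff(a, b, lineterm="", n=0)
            if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]

# Constructed HTML body as the signer saw it, plus two altered copies.
SIGNED = "<html>\r\n<body>\r\n<p>Hello  world</p>\r\n</body>\r\n</html>\r\n"
WHITESPACE_ONLY = "<html>\n<body> \n<p>Hello\tworld</p>\n</body>\n</html>\n\n"
REWRAPPED = "<html>\r\n<body>\r\n<p>Hello\r\nworld</p>\r\n</body>\r\n</html>\r\n"

if __name__ == "__main__":
    for name, body in (("whitespace-only", WHITESPACE_ONLY), ("rewrapped", REWRAPPED)):
        for algo in ("simple", "relaxed"):
            same = body_hash(SIGNED, algo) == body_hash(body, algo)
            print(f"{name:16} {algo:8} bh matches: {same}")
        print("  relaxed diff:", canonical_diff(SIGNED, body))
```

The whitespace-only copy keeps its bh= under relaxed but not under simple canonicalization, while the rewrapped copy fails under both, so an empty relaxed diff with a failing signature points at the c= setting or the headers rather than the body.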
Received on Tue Dec 11 2012 - 22:27:36 PST