Re: Signature broken for replies

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Mon, 5 Oct 2015 23:32:04 -0700 (PDT)

On Mon, 5 Oct 2015, John Massai wrote:
>> If you just have it in SignHeaders, then this shouldn't be a problem
>> because opendkim shouldn't include it in "h=" if you don't have it in
>> the original signed message.
>
> No I do not (except by default, apparently). It seemed to be signing it
> by default and causing this problem unless I add it to OmitHeaders.

Ah, right. From the documentation:

   By default, those fields listed in the DKIM specification as "SHOULD" be
   signed (RFC6376, Section 5.4) will be signed by the filter.

That includes In-Reply-To, so that explains why it's in "h=". If it's the
thing breaking your signatures, however, that means its value is being
changed post-signing.

If your posts are transiting lists, my guess is the list is moving that
value to References:, and replacing the value of In-Reply-To: with the
Message-Id: you generated.

You could try using a more restrictive SignHeaders set.

-MSK
Received on Tue Oct 06 2015 - 06:32:21 PST
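
An added example, not part of the archived message and not opendkim code: one way to check which header fields listed in "h=" changed between the copy you sent and the copy that came back from a list. The function names, addresses and sample messages are constructed for illustration; relaxed header canonicalization is assumed, and only header values are compared (no body hash or signature check).

```python
import re
from email import message_from_string

def signed_names(dkim_value):
    """Header names listed in the h= tag of a DKIM-Signature, in order."""
    unfolded = re.sub(r"\s+", "", dkim_value)  # drop folding whitespace between tags
    tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
    return [n.lower() for n in tags.get("h", "").split(":") if n]

def relaxed(value):
    """Relaxed canonicalization of a header value: unfold, collapse whitespace."""
    return re.sub(r"\s+", " ", value).strip()

def select(msg, names):
    """Pick instances the way RFC 6376 does: bottom-up, None if none are left."""
    pools, picked = {}, []
    for name in names:
        if name not in pools:
            pools[name] = [relaxed(v) for v in msg.get_all(name, [])]
        picked.append((name, pools[name].pop() if pools[name] else None))
    return picked

def changed_signed_headers(sent_raw, received_raw):
    """Return (name, value_as_sent, value_as_received) for each signed field that differs."""
    sent = message_from_string(sent_raw)
    received = message_from_string(received_raw)
    names = signed_names(received["DKIM-Signature"])
    before, after = select(sent, names), select(received, names)
    return [(n, b, a) for (n, b), (_, a) in zip(before, after) if a != b]

# Constructed sample: a reply as sent, with placeholder bh=/b= values.
SENT = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;
 h=from:to:subject:date:message-id:in-reply-to; bh=PLACEHOLDER; b=PLACEHOLDER
From: alice@example.org
To: list@example.net
Subject: Re: test
Date: Mon, 5 Oct 2015 10:00:00 -0700
Message-Id: <reply@example.org>
In-Reply-To: <orig@example.org>

body
"""
# Constructed sample: the same message after a list moved the In-Reply-To value
# to References: and put the sender's Message-Id in In-Reply-To:.
RECEIVED = SENT.replace(
    "In-Reply-To: <orig@example.org>",
    "In-Reply-To: <reply@example.org>\nReferences: <orig@example.org>")

if __name__ == "__main__":
    for name, was, now in changed_signed_headers(SENT, RECEIVED):
        print(f"{name}: signed as {was!r}, received as {now!r}")
```

Any field this reports is a candidate for OmitHeaders or for leaving out of a narrower SignHeaders set.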
