Re: Signature broken for replies

From: John Massai <massaijohn_at_gmail.com>
Date: Mon, 5 Oct 2015 23:39:39 -0700

On 10/5/15, Murray S. Kucherawy <msk_at_blackops.org> wrote:
> On Mon, 5 Oct 2015, John Massai wrote:
>>> If you just have it in SignHeaders, then this shouldn't be a problem
>>> because opendkim shouldn't include it in "h=" if you don't have it in
>>> the original signed message.
>>
>> No I do not (except by default, apparently). It seemed to be signing it
>> by default and causing this problem unless I add it to OmitHeaders.
>
> Ah, right. From the documentation:
>
> By default, those fields listed in the DKIM specification as "SHOULD" be
> signed (RFC6376, Section 5.4) will be signed by the filter.
>
> That inclues In-Reply-To, so that explains why it's in "h=". If it's the
> thing breaking your signatures, however, that means its value is being
> changed post-signing.

Makes sense, but I don't know where that would happen - opendkim is,
as far as I know, the last thing to see the message before it is sent
to Gmail (by Postfix FWIW), where it lands in the inbox with an
invalid signature. Why would only this one header be getting munged?

I can live without that header being signed for now, as I'm not sure
what else I can do to diagnose the problem.

> If your posts are transiting lists, my guess is the list is moving that
> value to References:, and replacing the value of In-Reply-To: with the
> Message-Id: you generated.

No lists involved, just some test messages to Gmail.

> You could try using a more restrictive SignHeaders set.

I just added the offending header to OmitHeaders and everything works nicely.
Received on Tue Oct 06 2015 - 06:39:52 PST