Re: [AMaViS-user] Dkim signing and altermime / disclaimer failure

Michael Scheidell wrote the following on 7/7/2007 7:48 AM -0800:
> Seems if you use dkim to sign outgoing email through amavisd-new policy
> bank and forward-method, the 'disclaimer' added to message does not pass
> the body test. since it seems to sign the message before the disclaimer
> is added.
>
> Q) how do I get it to sign AFTER mangling (do I do it in amavisd.conf?)
> or wait till Mark gets back?
>
> (as least assume this is why I get this error on reflector:
> testing.dkim.org; header.DKIM-Signature=@secnap.net; dkim=fail (
> Err: body altered; RSA-128 err: hdrdiffs=none; bodyvfy=no;
> secnap.net/s102
> 4 fail; );
> header.From=scheidell@secnap.net; dkim=neutral
>
> [DKIM-Bodyhash: Warning]
> body hashes do not match for "Michael Scheidell"
> sig=k9XtizUNBPIHQDW1po4NYI6foNM= calc=QsnK/S4Ee01odgjQhyN9o4FaZjk=
> [DKIM-Vfy: Warning]
> RSA-128 err: scheidell@secnap.net hdrdiffs=none; bodyvfy=no;
> openssl=error:00000000:lib(0):func(0):reason(0); 'v=1; a=rsa-sha1;
> c=relaxed; d=secnap.net;
> h=mime-version:content-type:content-transfer-encoding:subject:
> date:message-id:from:to; q=dns/txt; s=s1024; bh=k9XtizUNBPIHQDW1
> po4NYI6foNM=; b='
>
>
> Using FREEBSD, postfix, amavisd-new 2.5.2, Mail:DKIM .26, dkimproxy.
>

I don't use dkim proxy, but do sign with both dk and dkim. Just out of
curiosity, since you are using postfix (that is, if you are using a
relatively new version of postfix that supports milters), why not use
the dkim-milter and do your signing as the last thing postfix does
before delivering the message to the recipient MTA? That should resolve
any issues you may be experiencing with something changing the body or
headers after signing.

Bill
> Used this to do forwarding, disclaimers:
>
> (using dkim proxy from ports, in rc.conf:
>
> amavisd-new forward sends to 127.0.0.1:10027.
> Dkimproxy listens on 127.0.0.0:10027, signs message and send back out
> 10028.
> Postfix listens on 10028 and sends email back out.
>
> dkimproxy_out_enable="YES"
> dkimproxy_out_flags="--keyfile=/usr/local/etc/dkimproxy/private.key \
> --selector=s1024 --domain=secnap.com,secnap.net --method=relaxed
> \
> 127.0.0.1:10027 127.0.0.1:10028"
>
> master.cf:
>
> 127.0.0.1:10028 inet n - n - 10 smtpd
> -o content_filter=
> -o
> receive_override_options=no_unknown_recipient_chec ks,no_header_body_chec
> ks
> -o smtpd_helo_restrictions=
> -o smtpd_client_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,rej ect
> -o mynetworks=127.0.0.0/8
> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> amavisd.conf
>
> @altermime_args_disclaimer =
> qw(--verbose --disclaimer=/var/amavis/etc/disclaimer.txt
> --disclaimer-html=/var/amavis/etc/disclaimer.html);
> $defang_maps_by_ccat{+CC_CLEAN} = [ 'disclaimer' ];
>
> $policy_bank{'MYNETS'} = { # mail originating from @mynetworks
> originating => 1,
> forward_method => 'smtp:[127.0.0.1]:10027',
> allow_disclaimers => 1,
> smtpd_discard_ehlo_keywords => ['8BITMIME'],
> ....
>
>
>


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/...fo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/