On 24/09/2008, at 9:33 PM, Mark Martinec wrote:
James,

If I send an email to [EMAIL PROTECTED] it comes back saying:

DKIM check details:
Result: fail (signature doesn't verify)

The same thing happens sending from my iPhone.

But it works fine sending from the same computer using Thunderbird. Or if I use webmail (Roundcube or Ilohamail) to send the email.

All are sending through the same mail server (Postfix), same account, with and without SSL.

Has anyone had any similar problems with DKIM and Mail.app?

Your signer signed the following header section:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bordo.com.au; s=mail;
  h=Message-Id:From:To:In-Reply-To:
  Mime-Version:Subject:Date:References:MIME-Version:Content-Type;
  bh=FBGlG3/lg4Qa0cw6oM9LAu83D6E9uxKw+uQSQmKN7EQ=;
  b=D8uXGWZusRopo
  0Dx4TQeApJbajiayRIpN/Q+GTgn/MPv7Qj+Cq5EOcwr75ZXv/GV+MRpo+qGiOfv0
  fJtqDvR1TwbjuvSuRTHgQVCc1+AY3T4iDEQ5f4EGJ0NPR56rPqrKGDi1AwCGjvVD
  sieq86AnRWfredZLTHzXvzq5neSGOE=
Message-Id: <[EMAIL PROTECTED]>
From: James Brown <[EMAIL PROTECTED]>
To: postfix-users@postfix.org
In-Reply-To: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Subject: Re: [OFF]: DKIM broken by certain email clients
Date: Wed, 24 Sep 2008 17:42:40 +1000
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED] >
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
  micalg=sha1; boundary="----31313EF4F437E4210E9DC5F9C2D9A7A1"

Note the double occurrence of MIME-Version, but this is not in itself a reason for DKIM validation failure. The above header section was modified on its way out from your site, replacing the first "MIME-Version: 1.0" of the two with a

  Mime-Version: 1.0 (Apple Message framework v929.2)

thus breaking the signature.

So it seems you have two problems here: why are there two MIME-Version header fields in the first place, and why is one of them modified AFTER signing.
Thanks Mark. The flow of my email is:

Mail.app -> ASSP -> Postfix -> amavisd-new -> Postfix -> Astaro Gateway -> Internet

I think :-)

I'm at home now so can't check. I intend to stop going through amavisd-new when sending, but haven't got round to it yet. Perhaps this is the problem?
My postfix settings are:

$ postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisd-new:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 7
default_process_limit = 100
disable_vrfy_command = yes
html_directory = no
mail_owner = postfix
mailbox_size_limit = 102400000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 102400000
mydomain = bordo.com.au
myhostname = mail.bordo.com.au
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost = astaro1.bordo.com.au
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_connection_count_limit = 100
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_enforce_tls = no
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:27
virtual_mailbox_base = /usr/local/virtual/
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 5120000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 27
virtual_transport = virtual
virtual_uid_maps = static:27

The Astaro box is set up as a smarthost (relayhost = astaro1.bordo.com.au). It should be the final link before the internet, so nothing should therefore interfere with the message after it has been signed.
And why would it work fine for Thunderbird? And when my web server sends the email (i.e. using webmail)?
Thanks for your help. James.
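
Added example, not part of the thread: one way to find which signed header field changed after signing is to apply relaxed header canonicalization (RFC 6376, section 3.4.2) to the fields named in `h=`, on both the header section as signed and the one as received, and compare. The function names and the shortened sample headers (including the `example.org` address) are constructed for illustration.

```python
import re

def relaxed(name, value):
    """Relaxed header canonicalization (RFC 6376, section 3.4.2)."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}"

def parse_headers(block):
    """Split a header block into [name, value] pairs, keeping folds attached."""
    fields = []
    for line in block.strip("\n").splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += "\n" + line
        else:
            name, _, value = line.partition(":")
            fields.append([name, value])
    return fields

def signed_view(block, h_tag):
    """Canonical fields named in h=, picked bottom-up as a verifier does."""
    remaining, out = parse_headers(block), []
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == wanted:
                out.append(relaxed(*remaining.pop(i)))
                break
        else:
            out.append(None)   # field named in h= but not present
    return out

def changed_fields(signed_block, received_block, h_tag):
    """Pairs (as signed, as received) for every signed field that differs."""
    pairs = zip(signed_view(signed_block, h_tag), signed_view(received_block, h_tag))
    return [(a, b) for a, b in pairs if a != b]

# Constructed sample, shortened from the header section quoted in the thread.
H_TAG = "From:Mime-Version:Subject:MIME-Version:Content-Type"
SIGNED = """From: James Brown <james@example.org>
MIME-Version: 1.0
Subject: Re: DKIM broken by certain email clients
MIME-Version: 1.0
Content-Type: multipart/signed;
  micalg=sha1
"""
RECEIVED = SIGNED.replace("MIME-Version: 1.0", "Mime-Version: 1.0 (Apple Message framework v929.2)", 1)
if __name__ == "__main__":
    for before, after in changed_fields(SIGNED, RECEIVED, H_TAG):
        print(f"signed:   {before}\nreceived: {after}")
```

Changes in header-name case or in whitespace alone do not show up in the result, because relaxed canonicalization removes them; only a change in the field value, such as the appended comment, does.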