alex:
> On 09/18/2011 07:41 PM, Wietse Venema wrote:
> > alex:
> >> On 09/17/2011 10:34 PM, Patrick Ben Koetter wrote:
> >>> * alex <m...@deltaindigo.ro>:
> >>>> Hi
> >>>>
> >>>> I have a problem with messages signed by my server. All messages
> >>>> sent from any email client (tb, webmail) fail verification with:
> >>>> dkim=softfail (fail, message has been altered)
> >>>> except messages sent from the command line (telnet, sendmail).
> >>>>
> >>>> Software used is: centos 6 (x86_64), postfix 2.8.0/2.8.5,
> >>>> dkim-milter-2.8.3-8.el6.x86_64, no content filtering.
> >>>> I can't find anything in my config that could modify the body of the
> >>>> message after it is signed.
> >>>>
> >>>> Any suggestions?
> >
> > A likely cause of breakage is that the sending application generates
> > email that is incompatible with RFC 5322 or RFC 5321 in some respect.
> >
> > - Lines longer than 990.
> >
> >   The Postfix SMTP client keeps the line length below the SMTP
> >   protocol limit of 1000 bytes including <CR><LF>. Since this change
> >   happens after signing, it will definitely break DKIM signatures.
> >
> >   To avoid long-line corruption problems send mail in quoted-printable
> >   or base64 encoding, with lines of at most 80 characters long.
> >
> > - Malformed line endings.
> >
> >   SMTP requires <CR><LF> line endings, and does not allow <CR> or
> >   <LF> characters in any other context.
> >
> >   The Postfix sendmail command expects UNIX-style <LF> line endings.
> >   It will also accept lines ending in <CR><LF> but you can't use
> >   mixed line ending styles in the same message.
> >
> > And so on. If you want to ensure that DKIM signatures survive, you
> > need to send email that is within the protocol specs; otherwise
> > you'll have to "normalize" the message before applying the DKIM
> > signature.
> >
> > Postfix is only an MTA. It is not a message normalizer.
> >
> > 	Wietse
> Hi
>
> All messages used to test the dkim signatures were sent with subject hhmm
> and body hhmm (ex 2126 hour 21 and 26 minutes) or with empty body.
> Nothing too complicated.
>
> Also in dkim-filter.conf I have:
>
> ## FixCRLF { yes | no }
> ##
> ## Requests that the library convert "naked" CR and LF characters to
> ## CRLFs during canonicalization. The default is "no".

This DOES NOT change the message - it just changes the way dkim-filter
computes the signature.

Instead, send email that is within the Internet email specs, and
you won't have to worry about line endings and such.

	Wietse
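
An added example, not part of the original thread: a pre-signing check for the two breakage causes listed in the reply (lines longer than 990 bytes, and bare or mixed line endings), plus the suggested remedy of sending the body as quoted-printable. The function names, addresses and sample messages are constructed for illustration; the 990-byte threshold is the one named in the reply.

```python
import re
from email.message import EmailMessage
from email.policy import SMTP

MAX_LINE = 990  # threshold from the reply; SMTP's limit is 1000 bytes including <CR><LF>

def lint_message(raw: bytes, max_line: int = MAX_LINE) -> list[tuple[str, int]]:
    """Return (issue, detail) pairs for properties an MTA may rewrite after signing."""
    findings = []
    crlf = len(re.findall(rb"\r\n", raw))
    bare_lf = len(re.findall(rb"(?<!\r)\n", raw))
    bare_cr = len(re.findall(rb"\r(?!\n)", raw))
    if bare_cr:
        findings.append(("bare-cr", bare_cr))        # <CR> without <LF>: count
    if crlf and bare_lf:
        findings.append(("mixed-endings", bare_lf))  # both styles present: bare <LF> count
    for number, line in enumerate(re.split(rb"\r?\n", raw), start=1):
        if len(line) > max_line:
            findings.append(("long-line", number))   # line number that would be re-wrapped
    return findings

def build_qp_message(body: str) -> bytes:
    """Encode the body as quoted-printable so every transmitted line stays short."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed addresses
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "2126"
    msg.set_content(body, cte="quoted-printable")
    return msg.as_bytes(policy=SMTP)     # SMTP policy emits <CR><LF> throughout

# Constructed sample inputs
LONG_BODY = "x" * 1500 + "\n"
RAW_LONG = b"Subject: 2126\n\n" + LONG_BODY.encode()
RAW_MIXED = b"Subject: 2126\r\n\r\nline one\nline two\r\n"

if __name__ == "__main__":
    for name, raw in [("long", RAW_LONG), ("mixed", RAW_MIXED),
                      ("qp", build_qp_message(LONG_BODY))]:
        print(name, lint_message(raw))
```

Running the check on the exact bytes handed to the signer shows whether anything downstream has a reason to alter the message after the signature is computed.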