alex:
> On 09/18/2011 07:41 PM, Wietse Venema wrote:
> > alex:
> >> On 09/17/2011 10:34 PM, Patrick Ben Koetter wrote:
> >>> * alex <[email protected]>:
> >>>> Hi
> >>>>
> >>>> I have a problem with messages signed by my server. All messages
> >>>> sent from any email client (tb, webmail) fail verification with:
> >>>> dkim=softfail (fail, message has been altered)
> >>>> except messages sent from command line (telnet, sendmail).
> >>>>
> >>>> Software used is: centos 6 (x86_64), postfix 2.8.0/2.8.5,
> >>>> dkim-milter-2.8.3-8.el6.x86_64, no content filtering.
> >>>> I can't find anything in my config that could modify the body of the
> >>>> message after it is signed.
> >>>>
> >>>> Any suggestions?
> >
> > A likely cause of breakage is that the sending application generates
> > email that is incompatible with RFC 5322 or RFC 5321 in some respect.
> >
> > - Lines longer than 990.
> >
> > The Postfix SMTP client keeps the line length below the SMTP
> > protocol limit of 1000 bytes including <CR><LF>. Since this change
> > happens after signing, it will definitely break DKIM signatures.
> >
> > To avoid long-line corruption problems send mail in quoted-printable
> > or base64 encoding, with lines at most 80 characters long.
> >
> > - Malformed line endings.
> >
> > SMTP requires <CR><LF> line endings, and does not allow <CR> or
> > <LF> characters in any other context.
> >
> > The Postfix sendmail command expects UNIX-style <LF> line endings.
> > It will also accept lines ending in <CR><LF> but you can't use
> > mixed line ending styles in the same message.
> >
> > And so on. If you want to ensure that DKIM signatures survive, you
> > need to send email that is within the protocol specs; otherwise
> > you'll have to "normalize" the message before applying the DKIM
> > signature.
> >
> > Postfix is only an MTA. It is not a message normalizer.
> >
> > Wietse
> Hi
>
> All messages used to test the dkim signatures were sent with subject hhmm
> and body hhmm (ex 2126 hour 21 and 26 minutes) or with empty body.
> Nothing too complicated.
>
> Also in dkim-filter.conf I have:
>
> ## FixCRLF { yes | no }
> ##
> ## Requests that the library convert "naked" CR and LF characters to
> ## CRLFs during canonicalization. The default is "no".

This DOES NOT change the message - it just changes the way dkim-filter
computes the signature.

Instead, send email that is within the Internet email specs, and you
won't have to worry about line endings and such.

Wietse
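
Added example, not part of the original thread: a pre-signing check for the two conditions named above (lines longer than 990 bytes, and bare or mixed line endings) that lead an MTA to alter a message after the DKIM signature has been computed. The function name, the `transport` parameter and the sample messages are hypothetical and constructed for illustration.

```python
import re

MAX_LINE = 990  # figure from the thread; SMTP's limit is 1000 bytes including <CR><LF>

def check_message(raw: bytes, transport: str = "smtp", max_line: int = MAX_LINE):
    """Return (kind, detail) findings for content an MTA may rewrite after signing.

    transport="smtp": only <CR><LF> line endings are allowed.
    transport="sendmail": all-<LF> or all-<CR><LF> is accepted, mixing is not.
    """
    findings = []
    crlf = len(re.findall(rb"\r\n", raw))
    bare_lf = len(re.findall(rb"(?<!\r)\n", raw))
    bare_cr = len(re.findall(rb"\r(?!\n)", raw))

    if bare_cr:
        findings.append(("bare-cr", f"{bare_cr} <CR> not followed by <LF>"))
    if transport == "smtp" and bare_lf:
        findings.append(("bare-lf", f"{bare_lf} <LF> not preceded by <CR>"))
    elif crlf and bare_lf:
        findings.append(("mixed-line-endings", f"{crlf} <CR><LF>, {bare_lf} <LF>"))

    # Measure each line without its terminator, whatever style it uses.
    for number, line in enumerate(re.split(rb"\r\n|\n|\r", raw), start=1):
        if len(line) > max_line:
            findings.append(("long-line", f"line {number} is {len(line)} bytes"))
    return findings

# Constructed sample messages (not taken from the thread).
CLEAN = b"Subject: 2126\r\n\r\n2126\r\n"
UNIX = b"Subject: 2126\n\n2126\n"
MIXED = b"Subject: 2126\r\n\n2126\n"
LONG = b"Subject: 2126\r\n\r\n" + b"A" * 1200 + b"\r\n"

if __name__ == "__main__":
    samples = [("clean/smtp", CLEAN, "smtp"), ("unix/sendmail", UNIX, "sendmail"),
               ("unix/smtp", UNIX, "smtp"), ("mixed/sendmail", MIXED, "sendmail"),
               ("long/smtp", LONG, "smtp")]
    for name, message, transport in samples:
        print(name, check_message(message, transport) or "ok")
```

Any finding means the bytes that get signed can differ from the bytes that get delivered, so the verifier reports the message as altered.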