[EMAIL PROTECTED] (Justin Mason) writes:
> It's pretty easy for normal mail transmission to break DK
> signatures
It sure is. Kai's and Pollywog's problems prompted me to investigate
why my own DK plugin was not verifying signatures from Yahoo! and
gmail.com. I filled SA's DomainKeys plugin and
Mail::DomainKeys::Signature.pm with debugging and got busy with -D.
It turns out that gmail.com encodes its outgoing email as
quoted-printable and signs the content-transfer-encoding header.
sendmail converts quoted-printable to 8bit, changing
Content-Transfer-Encoding accordingly, and the signature fails to
verify.
So, bang goes gmail.
I didn't have any Yahoo correspondence lying around for me to test so
I tried the autoresponders at dk.elandsys.com (thank you Matthew van
Eerde for the pointers). In Domainkeys 0.80 we have:
# FIXME: only needs to match the end of the domain
$prms{'Sender'}->host eq $self->domain or
$self->errorstr("domain " . $self->domain
. " does not match address " . $prms{'Sender'}->host),
return;
...and sure enough, elandsys.com does not match dk.elandsys.com.
That is easily fixed.
I see now why SA's default scores for DK rules are so low.
On the upside, my implementation of hashcash was so old that upgrading
it allowed me to add another four bits of work to each outgoing
message. Go, hashcash!
--
_________________________________________________________________________
Andrew Donkin Waikato University, Hamilton, New Zealand
