On Mon, Dec 01, 2008 at 05:55:28PM -0800, David Jonas wrote:

> We provide forwarding to external accounts (e.g. gmail.com) and it
> appears that in some cases postfix is invalidating the DKIM signatures.
> The most prominent and obvious case is eBay and PayPal where gmail is
> now bouncing/dropping messages where the signature doesn't match.

What version of Postfix are you using?

> I caused ebay to send an email to a gmail address and then to an address
> that forwards. Doing a diff between the messages shows this:
>
> # diff -u ebay-fail.txt ebay-pass.txt
> ...
> @@ -92,6 +83,7 @@
> Designated trademarks and brands are the property of their respective
> owner=
> s.
> eBay and the eBay logo are registered trademarks or trademarks of eBay,
> Inc=
> -=20
> +.=20
> eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.

Most likely Ebay sending software fails to implement RFC 821/2821/5281
correctly:

    http://tools.ietf.org/html/rfc5321#section-4.5.2

not much you can do about that. Postfix can't possibly know all the
places in which the Ebay software screwed up. The RFC is quite clear,
leading "." characters in SMTP are stripped regardless of the following
character. Some MTAs only trim "." when the next character is also a ".",
but this violates the RFC.

> Adding a "." to that line in the version that doesn't verify causes the
> message to verify.
>
> Is there something I can do to keep postfix from altering this? Am I
> barking up the right tree, or should I be verifying these and resigning
> them? Should I just tell my customers, "tough luck, use your gmail
> account directly?"

Always good to encourage users to use direct routes. In a spam-averse
world, forwarding often loses to anti-spam strategies that use or build
origin reputation.

-- 
	Viktor.
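
The dot-stuffing rule discussed in this message, as an added example that is not part of the original thread: it relays a constructed body modelled on the quoted diff through one SMTP hop, once with a sender that dot-stuffs and once with one that does not, and compares DKIM body hashes. The function names, the sample body, and the choice of "simple" canonicalization with SHA-256 are assumptions.

```python
import base64
import hashlib

# Constructed sample, modelled on the diff above: a quoted-printable soft
# line break leaves a line that starts with "." in the signed body.
SIGNED_BODY = (
    b"eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc=\r\n"
    b".=20\r\n"
    b"eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.\r\n"
)

def dot_stuff(body: bytes) -> bytes:
    """Sender side of RFC 5321 4.5.2: prepend '.' to each line starting with '.'."""
    return b"\r\n".join(
        b"." + line if line.startswith(b".") else line
        for line in body.split(b"\r\n"))

def dot_unstuff(wire: bytes) -> bytes:
    """Receiver side: delete one leading '.', whatever character follows it."""
    return b"\r\n".join(
        line[1:] if line.startswith(b".") else line
        for line in wire.split(b"\r\n"))

def relay(body: bytes, sender_stuffs: bool) -> bytes:
    """Body as stored by a compliant receiver after one SMTP hop."""
    wire = dot_stuff(body) if sender_stuffs else body
    return dot_unstuff(wire)

def dkim_body_hash(body: bytes) -> str:
    """bh= value for 'simple' body canonicalization with SHA-256 (assumed here)."""
    # Drop trailing empty lines, then end the body with exactly one CRLF.
    canon = body.rstrip(b"\r\n") + b"\r\n"
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

if __name__ == "__main__":
    for stuffs in (True, False):
        received = relay(SIGNED_BODY, stuffs)
        ok = dkim_body_hash(received) == dkim_body_hash(SIGNED_BODY)
        print(f"sender dot-stuffs={stuffs}: body hash {'matches' if ok else 'MISMATCH'}")
```

With the non-stuffing sender the received body contains `=20` where the signed body had `.=20`, which is the one-line difference shown in the quoted diff.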