Victor Duchovni wrote:
> On Mon, Dec 01, 2008 at 05:55:28PM -0800, David Jonas wrote:
>
>> We provide forwarding to external accounts (e.g. gmail.com) and it
>> appears that in some cases postfix is invalidating the DKIM signatures.
>> The most prominent and obvious case is eBay and PayPal where gmail is
>> now bouncing/dropping messages where the signature doesn't match.
>>
>
> What version of Postfix are you using?
>

2.3.8 and 2.4.6-- yea, we're a little behind. Perhaps I'll bring us up to
2.5 today.

>> I caused ebay to send an email to a gmail address and then to an address
>> that forwards. Doing a diff between the messages shows this:
>>
>> # diff -u ebay-fail.txt ebay-pass.txt
>> ...
>> @@ -92,6 +83,7 @@
>> Designated trademarks and brands are the property of their respective
>> owner=
>> s.
>> eBay and the eBay logo are registered trademarks or trademarks of eBay,
>> Inc=
>> -=20
>> +.=20
>> eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.
>>
>
> Most likely Ebay sending software fails to implement RFC 821/2821/5281
> correctly:
>
> http://tools.ietf.org/html/rfc5321#section-4.5.2
>
> not much you can do about that. Postfix can't possibly know all
> the places in which the Ebay software screwed up.
>
> The RFC is quite clear, leading "." characters in SMTP are stripped
> regardless of the following character. Some MTAs only trim "." when
> the next character is also a ".", but this violates the RFC.
>

I will attempt to file a bug with eBay/PayPal. Thanks. I'm going to try
to set up a clean environment (no processing at all) to make sure this is
definitely real and not just a side effect. Nothing touches the body right
now, but the message does get juggled a bit before being sent out again.

>> Adding a "." to that line in the version that doesn't verify causes the
>> message to verify.
>>
>> Is there something I can do to keep postfix from altering this? Am I
>> barking up the right tree, or should I be verifying these and re-signing
>> them? Should I just tell my customers, "tough luck, use your gmail
>> account directly?"
>>
>
> Always good to encourage users to use direct routes. In a spam-averse
> world, forwarding often loses to anti-spam strategies that use or
> build origin reputation.
>

Indeed. I would like to do away with it altogether on our system. It is
the source of much trouble.
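
The failure mode discussed in this thread, as an added example that is not part of the original messages: a signer hashes a body containing a line that starts with ".", the sending software skips the dot-stuffing step from RFC 5321 section 4.5.2, and an RFC-compliant receiver strips the dot, so the DKIM body hash no longer matches. The function names, the sample body, and the choice of "simple" body canonicalization with SHA-256 are assumptions made for illustration; the SMTP end-of-data line is not modelled.

```python
import base64
import hashlib

CRLF = b"\r\n"

def dot_stuff(body: bytes) -> bytes:
    """Sending client, RFC 5321 section 4.5.2: add a '.' before any line starting with '.'."""
    return CRLF.join(b"." + ln if ln.startswith(b".") else ln for ln in body.split(CRLF))

def dot_unstuff(wire: bytes) -> bytes:
    """Receiving server: drop one leading '.' from each line, whatever character follows."""
    return CRLF.join(ln[1:] if ln.startswith(b".") else ln for ln in wire.split(CRLF))

def dkim_body_hash(body: bytes) -> str:
    """bh= value for 'simple' body canonicalization (RFC 6376 section 3.4.3) with SHA-256."""
    canon = body.rstrip(b"\r\n") + CRLF  # ignore trailing empty lines, end with one CRLF
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")

def relay(body: bytes, sender_stuffs: bool) -> bytes:
    """Body as stored by an RFC-compliant receiving MTA after one SMTP hop."""
    wire = dot_stuff(body) if sender_stuffs else body
    return dot_unstuff(wire)

def signature_survives(body: bytes, sender_stuffs: bool) -> bool:
    """True if the body hash computed by the signer still matches after the hop."""
    return dkim_body_hash(relay(body, sender_stuffs)) == dkim_body_hash(body)

# Constructed sample modelled on the diff in the thread: a quoted-printable soft
# line break ("Inc=") leaves the next physical line starting with ".".
SIGNED_BODY = (
    b"eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc=\r\n"
    b".=20\r\n"
    b"eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.\r\n"
)

if __name__ == "__main__":
    for stuffs in (True, False):
        received = relay(SIGNED_BODY, stuffs)
        print(f"sender dot-stuffs={stuffs}: line 2 = {received.split(CRLF)[1]!r}, "
              f"bh matches = {signature_survives(SIGNED_BODY, stuffs)}")
```

A receiver that only trims "." when the next character is also "." would leave the unstuffed line intact, which is consistent with the direct delivery verifying while the forwarded copy does not.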