Quoting David Jonas ([EMAIL PROTECTED]):
> We provide forwarding to external accounts (e.g. gmail.com) and it
> appears that in some cases postfix is invalidating the DKIM signatures.
> The most prominent and obvious case is eBay and PayPal where gmail is
> now bouncing/dropping messages where the signature doesn't match.
>
> I caused ebay to send an email to a gmail address and then to an address
> that forwards. Doing a diff between the messages show this:
>
> # diff -u ebay-fail.txt ebay-pass.txt
> ...
> @@ -92,6 +83,7 @@
> Designated trademarks and brands are the property of their respective
> owner=
> s.
> eBay and the eBay logo are registered trademarks or trademarks of eBay,
> Inc=
> -=20
> +.=20
> eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.
>
> Adding a "." to that line in the version that doesn't verify causes the
> message to verify.
>
> Is there something I can do to keep postfix from altering this? Am I
> barking up the right tree, or should I be verifying these and resigning
> them? Should I just tell my customers, "tough luck, use your gmail
> account directly?"
>
> Any help is appreciated.

Not body related but Paypal includes headers in the DKIM header
specification that do not exist when they originate the message, but
some of those headers may be added when a message is forwarded.

  h=from:sender:reply-to:subject:date:message-id:to:cc:
  mime-version:content-transfer-encoding:content-id:
  content-description:resent-date:resent-from:resent-sender:
  resent-to:resent-cc:resent-message-id:in-reply-to:
  references:list-id:list-help:list-unsubscribe:
  list-subscribe:list-post:list-owner:list-archive;

We add a Resent-From: header to forwarded mail to satisfy Hotmail's
SenderID crap.  That additional header causes the signature check to
fail at Gmail.

Yet another policy daemon that only prepends a Resent-From: header for
Hotmail would be a solution but I'm quite tired of fixing problems
created by others.

John Capo
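
Added example, not part of the original thread: a small Python check that applies the header selection rule of RFC 6376 section 5.4.2 to the h= list quoted above and reports which signed fields a forwarder changed. The two messages and their addresses are constructed sample data and the function names are hypothetical; values are compared raw, without DKIM canonicalization.

```python
from email import message_from_string

# h= value quoted in the reply above (PayPal signature).
H_TAG = """from:sender:reply-to:subject:date:message-id:to:cc:
 mime-version:content-transfer-encoding:content-id:
 content-description:resent-date:resent-from:resent-sender:
 resent-to:resent-cc:resent-message-id:in-reply-to:
 references:list-id:list-help:list-unsubscribe:
 list-subscribe:list-post:list-owner:list-archive;"""

# Constructed sample messages: as sent, and after a forwarding hop.
ORIGINAL = (
    "From: service@example.com\n"
    "To: user@example.net\n"
    "Subject: Receipt\n"
    "Date: Tue, 01 Jan 2008 00:00:00 +0000\n"
    "Message-ID: <1@example.com>\n"
    "\nbody\n"
)
FORWARDED = ("Resent-From: user@example.net\n"
             "Received: from mx.example.net\n" + ORIGINAL)

def parse_h_tag(h):
    """Split an h= value into lowercase field names, dropping folding."""
    return [n.strip().lower() for n in h.replace(";", "").split(":") if n.strip()]

def select_signed(h_names, raw_message):
    """Return [(name, value-or-None)] in h= order.

    Each occurrence of a name in h= consumes the next instance of that
    field counting from the bottom of the header block. A name with no
    instance left is signed as empty input (None here), so adding that
    field later changes what the verifier hashes.
    """
    remaining = {}
    for name, value in message_from_string(raw_message).items():
        remaining.setdefault(name.lower(), []).append(value)
    selected = []
    for name in h_names:
        stack = remaining.get(name, [])
        selected.append((name, stack.pop() if stack else None))
    return selected

def fields_broken_by_forwarding(h, original, forwarded):
    """Names in h= whose selected instance differs between the two copies."""
    names = parse_h_tag(h)
    before = select_signed(names, original)
    after = select_signed(names, forwarded)
    return [n for (n, b), (_, a) in zip(before, after) if a != b]

if __name__ == "__main__":
    print(fields_broken_by_forwarding(H_TAG, ORIGINAL, FORWARDED))
```

The added Received: header is not listed in h= and so is not reported; only the Resent-From: field, signed while absent, shows up as changed.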