At 3:19 PM 4/4/07, Kyle Wheeler wrote:
> It seems to me that if that's all you want to use it for, it should
> be re-written as a wrapper around qmail-remote.
Maybe. There's been a lot of discussion here about signing in
qmail-remote vs. qmail-queue. There are pros and cons to each
approach.
> I don't entirely understand this. Does DKEXCLUDEHEADERS apply to signing only?
Well, that environment variable applies only to signing.
> Does it honor exclusions in the DK header?
I don't think it does. That's another reason not to use it for verification.
> Does it *generate* an exclusion message in the DK header?
No, it generates an INCLUSION message (h=...), which specifies the
headers that are not listed in DKEXCLUDEHEADERS. Apparently, that's
what the DK specification calls for. Here's what a signature on one
of my messages looks like, as generated by the patched qmail-dk:
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
    s=default; d=jmatt.net;
    b=GYu6Wo6c4fiBl+AVljlmQ8VsSnWTYee9gUXzFmxdxmS34DqQkwF0rr9RAIyv35sLKtv+SjoG8BgC1GqcUk2O4rDg+o6rQ5VxW2Dh9i0/Z4aZKlIX2T3+2+6ngiNdTcbB30B2/FK7OKf6FkPnAOZpXSaXyKy5UgUq+vOkJ9bzXzE=;
    h=Received:Mime-Version:Message-Id:Date:From:Subject:Mime-Version:Content-Type;
> And, unless I'm misunderstanding this code, it is very broken for
> headers that span multiple lines.
It might be. I don't know.
At 10:49 PM 4/4/07, Phil wrote:
> when I set it up to sign all messages that were being relayed through
> my server, qmail-dk would sign and forward mail that didn't already
> have a signature, but die with "554 mail server permanently rejected
> message (#5.3.0)" for mail messages that already had a signature.
> Anyone else noticed this?
Maybe. I think that's the problem I ran into as an indirect result
of trying to sign bounce messages. Normally, I invoke qmail-dk by
setting QMAILQUEUE as necessary, either in the qmail-smtpd run script
for relay clients, or by setting it in tasks that generate mail
locally. But when I wanted to sign bounce messages, it appeared that
the only way to make that happen was to set it in the qmail-send run script,
which caused qmail-dk to be invoked every time a message was queued.
My bounce messages got signed correctly. And most mail was delivered
properly. But incoming messages that got queued more than once,
because of aliases, forwarding, etc., got that rejection message. I'm
pretty sure that it was that second trip through qmail-dk that caused
the problem, although I'm not sure exactly why. Wrapping the signing
function around qmail-remote instead of qmail-queue would probably
fix that problem.
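To make the two points above concrete (the h= tag is an inclusion list built from the message's headers minus DKEXCLUDEHEADERS, and a header folded over several lines must be treated as one header), here is an added example that is not code from qmail-dk or from anyone on this list. It assumes DKEXCLUDEHEADERS is a colon-separated list of header names; the sample header block is constructed.

```python
"""Added example (not qmail-dk's code): build the DomainKeys h= inclusion
list as the thread describes, every header present in the message except
those named in DKEXCLUDEHEADERS, while unfolding multi-line headers so a
folded header counts once instead of producing bogus extra names."""

# Constructed sample header block: Received and Subject are folded.
SAMPLE_HEADERS = (
    "Received: from mail.example.test (mail.example.test [192.0.2.10])\r\n"
    "\tby mx.example.test with ESMTP id ABC123;\r\n"
    "\tWed, 4 Apr 2007 15:19:00 -0500\r\n"
    "Mime-Version: 1.0\r\n"
    "Message-Id: <constructed@example.test>\r\n"
    "Date: Wed, 4 Apr 2007 15:19:00 -0500\r\n"
    "From: sender@example.test\r\n"
    "Subject: folded header\r\n"
    "  test\r\n"
    "Content-Type: text/plain\r\n"
    "X-Internal-Note: should be excluded\r\n"
)


def unfold_headers(raw):
    """Return (name, value) pairs. A line starting with SP or HTAB is an
    RFC 2822 continuation and is appended to the previous header's value."""
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        if line[0] in " \t":
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed header line: %r" % line)
            headers.append((name.strip(), value.strip()))
    return headers


def inclusion_list(raw, exclude_env=""):
    """Compute the h= value: header names in message order, minus those in
    exclude_env (assumed colon-separated, compared case-insensitively)."""
    excluded = {n.strip().lower() for n in exclude_env.split(":") if n.strip()}
    names = [name for name, _ in unfold_headers(raw) if name.lower() not in excluded]
    return ":".join(names)


if __name__ == "__main__":
    print("h=" + inclusion_list(SAMPLE_HEADERS, "X-Internal-Note:Return-Path"))
```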