RE: Double signing

From: Murray S. Kucherawy <>
Date: Fri, 4 Mar 2011 09:02:33 -0800

> -----Original Message-----
> From: [] On Behalf Of Steve Jenkins
> Sent: Thursday, March 03, 2011 12:17 PM
> To:
> Subject: Double signing
> Someone just posted a question on my blog referencing these headers,
> and asking why two OpenDKIM signatures are there:
> [...]

I was hoping a postfix user would pipe up, but here I am just to break the silence...

Just about the only way I can think of this occurring is that the same message is passed to the filter twice somehow before it goes out. I'm not a postfix user so I couldn't say how this might occur in such a setup. The logs should give you some hints about the sequence of events (e.g. does the queue ID change between signing actions?).

The idea for fixing this would be one or more of the following:

1) Check the postfix configuration to see if there's some way the filter might hear about the same message twice. It has the notion of "smtpd_milters" and "non_smtpd_milters", so maybe opendkim is referenced in both places or something like that.

2) Check the logs to see how you might be able to distinguish the two instances. For example if one is coming in over the localhost address while the other is coming in over some non-localhost address, you could add one or the other to the PeerList so that the filter simply ignores one of them outright.

3) Have the reinjection step change the From: so that there's a hit in the SigningTable for one instance of the message but not the other. (You alluded to this idea in your email.)

4) Use a setup script (one of the Lua hooks) to make the signing determination rather than a SigningTable, and only use odkim.sign() if there's not already a signature on the message, or if it comes in over a particular interface or with particular other properties, etc.

Received on Fri Mar 04 2011 - 17:02:40 PST
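A diagnostic for the double-signing case discussed in this message, added here as an example and not part of the original email or of OpenDKIM: it groups a message's DKIM-Signature headers by d= and s= and reports any pair that signed more than once. The function names, the sample message and its tag values are constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string

# Constructed sample: one message carrying two signatures from the same domain/selector.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
\ts=default; t=1299171400; bh=AAAA; h=From:To:Subject;
\tb=SECONDPASS
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
\ts=default; t=1299171399; bh=AAAA; h=From:To:Subject;
\tb=FIRSTPASS
From: sender@example.com
To: rcpt@example.net
Subject: test

body
"""

def parse_tags(raw):
    """Unfold a DKIM-Signature value and split its tag=value list (RFC 6376, 3.2)."""
    tags = {}
    for part in " ".join(str(raw).split()).split(";"):
        name, sep, value = part.partition("=")  # first '=' only: b= may end in '='
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def find_double_signing(raw_message):
    """Return one record per (d=, s=) pair that signed the message more than once."""
    msg = message_from_string(raw_message)
    groups = defaultdict(list)
    for raw in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(raw)
        groups[(tags.get("d", "").lower(), tags.get("s", ""))].append(tags)
    findings = []
    for (domain, selector), sigs in groups.items():
        if len(sigs) < 2:
            continue
        findings.append({
            "domain": domain, "selector": selector, "count": len(sigs),
            # t= is optional; keep only well-formed timestamps
            "timestamps": sorted(int(s["t"]) for s in sigs if s.get("t", "").isdigit()),
            # identical bh= means the body was unchanged between signing passes
            "same_body_hash": len({s.get("bh") for s in sigs}) == 1,
        })
    return findings

if __name__ == "__main__":
    print(find_double_signing(SAMPLE))
```

A hit with the same body hash and closely spaced timestamps is consistent with the same message reaching the filter twice; the mail log's queue IDs for those times show which path each pass took.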
