Re: AlwaysSignHeaders causing messages not to verify

From: L. David Baron <>
Date: Wed, 4 May 2011 16:08:00 -0700

On Wednesday 2011-05-04 15:35 -0700, Murray S. Kucherawy wrote:
> This shows the difference. The first one fails because you requested signing of a Content-Disposition field which was apparently not there at the time of signing (i.e., it's missing from the "z=" tag), but was added later (i.e., it's there in the final message).
> Naming a field in "h=" that's not there when signing causes its later addition to render the signature invalid. That's consistent with the protocol (RFC4871).
> Since the second one didn't sign the non-existent Content-Disposition field, it passes.
> The other fields listed in AlwaysSignHeaders don't seem to be there in the final message, so I suspect if you remove just that one from your list, both will verify.

Thanks for the help. It looks like:
 * My old setup with dkim-milter was ignoring the stuff at the end
   of the AlwaysSignHeaders line (it definitely honored "references"
   and ignored "cc" and "content-disposition"), so I didn't see this
   problem before.
 * Postfix does something to add Content-Disposition: inline later
   in the process than the dkim signing

Removing Content-Disposition from AlwaysSignHeaders works.


L. David Baron                       
Mozilla Corporation             
Received on Wed May 04 2011 - 23:08:17 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:17 PST