Re: DKIM verification failures due to message body change when using HTML email

From: Quanah Gibson-Mount <>
Date: Mon, 03 Dec 2012 12:08:02 -0800

--On Monday, December 03, 2012 11:09 AM -0800 "Murray S. Kucherawy"
<> wrote:

> On Mon, 3 Dec 2012, Quanah Gibson-Mount wrote:
>> [...]
>> where it looks like someone found an issue with mail using HTML that is
>> signed by OpenDKIM. Is this a bug on the OpenDKIM side or in the Amavis
>> verification side of things?
> Generally speaking, neither the filter nor the library know anything
> about the format of the content being signed or verified. HTML is the
> same as any other content, even binary.
> Further, the filter itself never changes the content passing through the
> MTA. In fact, it's not capable of doing so (even though milter is
> capable of it) because it neither makes the call nor does it negotiate
> for that permission from the MTA.
> The only things that leap to mind are canonicalization issues, which
> would be related to the way the content was provided to the filter and/or
> the library and not related to the format being used.
> The same canonicalization and hash generation code is used during signing
> and verifying, so processing is symmetric.
> I'm inclined to think some agent positioned between the signer and the
> verifier is doing something funky with HTML email.

Ok. I do see they have their own AV scanner we don't normally use with

X-Cyberoam-AV-Policy: wlasne_nie_skanuj

Perhaps that is what is doing it.


Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra ::  the leader in open source messaging and collaboration
Received on Mon Dec 03 2012 - 20:08:45 PST

This archive was generated by hypermail 2.3.0 : Mon Dec 03 2012 - 20:18:01 PST