ddx - Re: [ddx] DKIM and forwarding

Subject: DKIM Deployment

  • From: Jim Fenton <>
  • To: Jesse Thompson <>
  • Cc:
  • Subject: Re: [ddx] DKIM and forwarding
  • Date: Wed, 13 Jan 2010 16:27:13 -0800
  • Authentication-results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none

Jesse Thompson wrote:
> Hi Jim,
>
> The Info-IMS list is the discussion list for Sun Java System Messaging Server (formerly Sun ONE Messaging Server, formerly iPlanet Messaging Server, which has roots from Sun Internet Mail Server, Netscape Messaging Server, and PMDF.)
>
> Ned is a developer for this product. Here is another quote from Ned's other message in this thread.
>
> " attempting to keep DKIM signatures intact across multiple hops is
> an exercise in futility, so there is no point in pursuing this or
> any of the dozens of other things you'd have to do to even stand a
> chance of this working."

I don't see why multiple hops are a problem; it isn't as though the bits fade or anything! It does, perhaps, increase the likelihood that some MTA along the line is going to fiddle with the message, but in practice most messages pass between domains on only one hop. That's the part of the message transit that you need to worry about, because it's not under the control of either the signer or verifier.

> SJSMS is a popular MTA with large ISPs, so your last statement about there not being a problem with DKIM signatures breaking "in practice" seems unlikely.
>
> I was asking why SJSMS made the following changes to messages from Yahoo, which caused DKIM signatures to fail.
>
> 1. changing the case of header names
> e.g. s/Message\-ID/Message\-id/
>
> #2. changing the value of the Content-type header
> # s/charset=us\-ascii/CHARSET=US\-ASCII/
> # this one might be due to a misconfiguration

These are both pretty silly -- changing the case of case-insensitive values.

> 3. reformatting the Date header

Shouldn't this really be a user agent function?

I'm not familiar with this product -- is this like Microsoft Exchange, something that is used to manage messages within a domain, with SMTP to receive and send messages from/to the outside world? If so, it should sign messages on the way out, and verify messages on the way in. It should not modify messages, and then attempt to verify them because it's not going to work.

-Jim
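
The three in-transit rewrites listed in this message can be checked against DKIM's two header canonicalization algorithms (RFC 6376, section 3.4). The following is an added example, not part of the original message or of any product discussed in it; the header values are constructed, the exact form of the Date rewrite is an assumption, and the thread does not say which canonicalization the affected signatures used.

```python
import re

def canonicalize(field: str, mode: str) -> str:
    """Canonicalize one header field as DKIM hashes it (RFC 6376 3.4.1/3.4.2)."""
    if mode == "simple":
        # "simple" tolerates no change at all: the field is hashed as sent.
        return field + "\r\n"
    name, value = field.split(":", 1)
    value = re.sub(r"\r\n(?=[ \t])", "", value)         # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")  # collapse and trim whitespace
    # "relaxed" lowercases the field NAME only; the value's case is preserved.
    return name.strip(" \t").lower() + ":" + value + "\r\n"

def survives(original: str, modified: str, mode: str) -> bool:
    """True if the relay's rewrite leaves the signed header hash input unchanged."""
    return canonicalize(original, mode) == canonicalize(modified, mode)

# Constructed before/after pairs modelling the three rewrites named in the thread.
CHANGES = {
    "header name case": (
        "Message-ID: <1234@example.com>",
        "Message-id: <1234@example.com>",
    ),
    "Content-Type value case": (
        "Content-Type: text/plain; charset=us-ascii",
        "Content-Type: text/plain; CHARSET=US-ASCII",
    ),
    "Date reformatted": (  # assumed rewrite: same instant, different zone
        "Date: Wed, 13 Jan 2010 16:27:13 -0800",
        "Date: Thu, 14 Jan 2010 00:27:13 +0000",
    ),
}

def report() -> dict:
    """Map each rewrite to whether a signature survives it under each mode."""
    return {
        label: {m: survives(before, after, m) for m in ("simple", "relaxed")}
        for label, (before, after) in CHANGES.items()
    }

if __name__ == "__main__":
    for label, result in report().items():
        print(f"{label:26} simple={result['simple']!s:5} relaxed={result['relaxed']}")
```

Only the header-name case change is absorbed, and only under relaxed canonicalization; the value-case and Date rewrites alter the hash input under both modes, so a verifier downstream of such a relay would see those signatures fail.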
