adding/enabling 'SignHeaders' in v1.2.2 config causes fail 2 sign, "DKIM: The From header field MUST be signed",
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| dkimpy-milter |
Fix Released
|
Medium
|
Scott Kitterman | ||
Bug Description
i've installed
pip show dkimpy-milter
Name: dkimpy-milter
Version: 1.2.2
Summary: Domain Keys Identified Mail (DKIM) signing/verifying milter for Postfix/Sendmail.
Home-page: https:/
Author: Scott Kitterman
Author-email: <email address hidden>
License: UNKNOWN
Location: /usr/local/
Requires: pymilter, PyNaCl, Py3DNS, dkimpy, authres
Required-by:
on
python -V
Python 3.8.6
grep _NAME /etc/os-release
PRETTY_
CPE_NAME=
as an outbound, signing milter for
postconf mail_version
mail_version = 3.5.7
with config,
dkimpy-milter.conf
...
#SignHeaders
...
outbound mail's correctly signed
Oct 25 14:21:07 mx.example.com dkimpy-
Oct 25 14:21:07 mx.example.com dkimpy-
Oct 25 14:21:07 mx.example.com dkimpy-
and verifies/passes at all test sites.
adding _any_ SignHeaders values to config, changing _only_
dkimpy-milter.conf
...
- #SignHeaders
...
+ SignHeaders From
or
+ SignHeaders From,Sender,
or
+ SignHeaders From,Sender,
outbound mail -- (re)sending the same mail -- logs,
Oct 25 14:59:32 mx.example.com dkimpy-
Oct 25 14:59:32 mx.example.com dkimpy-
Oct 25 14:59:32 mx.example.com dkimpy-
and the mail's sent unsigned.
| Birgit Edel (biredel) wrote | #1 |
| Scott Kitterman (kitterman) wrote | #2 |
| Changed in dkimpy-milter: | |
| importance: | Undecided → Medium |
| milestone: | none → 1.2.3 |
| status: | New → Triaged |
| Changed in dkimpy-milter: | |
| status: | Triaged → Fix Committed |
| assignee: | nobody → Scott Kitterman (kitterman) |
| Changed in dkimpy-milter: | |
| status: | Fix Committed → Fix Released |
Workaround: Place to-be-signed header names - one per line, oversigned headers occurring twice - in a separate file.
SignHeaders file:/etc/
The config parser does not read comma separated lists as expected for OpenDKIM compatibility, but the file option works.