Re: Signature from a particular email provider failing
On Sun, 23 May 2010, feisar wrote:
> Here's the strange thing. Mail from the email provider
> Bluebottle[dot]com verifies fine if it's sent to one recipient on my
> server, however, it fails if it is sent to two or more recipients:
>[...]
>
> 2.
> opendkim[14659]: (unknown-jobid) mi0.bluebottle[dot]com [ipaddress] not internal
> opendkim[14659]: (unknown-jobid) not authenticated
> opendkim[14659]: (unknown-jobid) mi0.bluebottle[dot]com [ipaddress] not internal
> opendkim[14659]: (unknown-jobid) not authenticated
> opendkim[14659]: 39C653F92 SSL error:04077068:rsa routines:RSA_verify:bad signature
> opendkim[14659]: 39C653F92: bad signature data
> opendkim[14659]: 37D583F16 SSL error:04077068:rsa routines:RSA_verify:bad signature
> opendkim[14659]: 37D583F16: bad signature data
Note that this is two different jobs, not two recipients on one job.
> I have access to a Bluebottle account and have sent an email to the
> automatic tester at port25[dot]com. The result is that it passes DKIM
> but fails DK ('Result: fail (bad signature)'). I did not enable
> '--with-domainkeys' when compiling so that shouldn't matter but could it
> be an issue?
We'd have to see an example message to do anything other than guess. I
have seen common rewrites that might damage a signature, i.e. an MTA that
tries to be "helpful" by altering a message that's already been signed so
that the header looks nice. For example:

    From:foo,bar

... might be changed to:

    From: foo, bar

Unless the signer is using relaxed canonicalization for the header block,
such a rewrite will make it impossible for the signature to verify once
that rewrite is done.

Another example is the use of unquoted periods in a header. For example,
if one were to sign this:

    From: John Q. Public <jqpublic_at_example.com>

This is actually invalid mail syntax, so some MTA along the line might
rewrite it for you to:

    From: "John Q. Public" <jqpublic_at_example.com>

... which would break the signature even if "relaxed" were in use.

Are you able to capture a sample message, preferably right after signing?
Another helpful item would be a message from Bluebottle that contains a
signature with a "z=" tag.

-MSK
Received on Sun May 23 2010 - 05:20:53 PST
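
An added example (not part of the original thread and not OpenDKIM code): a small implementation of the RFC 6376 "simple" and "relaxed" header canonicalizations, used to check which kinds of in-transit header rewrite each mode absorbs. The header pairs are constructed, partly from the headers quoted in the message above, and `survives` is a hypothetical helper name.

```python
import re

def canon_simple(header: str) -> str:
    """RFC 6376 'simple' header canonicalization: the field is hashed unchanged."""
    return header.rstrip("\r\n") + "\r\n"

def canon_relaxed(header: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    name, _, value = header.partition(":")
    value = re.sub(r"\r?\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)         # collapse each WSP run to one SP
    value = value.strip(" \t\r\n")                # drop WSP after the colon and at the end
    return f"{name.strip().lower()}:{value}\r\n"  # lowercase name, no WSP before colon

def survives(signed: str, received: str) -> dict:
    """Report whether a signature made over `signed` can still match `received`.

    The verifier hashes the canonical form, so equal canonical forms mean the
    header hash is unchanged; different forms mean verification fails.
    """
    return {
        "simple": canon_simple(signed) == canon_simple(received),
        "relaxed": canon_relaxed(signed) == canon_relaxed(received),
    }

# Constructed (header as signed, header as delivered) pairs.
CASES = [
    ("space added after colon", "From:foo,bar", "From: foo,bar"),
    # Relaxed only collapses whitespace that already exists; a space
    # inserted where there was none still changes the canonical form.
    ("space also added after comma", "From:foo,bar", "From: foo, bar"),
    ("recased and unfolded", "FROM: foo,\r\n  bar", "From: foo, bar"),
    ("display name quoted",
     "From: John Q. Public <jqpublic_at_example.com>",
     'From: "John Q. Public" <jqpublic_at_example.com>'),
]

if __name__ == "__main__":
    for label, signed, received in CASES:
        result = survives(signed, received)
        print(f"{label:30} simple={result['simple']!s:5} relaxed={result['relaxed']}")
```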