Re: Signature from a particular email provider failing

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Sat, 22 May 2010 22:20:34 -0700 (PDT)

On Sun, 23 May 2010, feisar wrote:
> Here's the strange thing. Mail from the email provider
> Bluebottle[dot]com verifies fine if it's sent to one recipient on my
> server, however, it fails if it is sent to two or more recipients:
>[...]
>
> 2.
> opendkim[14659]: (unknown-jobid) mi0.bluebottle[dot]com [ipaddress] not internal
> opendkim[14659]: (unknown-jobid) not authenticated
> opendkim[14659]: (unknown-jobid) mi0.bluebottle[dot]com [ipaddress] not internal
> opendkim[14659]: (unknown-jobid) not authenticated
> opendkim[14659]: 39C653F92 SSL error:04077068:rsa routines:RSA_verify:bad signature
> opendkim[14659]: 39C653F92: bad signature data
> opendkim[14659]: 37D583F16 SSL error:04077068:rsa routines:RSA_verify:bad signature
> opendkim[14659]: 37D583F16: bad signature data

Note that this is two different jobs, not two recipients on one job.

> I have access to a Bluebottle account and have sent an email to the
> automatic tester at port25[dot]com. The result is that it passes DKIM
> but fails DK ('Result: fail (bad signature)'). I did not enable
> '--with-domainkeys' when compiling so that shouldn't matter but could it
> be an issue?

We'd have to see an example message to do anything other than guess. I
have seen common rewrites that might damage a signature, i.e. an MTA that
tries to be "helpful" by altering a message that's already been signed so
that the header looks nice. For example:

         From:foo,bar

... might be changed to:

         From: foo, bar

Unless the signer is using relaxed canonicalization for the header block,
such a rewrite will make it impossible for the signature to verify once
that rewrite is done.

Another example is the use of unquoted periods in a header. For example,
suppose one were to sign this:

         From: John Q. Public <jqpublic_at_example.com>

This is actually invalid mail syntax, so some MTA along the line might
rewrite it for you to:

         From: "John Q. Public" <jqpublic_at_example.com>

... which would break the signature even if "relaxed" were in use.

Are you able to capture a sample message, preferably right after signing?
Another helpful item would be a message from Bluebottle that contains a
signature with a "z=" tag.

-MSK
Received on Sun May 23 2010 - 05:20:53 PST
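
An added example (not part of the original message and not OpenDKIM code): the RFC 6376 "simple" and "relaxed" header canonicalizations in Python, used to check which kinds of header rewrite leave the signed form of a field unchanged. The sample headers and the names `canon_simple`, `canon_relaxed`, `survives` and `CASES` are constructed for illustration, and the cases go beyond the message by separating a space added after the colon from a space added inside the value.

```python
import re

def canon_simple(field: str) -> str:
    """RFC 6376 3.4.1: the header field is hashed exactly as received."""
    return field

def canon_relaxed(field: str) -> str:
    """RFC 6376 3.4.2: relaxed canonicalization of a single header field."""
    name, _, value = field.partition(":")
    value = re.sub(r"\r?\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)         # each WSP run becomes one SP
    value = value.strip(" \t\r\n")                # no WSP after colon or at end
    return name.rstrip(" \t").lower() + ":" + value + "\r\n"

def survives(signed: str, received: str) -> dict:
    """Is the canonical form identical before and after the rewrite?"""
    return {
        "simple": canon_simple(signed) == canon_simple(received),
        "relaxed": canon_relaxed(signed) == canon_relaxed(received),
    }

# Constructed samples: (field as signed, field after an MTA rewrite).
CASES = {
    "space added after colon":
        ("From:foo,bar\r\n", "From: foo,bar\r\n"),
    # Relaxed only collapses existing whitespace runs; a space inserted
    # where the value had none still changes the canonical form.
    "space added inside value":
        ("From:foo,bar\r\n", "From: foo, bar\r\n"),
    "refolded, name case changed":
        ("Subject: a   b\r\n", "SUBJECT:a\r\n b\r\n"),
    "display name quoted":
        ("From: John Q. Public <jqpublic@example.com>\r\n",
         'From: "John Q. Public" <jqpublic@example.com>\r\n'),
}

if __name__ == "__main__":
    for label, (signed, received) in CASES.items():
        result = survives(signed, received)
        print(f"{label:30} simple={result['simple']!s:5} "
              f"relaxed={result['relaxed']}")
```

Running the same comparison on a captured message, against the original header values preserved in a signature's "z=" tag, shows which field was altered in transit.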