Re: Rejected messages from the mailing list

From: Alessandro Vesely <vesely_at_tana.it>
Date: Mon, 02 Aug 2010 14:37:39 +0200

On 02/Aug/10 12:29, SM wrote:
> One of the subscribers to this mailing list is rejecting messages from
> the list. The remote MTA returns a "550 DKIM signature required by
> policy" reply.

Oops, it's me, or someone else having enabled ADSP on zdkimfilter.

BTW, source now says "554 DKIM signature required by ADSP" --not released yet.

> The rejection is triggered when the domain used by the poster has a
> "dkim=all" ADSP policy. This mailing list adds a DKIM signature to
> the message but it does not alter the message or remove the
> existing DKIM signature.

It breaks most of the time, though. (About 3:1 in my current folder)

> It seems that the DKIM verifier is only checking the top-most DKIM
> signature instead of all the DKIM signatures. That would explain the
> policy rejection.

Zdkimfilter has whitelisting options, and orders signatures according to their domain being author, whitelisted, sender, helo, using dkim_set_final. Then, the library delivers the first verified signature. However, I had forgotten to whitelist opendkim.org :-/

> As this mailing list is about discussing OpenDKIM and also
> debugging it, it would be helpful if you do not apply ADSP policy for
> mail traffic from this mailing list.

I've now disabled ADSP actions, as it should be --and is, by default. Obviously, I cannot rely on remembering to whitelist each list. In addition, whitelisting by signing domain wouldn't work in case a signature fails. (Apparently, SPF is more reliable for whitelisting.)

The message I'm replying to, for example, has a failed signature. I suspect the Content-Type field. What I received has:

Authentication-Results: wmail.tana.it;
  dkim=fail (signature verification failed) header.i=_at_opendkim.org
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org;
        s=mail2010; t=1280745029; x=1280831429;
        bh=SXsrVrRIAAz9ES/yfFYwknCoueE4fc8QHgJXjEggp5o=;
        h=Message-Id:Date:To:From:Subject:Mime-Version:Content-Type:Sender:
         List-Help:List-Unsubscribe:List-Id:List-Subscribe:List-Owner:
         List-Post:Cc;
        b=r+yBfctFk41xuqod1U0s/Y55aO0UBuHn3zLEwCcGcVNius5pSFPU9kmIyCiAlAbOH
         JCqdqgtGbiGLNhKGVYRARPboOkMsVQqeezFN9J5TN4jcR5BNpA6nrUmqbHVSitI9Xl
         0JUQrSLth/CaoMMtmrVs5S8Ox1GdXtojipd8LegA=
Message-Id: <6.2.5.6.2.20100802030851.0973c670_at_elandnews.com>
Date: Mon, 02 Aug 2010 03:29:22 -0700
To: opendkim-users_at_lists.opendkim.org
From: SM <sm_at_resistor.net>
Subject: Rejected messages from the mailing list
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Sender: opendkim-users-bounce_at_lists.opendkim.org
List-Help: <mailto:listria_at_lists.opendkim.org?Subject=help>
List-Unsubscribe: <mailto:opendkim-users-request_at_lists.opendkim.org?Subject=unsubscribe>
List-Id: <opendkim-users.lists.opendkim.org>
List-Subscribe: <mailto:opendkim-users-request_at_lists.opendkim.org?Subject=subscribe>
List-Owner: <mailto:listria+admin_at_lists.opendkim.org>
List-Post: <mailto:opendkim-users_at_lists.opendkim.org>
Received on Mon Aug 02 2010 - 12:37:55 PST
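
The ADSP decision discussed in this thread, as an added example that is not part of the original message and is not zdkimfilter's code. It compares a verifier that looks only at the top-most signature with one that orders all signatures (author, whitelisted, sender, helo) and takes the first verified one. The domains are constructed, and the rule that a whitelisted signer bypasses ADSP is an assumption inferred from the message.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sig:
    domain: str   # d= tag of one DKIM-Signature field
    valid: bool   # did that signature verify?

def rank(sig, author, whitelist, sender, helo):
    """Priority described in the message: author, whitelisted, sender, helo."""
    d = sig.domain.lower()
    tests = (d == author, d in whitelist, d == sender, d == helo)
    return next((i for i, hit in enumerate(tests) if hit), len(tests))

def adsp_action(sigs, author, adsp, whitelist=frozenset(), sender="", helo="",
                top_only=False):
    """Decide what to do with a message under the author's ADSP practice.

    sigs is in header order (top-most first). top_only=True models a verifier
    that looks at the first DKIM-Signature field only.
    """
    author = author.lower()
    candidates = sigs[:1] if top_only else sigs
    ordered = sorted(candidates,
                     key=lambda s: rank(s, author, whitelist, sender, helo))
    chosen = next((s for s in ordered if s.valid), None)  # first verified
    if chosen is not None:
        d = chosen.domain.lower()
        if d == author:        # Author Domain Signature: ADSP is satisfied
            return "accept"
        if d in whitelist:     # assumed: a whitelisted signer bypasses ADSP
            return "accept"
    return {"all": "reject", "discardable": "discard"}.get(adsp, "accept")

# Constructed sample: list.example re-signs mail from author.example (dkim=all).
LIST_TOP_AUTHOR_OK = [Sig("list.example", True), Sig("author.example", True)]
AUTHOR_BROKEN = [Sig("list.example", True), Sig("author.example", False)]
BOTH_BROKEN = [Sig("list.example", False), Sig("author.example", False)]
WL = frozenset({"list.example"})

if __name__ == "__main__":
    a = "author.example"
    print(adsp_action(LIST_TOP_AUTHOR_OK, a, "all", top_only=True))
    print(adsp_action(LIST_TOP_AUTHOR_OK, a, "all"))
    print(adsp_action(AUTHOR_BROKEN, a, "all"))
    print(adsp_action(AUTHOR_BROKEN, a, "all", whitelist=WL))
    print(adsp_action(BOTH_BROKEN, a, "all", whitelist=WL))
```

The last case is the one the message warns about: once the list's own signature also fails, a whitelist keyed on the signing domain no longer protects list traffic.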