opendkim 2.1.3 and signing subdomains

From: Richard Rognlie <rrognlie_at_gamerz.net>
Date: Thu, 26 Aug 2010 14:25:48 -0400

using SigningTable and KeyTable, I've got opendkim 2.1.3
happily signing subdomains.

/etc/mail/siglist.txt
=====================
*@gamerz.net testdkim
*@*.gamerz.net testdkim

/etc/mail/keylist.txt
=====================
testdkim gamerz.net:testdkim:/etc/mail/dkim-keys/testdkim.private


However, if I have the selector in question set up to declare
that it is not valid for signing subdomains... it still signs
them. And those signatures happily verify.


Now, I know I could fix part of this (suppress the signing of the
domain) by removing that 2nd line from the siglist.txt.

But why is the signature validating at all?

Aug 26 16:09:13 play.gamerz.net sm-mta[20636]: o7QG9DCZ020636: Milter insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.gamerz.net;\n\ts=vmh12; t=1282838953;\n\tbh=P7MYAPI7SHS+Gc0ChXlh2x6hAamE/I+JaNcVID74Pkg=;\n\th=From:To:Sender:Subject;\n\tb=OIctlWSU0cay1wH87zx57DVYmlGyI7qZSNreEBR7JjvtBSRubUEi6EykZ5VoxmawS\n\t l349sd9ryivobpGfOAKSia5k0Y4XjV6ldCJh8IU9xf1uYygmmCqYggMpKDcbAz6vA9\n\t 0ee3fQoN80yhtexiojgAKc0fGgPVLhoYxGp+7zMw=


I note that there is no "i=" clause in the signature, and looking at
the opendkim code, I see that the t=s check is done by comparing the
d= and the i=. If either is NULL, it skips the check.

Shouldn't i= default to the sender domain if missing from the dkim-signature?

I see mention of something in SignatureTable about the i= clause, but
for the life of me I can't parse what it's saying, nor can I find an
example anywhere...

        values in this data set should include one field that refers
        to a name found in the KeyTable (see above) that identifies
        which key should be used in generating the signature, and an
        optional second field naming the signer of the message that will
        be included in the "i=" tag in the generated signature.

I've tried

        *@*.gamerz.net testdkim:%

(hoping that the % would exhibit the same behaviour as mentioned in KeyTable)

but 1. I didn't get an i= flag at all, and
    2. on inspection of the code, I can't find anything that appears to
        parse the key returned from the signature table for post processing.

Or is there some option I'm not including in either the opendkim.conf or
SignatureTable or KeyTable to turn that on?



-- 
 /  \__  | Richard Rognlie / Sendmail Ninja / Gamerz.NET Lackey
 \__/  \ | http://www.gamerz.net/~rrognlie    <rrognlie at gamerz.net>
 /  \__/ | Creator of pbmserv_at_gamerz.net
 \__/    |                Helping reduce world productivity since 1994
Received on Thu Aug 26 2010 - 18:26:03 PST
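The strict-mode check the post asks about, as an added Python example (not opendkim's code): it parses a DKIM-Signature tag list, fills in the RFC 6376 default for a missing i= tag (an empty local-part, "@", then the d= domain), shows which selector record a verifier fetches (under d=, i.e. under the subdomain itself), and applies the t=s rule, which compares the i= domain only against d=. The sample header is constructed after the logged one; the key records and the b= value are placeholders.

```python
"""DKIM-Signature tag parsing and the selector t=s ("strict") rule of RFC 6376.
Added example, not opendkim's code; sample header is constructed after the one in
the post (d= is a subdomain, no i= tag), key records and b= are placeholders."""
import re

SIGNATURE_HEADER = (  # constructed; bh= copied from the post, b= a placeholder
    "v=1; a=rsa-sha256; c=simple/simple; d=test.gamerz.net;\r\n\t"
    "s=vmh12; t=1282838953;\r\n\tbh=P7MYAPI7SHS+Gc0ChXlh2x6hAamE/I+JaNcVID74Pkg=;\r\n\t"
    "h=From:To:Sender:Subject;\r\n\tb=PLACEHOLDER"
)
STRICT_KEY_RECORD = "v=DKIM1; t=s; p=PLACEHOLDER"    # constructed selector TXT record
RELAXED_KEY_RECORD = "v=DKIM1; p=PLACEHOLDER"        # same record without the t=s flag

def parse_tags(tag_list: str) -> dict:
    """Parse a tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for item in tag_list.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {item.strip()!r}")
        tags[name] = re.sub(r"\s+", "", value)
    return tags

def key_record_name(sig: dict) -> str:
    """DNS name a verifier queries: the selector under d= itself, not its parent."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def agent_identity(sig: dict) -> str:
    """i= as given, or the RFC 6376 default: empty local-part, '@', then d=."""
    return sig.get("i") or "@" + sig["d"]

def strict_violation(sig: dict, key_record: str) -> "str | None":
    """RFC 6376 3.6.1 t=s rule: the i= domain must equal d= exactly (no subdomain).
    Returns a reason on failure, None when the signature satisfies the record."""
    flags = parse_tags(key_record).get("t", "").split(":")
    if "s" not in flags:
        return None
    idomain = agent_identity(sig).rpartition("@")[2].lower()
    if idomain != sig["d"].lower():
        return f"i= domain {idomain!r} differs from d= {sig['d']!r}"
    return None  # a defaulted i= ('@' + d=) always satisfies this comparison

if __name__ == "__main__":
    sig = parse_tags(SIGNATURE_HEADER)
    print(key_record_name(sig), agent_identity(sig), strict_violation(sig, STRICT_KEY_RECORD))
```

Note that the rule only relates i= to d=; the record consulted is the one published under the subdomain named in d=, so a parent-domain selector's flags are never seen by the verifier for this signature.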
