RE: Signing problem

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Tue, 26 Oct 2010 14:31:48 -0700

You have to do something such that what opendkim signs is the same as what people will receive. Because of the way the MTA and milter are designed, masquerading (changing the From) happens after signing, guaranteeing what people will receive is different from what you signed, and thus causing the signature to fail.

At my home domain, for example, I just make sure my mail is generated to match how sendmail would masquerade.

From: Jason Clint [mailto:nosaj_17_at_hotmail.com]
Sent: Tuesday, October 26, 2010 2:30 PM
To: Murray S. Kucherawy; opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem

OK, so if I understand you correctly, the problem is that I am sending mail as root_at_marlborosurvey.net from root_at_mail.marlborosurvey.net, and if I want to continue to send like that I have to disable sendmail's masquerade feature? Is that correct?
________________________________
From: msk_at_cloudmark.com
To: opendkim-users_at_lists.opendkim.org
Date: Tue, 26 Oct 2010 14:22:45 -0700
Subject: RE: Signing problem
The error in the log is fine; it just means it didn't find "mail.marlborosurvey.net" in the Domain list. Then it tested Subdomains and got a match, which is why the second line went away and the mail is now signed.

The signature failure is probably caused by you using sendmail's "MASQUERADE" feature. Your signing filter sees "mail.marlborosurvey.net", but I can tell from the reply that what sendmail.net sees is just "marlborosurvey.net". So what gets signed and what gets received aren't the same, so the signature will fail.

You need to turn off masquerading, or generate mail with a From: that's in the main domain, not in the "mail" subdomain.


From: Jason Clint [mailto:nosaj_17_at_hotmail.com]
Sent: Tuesday, October 26, 2010 2:20 PM
To: Murray S. Kucherawy; opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem

By the way, in case you were wondering what I did to the opendkim.conf file, I just set "subdomains yes".
________________________________
From: nosaj_17_at_hotmail.com
To: msk_at_cloudmark.com; opendkim-users_at_lists.opendkim.org
Subject: RE: Signing problem
Date: Tue, 26 Oct 2010 21:12:37 +0000

Ok so now I am getting a different error:
Received on Tue Oct 26 2010 - 21:32:31 PST
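
Added example, not part of the thread and not opendkim code: a simplified Python model of the failure discussed above, showing that a From: domain rewritten after signing changes the data the DKIM header hash covers, while whitespace and case changes do not. It assumes RFC 6376 "relaxed" header canonicalization and hashes only the signed headers (the DKIM-Signature header and the RSA step are omitted); the messages and the `masquerade` helper are constructed for illustration.

```python
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)          # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")   # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def header_hash(headers, signed=("from", "to", "subject")):
    """SHA-256 over the canonicalized signed headers (simplified: no DKIM-Signature field)."""
    by_name = {n.strip().lower(): (n, v) for n, v in headers}
    data = "".join(relaxed_header(*by_name[h]) for h in signed)
    return hashlib.sha256(data.encode()).hexdigest()

def masquerade(headers, sub="mail.marlborosurvey.net", main="marlborosurvey.net"):
    """Hypothetical model of the MTA rewriting the From: domain after the milter ran."""
    return [(n, v.replace("@" + sub, "@" + main) if n.strip().lower() == "from" else v)
            for n, v in headers]

def survives(as_signed, as_received):
    """True if the verifier would hash the same header data the signer hashed."""
    return header_hash(as_signed) == header_hash(as_received)

# Constructed sample message as the signing filter sees it.
AS_SIGNED = [
    ("From", "root <root@mail.marlborosurvey.net>"),
    ("To", "someone@example.org"),
    ("Subject", "nightly  report"),
]

# Same message after harmless transport changes (case, extra whitespace).
REFOLDED = [
    ("FROM", "root   <root@mail.marlborosurvey.net> "),
    ("To", " someone@example.org"),
    ("Subject", "nightly report"),
]

# Mail generated in the main domain from the start, so masquerading changes nothing.
PRE_MASQUERADED = masquerade(AS_SIGNED)

if __name__ == "__main__":
    print("whitespace/case only:     ", survives(AS_SIGNED, REFOLDED))
    print("masqueraded after signing:", survives(AS_SIGNED, masquerade(AS_SIGNED)))
    print("already in main domain:   ", survives(PRE_MASQUERADED, masquerade(PRE_MASQUERADED)))
```
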
