Debugging DKIM verification failures

From: Yang Zhang <yanghatespam_at_gmail.com>
Date: Thu, 4 Nov 2010 16:26:51 -0700

Hi, I've been spending a while on a couple of problems, and I thought I'd
turn here for help. To summarize, I'm wondering why there are messages
about bad signatures, and why verifications are coming out 'fail' or
'neutral'. Details follow.

I'm using opendkim-2.0.2+dfsg-0ubuntu1 with postfix 2.7.0-1 (all from
apt) on a current Ubuntu 10.04, and I'm getting a bunch of syslog
messages like the following:

<<<
opendkim[664]: A522C4E379 s=gamma d=gmail.com SSL error:04077068:rsa
routines:RSA_verify:bad signature
...
opendkim[664]: CFB494E4B6 s=salesforce.dkim d=salesforce.com SSL
error:04077068:rsa routines:RSA_verify:bad signature
...
opendkim[664]: B78CF4E88C s=081107 d=returnpath.net SSL
error:04077068:rsa routines:RSA_verify:bad signature
>>>

Example (from gmail.com, via returnpath.net):

<<<
opendkim[664]: 7B8C44E4BF smtp.corp.returnpath.net [38.109.196.7] not internal
opendkim[664]: 7B8C44E4BF not authenticated
opendkim[664]: 7B8C44E4BF s=gamma d=gmail.com SSL error:04077068:rsa
routines:RSA_verify:bad signature
opendkim[664]: 7B8C44E4BF: bad signature data
>>>

with opendkim outputting 'neutral' on the corresponding email:

<<<
Authentication-Results: destination.com; dkim=neutral
        (verification failed; insecure key) header.i=_at_gmail.com;
        dkim-adsp=none (insecure policy)
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:subject:from:content-type
         :x-mailer:message-id:date:to:content-transfer-encoding:mime-version;
        bh=pgwFPKrpYZ1JcFguynO7G3LQQonPJ4LjnctB0wr8hU4=;
        b=n5qTniyqO/byacPoaG5oBa5E836B4/B764J29ttn4UjavJUoK7vUBccGQU0EKbBmXB
         kzXvXHNalwcO7KQSUPqM7I6JxchWSNaBbxMbtV6Xkx7c6DBVmhsrt5MNtKOPjkO31Gyr
         lTmrbNU9u/WkdoDBq2XwNcBDXw3h8PWGlVoZw=
>>>

Another example (from returnpath.net):

<<<
opendkim[664]: B78CF4E88C smtp.corp.returnpath.net [38.109.196.7] not internal
opendkim[664]: B78CF4E88C not authenticated
opendkim[664]: B78CF4E88C s=081107 d=returnpath.net SSL
error:04077068:rsa routines:RSA_verify:bad signature
opendkim[664]: B78CF4E88C: bad signature data
>>>

with the email getting 'fail':

<<<
Authentication-Results: destination.com; dkim=fail
        (verification failed; insecure key) header.i=_at_returnpath.net;
        dkim-adsp=none (insecure policy)
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=returnpath.net;
        s=081107; t=1288879270;
        bh=KZ3lLEhH8jNi5CmsOFsy2pYCr1JChQ/8LaG/pnlBngk=;
        h=From:To:Subject:Date:Message-Id;
        b=dr9lNpcijm7a6dohZyTJzayoCXYXfGGeHhJ+nDMPXXiH9XfH8opG/la9hlUsK8zot
         XbX9wP9TZdSrA764L0VkBwBjOp5mEaAwByAUQbJFOZxhr6ykJkVD70T0dwdHHOg2+M
         ngqr+2zrt9f5IEq8YT6a02Tf+pwkh8FQJOrmTTFg=
>>>

According to http://tools.ietf.org/html/rfc5451:

<<<
   fail: The message was signed and the signature or signatures were
      acceptable to the verifier, but they failed the verification
      test(s).

   neutral: The message was signed but the signature or signatures
      contained syntax errors or were not otherwise able to be
      processed. This result SHOULD also be used for other failures not
      covered elsewhere in this list.
>>>

Shouldn't both examples above have resulted in neutral, given that
both had what opendkim identifies as bad signatures?

Not all messages are getting this treatment. The following email is
from gmail.com, directly:

<<<
Nov 3 12:09:47 ip-10-162-226-167 opendkim[664]: E4EB64E884
mail-gx0-f182.google.com [209.85.161.182] not internal
Nov 3 12:09:47 ip-10-162-226-167 opendkim[664]: E4EB64E884 not authenticated
>>>

with the headers:

<<<
Authentication-Results: destination.com; dkim=pass
        (1024-bit key; insecure key) header.i=_at_gmail.com; dkim-adsp=pass
...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:mime-version:received:in-reply-to
         :references:from:date:message-id:subject:to:cc:content-type;
        bh=kjBYW2EbN8CtuVV3W79wQAjKhodGJuzRfnDc3abQM88=;
        b=fL1WRCAU6n4ArXzp3BDtHsDwo649IpGEPJfWNkJYXg/nmzUeGrw/JPuHzL/lohsPTW
         NuiT9JwUvTzsUgRNdAKsadLKGHlIcb3AQpVwlopSdwly/ITfL1WRrSy8m6F84cNcRkoP
         q598sqlwbGFjN5fCUlXMxLLj/Rv/ND6aSRNC8=
>>>

Why is the gmail-via-returnpath email getting a bad signature, when
emails directly from gmail are getting verified fine? (The
gmail-produced DKIM-Signatures seem formatted identically in both.)

Are there simple ways I can verify independently or manually that the
signatures are bad (e.g. on the command line)? Or otherwise gather
more information on what precisely is bad about the signatures?

As another data point, I tried another DKIM implementation
(http://hewgill.com/pydkim/), and while it doesn't complain about the
signatures being bad (it might just be incapable of doing that), it
also fails the gmail-via-returnpath example and the returnpath
example, while passing the gmail example. I'm mainly wondering if
there's something I'm misconfiguring either in Postfix or in OpenDKIM
that may be causing this mayhem.

Here is my /etc/opendkim.conf:

<<<
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain example.com
#KeyFile /etc/mail/dkim.key
#Selector 2007

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
#Mode sv
#SubDomains no
#ADSPDiscard no
>>>

/etc/postfix/main.cf:

<<<
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtp_tls_loglevel=1
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_cert_file=/etc/ssl/certs/destination.crt
smtpd_tls_key_file=/etc/ssl/private/destination.key
smtpd_tls_loglevel=1
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
myhostname = destination.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = destination.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_mailbox_domains = destination.com invalid.invalid
virtual_mailbox_base = /var/mail/pod
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/valiases
virtual_minimum_uid = 100
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
sender_bcc_maps = hash:/etc/postfix/bccmaps
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions =
  permit_sasl_authenticated
  permit_mynetworks
  reject_unauth_destination
  check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600
>>>

/etc/postfix/master.cf:

<<<
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
        -o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
policyd-spf unix - n n - - spawn
  user=nobody argv=/usr/bin/policyd-spf
>>>

Thanks a lot in advance for any hints.
--
Yang Zhang
http://yz.mit.edu/
Received on Thu Nov 04 2010 - 23:27:28 PST
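One way to narrow down "what precisely is bad about the signatures" by hand is to recompute the body hash (the bh= tag) under the body canonicalization named in c= and compare it with the signed value, since bh covers only the body: a mismatch shows the body was changed between signer and verifier (a relay appending a footer, collapsing whitespace, or rewrapping lines), while a matching bh points at the headers or the key instead. The code below is an added example, not part of the post or of OpenDKIM or pydkim; it implements RFC 6376 simple and relaxed body canonicalization for a=rsa-sha256, does not handle the l= tag, and uses a constructed message and a constructed DKIM-Signature whose b= is only a placeholder.

```python
import base64
import hashlib
import re

def canonicalize_body(body: str, method: str) -> str:
    """RFC 6376 body canonicalization ("simple" or "relaxed"); body is the text
    after the blank line that ends the headers. No l= tag support."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")  # normalize to CRLF
    if method == "relaxed":
        # Reduce runs of WSP to one SP and drop WSP at the end of each line.
        body = "\r\n".join(re.sub(r"[ \t]+", " ", ln).rstrip(" ")
                           for ln in body.split("\r\n"))
    elif method != "simple":
        raise ValueError("unknown body canonicalization: " + method)
    # Both methods: drop all trailing empty lines and end with exactly one CRLF;
    # an empty body is "\r\n" under simple but "" under relaxed.
    body = body.rstrip("\r\n") + "\r\n"
    return "" if method == "relaxed" and body == "\r\n" else body

def body_hash(body: str, method: str) -> str:
    """Base64 SHA-256 of the canonicalized body: the bh= value for a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into tags, discarding folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_body_hash(sig_value: str, body: str) -> tuple:
    """Return (match, computed_bh, signed_bh) using the body method from c=."""
    tags = parse_tags(sig_value)
    _, _, body_c = tags.get("c", "simple/simple").partition("/")
    computed = body_hash(body, body_c or "simple")  # one-part c= means simple body
    return computed == tags["bh"], computed, tags["bh"]

# Constructed sample (not from the post): the body as signed, a relaxed/relaxed
# signature built from it, and two bodies as a relay might deliver them.
ORIGINAL_BODY = "Hello,\r\n\r\nThis is  a test.\r\n\r\n\r\n"
REWRAPPED_BODY = "Hello,\r\n\r\nThis is a test.\r\n"      # whitespace collapsed
FOOTER_BODY = "Hello,\r\n\r\nThis is  a test.\r\n-- \r\nScanned by relay\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; "
             "h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY, "relaxed") +
             "; b=PLACEHOLDER")
```

Against the relaxed/relaxed signature the whitespace-collapsed body still matches, while the appended footer does not; under c=relaxed/simple (as in the returnpath.net example) even the whitespace change breaks bh.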