Re: opendkim getting hardfail with Google

From: Chris C <mazzystr_at_gmail.com>
Date: Wed, 9 Mar 2011 15:58:36 -0500

Here is an example of a failed header....
Delivered-To: mazzystr_at_gmail.com
Received: by 10.151.7.4 with SMTP id k4cs86653ybi;
        Wed, 9 Mar 2011 12:54:27 -0800 (PST)
Received: by 10.52.94.68 with SMTP id da4mr10101710vdb.275.1299704065176;
        Wed, 09 Mar 2011 12:54:25 -0800 (PST)
Return-Path: <crc_at_akc.org>
Received: from mailgate1.akc.org (mail7.akc.org [74.203.101.147])
        by mx.google.com with ESMTPS id s5si2746256vck.34.2011.03.09.12.54.23
        (version=TLSv1/SSLv3 cipher=OTHER);
        Wed, 09 Mar 2011 12:54:23 -0800 (PST)
Received-SPF: pass (google.com: domain of crc_at_akc.org designates
74.203.101.147 as permitted sender) client-ip=74.203.101.147;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
crc_at_akc.org designates 74.203.101.147 as permitted sender)
smtp.mail=crc_at_akc.org; dkim=hardfail header.i=_at_akc.org
Received: from mailgate1.akc.org (localhost [127.0.0.1])
        by mailgate1.akc.org (8.13.8/8.13.8) with ESMTP id p29KsNZf013320
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
        for <mazzystr_at_gmail.com>; Wed, 9 Mar 2011 15:54:23 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=akc.org; s=mail;
        t=1299704063; bh=vxHXq7bMZ9+UHGuKBsbQKsDHmmk=;
        h=Date:From:Message-Id:To:Subject:Yes;
        z=Date:=20Wed,=209=20Mar=202011=2015:54:23=20-0500|From:=20Chris=20
         Callegari=20<crc_at_akc.org>|Message-Id:=20<201103092054.p29KsNaP0133
         19_at_akc.org>|To:=20mazzystr_at_gmail.com|Subject:=20TEST;
        b=rGTpDwFTI0UBddQhD/wUIjir+SGdR2w92lmhe90DTH5XzNmmWkLrZc2LpdZSJwuCt
         fx9v513t3/tlW3GZICDDk2O3FaKQeKdM2bwBR4xhfzQ7DlhUiYJB14SU0O0aRps6gV
         Lnr9kIEAiOTqioMl6EgP4Vb/xke6wh2UVwMTuXu4=
Received: (from crc_at_localhost)
        by mailgate1.akc.org (8.13.8/8.13.8/Submit) id p29KsNaP013319
        for mazzystr_at_gmail.com; Wed, 9 Mar 2011 15:54:23 -0500
Date: Wed, 9 Mar 2011 15:54:23 -0500
From: Chris Callegari <crc_at_akc.org>
Message-Id: <201103092054.p29KsNaP013319_at_mailgate1.akc.org>
To: mazzystr_at_gmail.com
Subject: TEST

testing


Here is my opendkim.conf
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
ADSPAction Continue
ADSPNoSuchDomain Yes
AutoRestart Yes
AutoRestartRate 10/1h
AlwaysAddARHeader Yes
AlwaysSignHeaders Yes
AutoRestart Yes
AutoRestartCount 10
Canonicalization relaxed/simple
Diagnostics Yes
InternalHosts refile:/etc/mail/dkim/internalhosts
KeepTemporaryFiles No
KeyTable /etc/mail/dkim/keytable
LogWhy Yes
MilterDebug 3
Mode sv
MTA MTA,MSA
PidFile /var/run/opendkim/opendkim.pid
ReplaceRules /etc/mail/dkim/replace_rules
Selector mail
SignatureAlgorithm rsa-sha1
SigningTable refile:/etc/mail/dkim/signingtable
Socket inet:8891@localhost
Subdomains Yes
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp/opendkim
UserID opendkim
X-Header Yes


Here is my /etc/mail/dkim/replace_rules
@mailgate1.akc.org @akc.org


Here is version output from my opendkim binary
[root@mailgate1 opendkim]# opendkim -V
opendkim: OpenDKIM Filter v2.3.0
        Compiled with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
        SMFI_VERSION 0x2
        Supported signing algorithms:
                rsa-sha1
                rsa-sha256
        Supported canonicalization algorithms:
                relaxed
                simple
        Active code options:
                _FFR_REPLACE_RULES
        libopendkim 2.3.0:


Thanks guys!

/Chris C


On Wed, Mar 9, 2011 at 3:53 PM, Chris C <mazzystr_at_gmail.com> wrote:
> I thought I had this working but again something is happening.
>
> Do you guys have some time to assist?
>
> Thanks,
> /Chris C
>
> On Wed, Mar 9, 2011 at 2:07 PM, Chris C <mazzystr_at_gmail.com> wrote:
>> I went with option 3.
>>
>> I added this to /etc/opendkim.conf...
>> ReplaceRules            /etc/mail/dkim/replace_rules
>>
>> and added this to /etc/mail/dkim/replace_rules...
>> @mailgate1.akc.org      @akc.org
>>
>> and I get this from Google...
>> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
>> crc_at_akc.org designates 74.203.101.147 as permitted sender)
>> smtp.mail=crc_at_akc.org; dkim=pass header.i=_at_akc.org
>>
>> Thanks for your help Gents!
>>
>> /Chris C
>>
>>
>>
>> On Wed, Mar 9, 2011 at 1:53 PM, Murray S. Kucherawy <msk_at_cloudmark.com> wrote:
>>>> -----Original Message-----
>>>> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Chris C
>>>> Sent: Wednesday, March 09, 2011 10:34 AM
>>>> To: Murray S. Kucherawy
>>>> Cc: opendkim-users_at_lists.opendkim.org
>>>> Subject: Re: opendkim getting hardfail with Google
>>>>
>>>> [...]
>>>
>>> Your configuration file confirms my suspicion.  After OpenDKIM adds your signature, which covers the From: field, sendmail is changing the From: field which immediately invalidates the signature.
>>>
>>>> Any ideas?
>>>
>>> Any of these should give you what you want:
>>>
>>> 1) Arrange to inject mail into sendmail in a way that won't be modified.  In your case, generate mail as "crc_at_akc.org" instead of with the longer name, which turns masquerading into a no-op.  I use alpine to read my mail at home and doing this via its configuration solved the problem for me.
>>>
>>> 2) Do some layered sendmail trickery.  (See the end of the top-level README for details.)
>>>
>>> 3) Enable the "replace rules" feature (--enable-replace_rules at compile time) and then configure them so that OpenDKIM will anticipate the rewrite sendmail will do, meaning it will sign the mail as though the rewrite had already occurred, and thus it should pass.  See "ReplaceRules" in opendkim.conf(5) for details.
>>>
>>> 4) Use the Lua "setup" script's odkim.replace_header() function to do the same thing.
>>>
>>> -MSK
>>>
>>>
>>>
>>>
>>
>
Received on Wed Mar 09 2011 - 20:58:48 PST
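
Added example, not part of the original message and not OpenDKIM code: with "Diagnostics Yes" the signer copies the header fields as it saw them into the z= tag, so comparing those copies with the delivered headers shows which signed field was altered after signing. The sample values are copied from the failed message above (the archive's "_at_" obfuscation is left as is); the function names are illustrative.

```python
import re

# Copied from the failed message above (constructed input for this example).
Z_TAG = (
    "Date:=20Wed,=209=20Mar=202011=2015:54:23=20-0500|From:=20Chris=20\n"
    " Callegari=20<crc_at_akc.org>|Message-Id:=20<201103092054.p29KsNaP0133\n"
    " 19_at_akc.org>|To:=20mazzystr_at_gmail.com|Subject:=20TEST"
)
DELIVERED = {
    "Date": "Wed, 9 Mar 2011 15:54:23 -0500",
    "From": "Chris Callegari <crc_at_akc.org>",
    "Message-Id": "<201103092054.p29KsNaP013319_at_mailgate1.akc.org>",
    "To": "mazzystr_at_gmail.com",
    "Subject": "TEST",
}

def decode_z(z_tag):
    """Decode a z= tag into {lowercased field name: value the signer saw}."""
    copies = {}
    # Folding whitespace inside the tag is not significant (RFC 6376 3.5).
    for item in re.sub(r"\s+", "", z_tag).split("|"):
        name, _, qp = item.partition(":")
        # DKIM-quoted-printable: "=XX" is one octet in upper-case hex.
        value = re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), qp)
        copies[name.lower()] = value
    return copies

def relaxed(value):
    """Relaxed header canonicalization of a field value (RFC 6376 3.4.2)."""
    return re.sub(r"[ \t\r\n]+", " ", value).strip()

def changed_after_signing(z_tag, delivered):
    """Return {field: (signed, delivered)} for fields that no longer match."""
    signed = decode_z(z_tag)
    diffs = {}
    for name, value in delivered.items():
        seen = signed.get(name.lower())
        if seen is not None and relaxed(seen) != relaxed(value):
            diffs[name] = (relaxed(seen), relaxed(value))
    return diffs

if __name__ == "__main__":
    for field, (signed, got) in changed_after_signing(Z_TAG, DELIVERED).items():
        print(f"{field}: signed as {signed!r}, delivered as {got!r}")
```

On this message the only field reported is Message-Id: the copy in z= ends in akc.org, while the delivered header ends in mailgate1.akc.org.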
