Re: opendkim getting hardfail with Google

From: Chris C <mazzystr_at_gmail.com>
Date: Wed, 9 Mar 2011 17:00:05 -0500

The plot thickens.

I read the man pages thoroughly. opendkim 1.2.x mentions using a
first host for masquerading and a second host for signing. All of our
hosts masquerade locally. Using that logic I went to a test host and
sent email to my google account. Lo and behold, SPF, OpenDKIM,
DomainKeys & ADSP all verify correctly.

So now all I need is to get this ReplaceRules directive working again
and I should be good to go.

Thanks,
/Chris C



On Wed, Mar 9, 2011 at 3:58 PM, Chris C <mazzystr_at_gmail.com> wrote:
> Here is an example of a failed header....
> Delivered-To: mazzystr_at_gmail.com
> Received: by 10.151.7.4 with SMTP id k4cs86653ybi;
>        Wed, 9 Mar 2011 12:54:27 -0800 (PST)
> Received: by 10.52.94.68 with SMTP id da4mr10101710vdb.275.1299704065176;
>        Wed, 09 Mar 2011 12:54:25 -0800 (PST)
> Return-Path: <crc_at_akc.org>
> Received: from mailgate1.akc.org (mail7.akc.org [74.203.101.147])
>        by mx.google.com with ESMTPS id s5si2746256vck.34.2011.03.09.12.54.23
>        (version=TLSv1/SSLv3 cipher=OTHER);
>        Wed, 09 Mar 2011 12:54:23 -0800 (PST)
> Received-SPF: pass (google.com: domain of crc_at_akc.org designates
> 74.203.101.147 as permitted sender) client-ip=74.203.101.147;
> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
> crc_at_akc.org designates 74.203.101.147 as permitted sender)
> smtp.mail=crc_at_akc.org; dkim=hardfail header.i=_at_akc.org
> Received: from mailgate1.akc.org (localhost [127.0.0.1])
>        by mailgate1.akc.org (8.13.8/8.13.8) with ESMTP id p29KsNZf013320
>        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
>        for <mazzystr_at_gmail.com>; Wed, 9 Mar 2011 15:54:23 -0500
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=akc.org; s=mail;
>        t=1299704063; bh=vxHXq7bMZ9+UHGuKBsbQKsDHmmk=;
>        h=Date:From:Message-Id:To:Subject:Yes;
>        z=Date:=20Wed,=209=20Mar=202011=2015:54:23=20-0500|From:=20Chris=20
>         Callegari=20<crc_at_akc.org>|Message-Id:=20<201103092054.p29KsNaP0133
>         19_at_akc.org>|To:=20mazzystr_at_gmail.com|Subject:=20TEST;
>        b=rGTpDwFTI0UBddQhD/wUIjir+SGdR2w92lmhe90DTH5XzNmmWkLrZc2LpdZSJwuCt
>         fx9v513t3/tlW3GZICDDk2O3FaKQeKdM2bwBR4xhfzQ7DlhUiYJB14SU0O0aRps6gV
>         Lnr9kIEAiOTqioMl6EgP4Vb/xke6wh2UVwMTuXu4=
> Received: (from crc_at_localhost)
>        by mailgate1.akc.org (8.13.8/8.13.8/Submit) id p29KsNaP013319
>        for mazzystr_at_gmail.com; Wed, 9 Mar 2011 15:54:23 -0500
> Date: Wed, 9 Mar 2011 15:54:23 -0500
> From: Chris Callegari <crc_at_akc.org>
> Message-Id: <201103092054.p29KsNaP013319_at_mailgate1.akc.org>
> To: mazzystr_at_gmail.com
> Subject: TEST
>
> testing
>
>
> Here is my opendkim.conf
> ##
> ## opendkim.conf -- configuration file for OpenDKIM filter
> ##
> ADSPAction              Continue
> ADSPNoSuchDomain        Yes
> AutoRestart             Yes
> AutoRestartRate         10/1h
> AlwaysAddARHeader       Yes
> AlwaysSignHeaders       Yes
> AutoRestart             Yes
> AutoRestartCount        10
> Canonicalization        relaxed/simple
> Diagnostics             Yes
> InternalHosts           refile:/etc/mail/dkim/internalhosts
> KeepTemporaryFiles      No
> KeyTable                /etc/mail/dkim/keytable
> LogWhy                  Yes
> MilterDebug             3
> Mode                    sv
> MTA                     MTA,MSA
> PidFile                 /var/run/opendkim/opendkim.pid
> ReplaceRules            /etc/mail/dkim/replace_rules
> Selector                mail
> SignatureAlgorithm      rsa-sha1
> SigningTable            refile:/etc/mail/dkim/signingtable
> Socket                  inet:8891_at_localhost
> Subdomains              Yes
> Syslog                  Yes
> SyslogSuccess           Yes
> TemporaryDirectory      /var/tmp/opendkim
> UserID                  opendkim
> X-Header                Yes
>
>
> Here is my /etc/mail/dkim/replace_rules
> _at_mailgate1.akc.org      @akc.org
>
>
> Here is version output from my opendkim binary
> [root_at_mailgate1 opendkim]# opendkim -V
> opendkim: OpenDKIM Filter v2.3.0
>        Compiled with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>        SMFI_VERSION 0x2
>        Supported signing algorithms:
>                rsa-sha1
>                rsa-sha256
>        Supported canonicalization algorithms:
>                relaxed
>                simple
>        Active code options:
>                _FFR_REPLACE_RULES
>        libopendkim 2.3.0:
>
>
> Thanks guys!
>
> /Chris C
>
>
> On Wed, Mar 9, 2011 at 3:53 PM, Chris C <mazzystr_at_gmail.com> wrote:
>> I thought I had this working but again something is happening.
>>
>> Do you guys have some time to assist?
>>
>> Thanks,
>> /Chris C
>>
>> On Wed, Mar 9, 2011 at 2:07 PM, Chris C <mazzystr_at_gmail.com> wrote:
>>> I went with option 3.
>>>
>>> I added this to /etc/opendkim.conf...
>>> ReplaceRules            /etc/mail/dkim/replace_rules
>>>
>>> and added this to /etc/mail/dkim/replace_rules...
>>> _at_mailgate1.akc.org      @akc.org
>>>
>>> and I get this from Google...
>>> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
>>> crc_at_akc.org designates 74.203.101.147 as permitted sender)
>>> smtp.mail=crc_at_akc.org; dkim=pass header.i=_at_akc.org
>>>
>>> Thanks for your help Gents!
>>>
>>> /Chris C
>>>
>>>
>>>
>>> On Wed, Mar 9, 2011 at 1:53 PM, Murray S. Kucherawy <msk_at_cloudmark.com> wrote:
>>>>> -----Original Message-----
>>>>> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Chris C
>>>>> Sent: Wednesday, March 09, 2011 10:34 AM
>>>>> To: Murray S. Kucherawy
>>>>> Cc: opendkim-users_at_lists.opendkim.org
>>>>> Subject: Re: opendkim getting hardfail with Google
>>>>>
>>>>> [...]
>>>>
>>>> Your configuration file confirms my suspicion.  After OpenDKIM adds your signature, which covers the From: field, sendmail is changing the From: field which immediately invalidates the signature.
>>>>
>>>>> Any ideas?
>>>>
>>>> Any of these should give you what you want:
>>>>
>>>> 1) Arrange to inject mail into sendmail in a way that won't be modified.  In your case, generate mail as "crc_at_akc.org" instead of with the longer name, which turns masquerading into a no-op.  I use alpine to read my mail at home and doing this via its configuration solved the problem for me.
>>>>
>>>> 2) Do some layered sendmail trickery.  (See the end of the top-level README for details.)
>>>>
>>>> 3) Enable the "replace rules" feature (--enable-replace_rules at compile time) and then configure them so that OpenDKIM will anticipate the rewrite sendmail will do, meaning it will sign the mail as though the rewrite had already occurred, and thus it should pass.  See "ReplaceRules" in opendkim.conf(5) for details.
>>>>
>>>> 4) Use the Lua "setup" script's odkim.replace_header() function to do the same thing.
>>>>
>>>> -MSK
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
Received on Wed Mar 09 2011 - 22:00:17 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:16 PST
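The mechanism Murray describes (the signature covers From:, sendmail masquerading rewrites From: afterwards, so the receiver's canonicalized input no longer matches) and the ReplaceRules fix can be reproduced without an MTA. The Python below is an added example, not code from the thread or from OpenDKIM. It assumes: HMAC-SHA256 with a constructed key stands in for the rsa-sha1/rsa-sha256 signature OpenDKIM produces; header input is canonicalized per RFC 6376 section 3.4.2 (relaxed, the header side of the thread's relaxed/simple); the sample headers are constructed to mirror the test message in the thread with the archive's `_at_` obfuscation turned back into `@`; and the `only=` parameter that scopes the rewrite to named fields is this example's own construction, not an OpenDKIM ReplaceRules option. The last function is the check a practitioner would run on the hardfail message: it decodes the `z=` tag (the signer's copy of the signed headers) and lists the signed fields whose delivered value differs.

```python
"""DKIM header canonicalization vs. post-signing header rewrites (added example;
HMAC stands in for RSA, sample headers are constructed from the thread)."""
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"        # stand-in for the KeyTable private key
SIGNED_FIELDS = ["Date", "From", "Message-Id", "To", "Subject"]

# Constructed to mirror the thread's test message as the milter first sees it.
ORIGINAL = [
    ("Date", "Wed, 9 Mar 2011 15:54:23 -0500"),
    ("From", "Chris Callegari <crc@mailgate1.akc.org>"),
    ("Message-Id", "<201103092054.p29KsNaP013319@mailgate1.akc.org>"),
    ("To", "mazzystr@gmail.com"),
    ("Subject", "TEST"),
]
# The replace_rules line from the thread: regex, whitespace, replacement.
REPLACE_RULES = "@mailgate1.akc.org      @akc.org\n"
# The z= tag of the hardfail DKIM-Signature quoted in the thread, '_at_' restored.
Z_TAG = ("Date:=20Wed,=209=20Mar=202011=2015:54:23=20-0500|From:=20Chris=20"
         "Callegari=20<crc@akc.org>|Message-Id:=20<201103092054.p29KsNaP0133"
         "19@akc.org>|To:=20mazzystr@gmail.com|Subject:=20TEST")


def relaxed_header(name, value):
    """RFC 6376 3.4.2 relaxed: lowercase name, unfold, collapse WSP, strip ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return name.strip().lower() + ":" + value + "\r\n"


def header_hash_input(headers, fields):
    """Bytes the signature covers, in h= order.  A listed field that is absent
    (like the stray 'Yes' in the thread's h=) contributes nothing."""
    out = ""
    for field in fields:
        found = [v for n, v in headers if n.lower() == field.lower()]
        if found:
            out += relaxed_header(field, found[-1])   # bottom-most instance
    return out.encode()


def sign(headers, fields, key=SECRET):
    """Stand-in for the signing step: HMAC over the canonicalized header input."""
    return hmac.new(key, header_hash_input(headers, fields), hashlib.sha256).hexdigest()


def verify(headers, fields, signature, key=SECRET):
    return hmac.compare_digest(sign(headers, fields, key), signature)


def apply_replace_rules(headers, rules_text, only=None):
    """Apply each 'regex  replacement' line before signing.  'only' (this
    example's own knob) limits the rewrite to named fields; None = every field."""
    rules = [line.split(None, 1) for line in rules_text.splitlines()
             if line.strip() and not line.startswith("#")]
    scope = None if only is None else {f.lower() for f in only}
    out = []
    for name, value in headers:
        if scope is None or name.lower() in scope:
            for pattern, repl in rules:
                value = re.sub(pattern, repl.strip(), value)
        out.append((name, value))
    return out


def sendmail_masquerade(headers, host="mailgate1.akc.org", masq_as="akc.org"):
    """MASQUERADE_AS: sendmail rewrites the address in From: after the milter
    has signed, and leaves Message-Id alone."""
    return [(n, v.replace("@" + host, "@" + masq_as) if n.lower() == "from" else v)
            for n, v in headers]


def survives_masquerade(signer_view):
    """Sign what the milter saw, deliver what sendmail rewrote, verify."""
    sig = sign(signer_view, SIGNED_FIELDS)
    return verify(sendmail_masquerade(ORIGINAL), SIGNED_FIELDS, sig)


def parse_z_tag(z):
    """Decode a z= copied-header list: FWS dropped, '|' separated, =XX escapes."""
    fields = []
    for item in re.sub(r"\s+", "", z).split("|"):
        name, _, value = item.partition(":")
        value = re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
        fields.append((name, value))
    return fields


def mismatched_fields(signed_copy, delivered, fields):
    """h= fields whose canonical form at signing time differs from the delivered
    header; any one of these is enough for the verifier to report a failure."""
    return [f.lower() for f in fields
            if header_hash_input(signed_copy, [f]) != header_hash_input(delivered, [f])]


if __name__ == "__main__":
    print("no rules, masqueraded after signing:", survives_masquerade(ORIGINAL))
    print("rule applied to every field        :",
          survives_masquerade(apply_replace_rules(ORIGINAL, REPLACE_RULES)))
    print("rule applied to From: only         :",
          survives_masquerade(apply_replace_rules(ORIGINAL, REPLACE_RULES, only=["From"])))
    print("thread's z= vs delivered, differing:",
          mismatched_fields(parse_z_tag(Z_TAG), sendmail_masquerade(ORIGINAL), SIGNED_FIELDS))
```

Three things worth noting from running it against the thread's own data. First, relaxed canonicalization only absorbs whitespace and case differences in field names; a changed domain in From: is a different input, so no canonicalization setting would have saved the unrewritten signature. Second, the `z=` tag of the hardfail message records Message-Id as `<...p29KsNaP013319@akc.org>` while the delivered Message-Id still reads `@mailgate1.akc.org`: the rule `@mailgate1.akc.org` matched that field too, and sendmail does not masquerade Message-Id, so `mismatched_fields` returns `['message-id']` and the "rule applied to every field" case fails exactly like the posted header. Whatever mechanism is used to anticipate the rewrite, the signer's view must match the delivered value for every field in h=, not only From:. Third, `AlwaysSignHeaders` takes a list of header field names, which is why `Yes` appears in the posted `h=` list; a listed field that does not exist contributes nothing to the hash, so that entry is harmless, but it is not doing what the config line suggests.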