RE: opendkim getting hardfail with Google

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Wed, 9 Mar 2011 14:29:07 -0800

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Chris C
> Sent: Wednesday, March 09, 2011 2:00 PM
> To: opendkim-users_at_lists.opendkim.org
> Subject: Re: opendkim getting hardfail with Google
>
> So now all I need is to get this ReplaceRules directive working again
> and I should be good to go.

Once again, "z=" yields the answer.

> > DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=akc.org; s=mail;
> >        t=1299704063; bh=vxHXq7bMZ9+UHGuKBsbQKsDHmmk=;
> >        h=Date:From:Message-Id:To:Subject:Yes;
> >        z=Date:=20Wed,=209=20Mar=202011=2015:54:23=20-0500|From:=20Chris=20
> >         Callegari=20<crc_at_akc.org>|Message-Id:=20<201103092054.p29KsNaP0133
> >         19_at_akc.org>|To:=20mazzystr_at_gmail.com|Subject:=20TEST;
> >  b=rGTpDwFTI0UBddQhD/wUIjir+SGdR2w92lmhe90DTH5XzNmmWkLrZc2LpdZSJwuCt
> > fx9v513t3/tlW3GZICDDk2O3FaKQeKdM2bwBR4xhfzQ7DlhUiYJB14SU0O0aRps6gV
> >         Lnr9kIEAiOTqioMl6EgP4Vb/xke6wh2UVwMTuXu4=
> > Received: (from crc_at_localhost)
> >        by mailgate1.akc.org (8.13.8/8.13.8/Submit) id p29KsNaP013319
> >        for mazzystr_at_gmail.com; Wed, 9 Mar 2011 15:54:23 -0500
> > Date: Wed, 9 Mar 2011 15:54:23 -0500
> > From: Chris Callegari <crc_at_akc.org>
> > Message-Id: <201103092054.p29KsNaP013319_at_mailgate1.akc.org>
> > To: mazzystr_at_gmail.com
> > Subject: TEST

"z=" says you signed:

From: Chris Callegari <crc_at_akc.org>
Message-Id: <201103092054.p29KsNaP013319_at_akc.org>

But they received:

From: Chris Callegari <crc_at_akc.org>
Message-Id: <201103092054.p29KsNaP013319_at_mailgate1.akc.org>

So the rewrite rule was applied to both; this is what you want for From: but is not what you want for Message-Id; sendmail only modifies From: so that's the only one you want to modify in parallel.

The simplest thing for you to do right now is to change your rewrite rule to match your username as well as the hostname, thus:

crc_at_mailgate1.akc.org <TAB> crc_at_akc.org

But you'd have to do this for every user on your system.

Overall though, it looks like we might need to extend the "replace rules" feature to be able to control which header fields are affected or under which conditions. There are a few possible approaches, and I'd like some suggestions on which people would prefer:

1) An additional configuration item that contains a list of fields that should be processed using replacement rules; if no list is specified, we can either default to all of them or default only to those we expect to have addresses in them (from, to, cc, bcc, sender, resent-*).

2) The opposite: An additional configuration item that contains a list of fields that should be ignored during processing; by default the list is empty, or could contain things like message-id and subject that are commonly signed but not typically modified by masquerade functions of MTAs.

3) Improve use of regular expressions so that only subexpressions are changed; this means the rule would now look like this:

From: .*(_at_.*.akc.org) <TAB> @akc.org

This would apply the rule only to From: fields, and only to the part inside parentheses. This is cleaner config-wise, but it means you'd have to replicate the rule for To, Cc, and various other address-bearing header fields.

Opinions and other suggestions welcome.

-MSK
Received on Wed Mar 09 2011 - 22:29:15 PST
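
The comparison made by hand in the message above can be automated. The following is an added example, not part of the original message and not OpenDKIM code: it decodes the "z=" tag (the signer's copy of the header fields it signed) and reports every field whose received value differs. The function names are hypothetical, and the sample input is constructed from the headers quoted above as archived, with the b= data replaced by a placeholder.

```python
import re

# Constructed sample: values copied from the message above as archived (the
# archive rewrites "@" to "_at_"); the b= signature data is a placeholder.
SIGNATURE = """v=1; a=rsa-sha1; c=relaxed/simple; d=akc.org; s=mail;
    t=1299704063; bh=vxHXq7bMZ9+UHGuKBsbQKsDHmmk=;
    h=Date:From:Message-Id:To:Subject:Yes;
    z=Date:=20Wed,=209=20Mar=202011=2015:54:23=20-0500|From:=20Chris=20
     Callegari=20<crc_at_akc.org>|Message-Id:=20<201103092054.p29KsNaP0133
     19_at_akc.org>|To:=20mazzystr_at_gmail.com|Subject:=20TEST;
    b=PLACEHOLDER"""
RECEIVED = {
    "Date": "Wed, 9 Mar 2011 15:54:23 -0500",
    "From": "Chris Callegari <crc_at_akc.org>",
    "Message-Id": "<201103092054.p29KsNaP013319_at_mailgate1.akc.org>",
    "To": "mazzystr_at_gmail.com",
    "Subject": "TEST",
}

def parse_tags(sig):
    """Split a DKIM-Signature value into {tag: value}; ';' never appears raw in z=."""
    pairs = (item.partition("=") for item in sig.split(";"))
    return {name.strip(): value.strip() for name, sep, value in pairs if sep}

def decode_z(z):
    """Decode a z= value into {lowercased field name: value as the signer saw it}."""
    z = re.sub(r"\s+", "", z)  # folding whitespace is ignored inside z=
    signed = {}
    for copy in z.split("|"):  # a literal "|" inside a value is encoded as =7C
        name, _, qp = copy.partition(":")
        signed[name.lower()] = re.sub(
            r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), qp)
    return signed

def changed_fields(sig, received):
    """Return {field: (signed value, received value)} for fields that differ."""
    signed = decode_z(parse_tags(sig)["z"])
    diffs = {}
    for name, now in received.items():
        then = signed.get(name.lower())
        # Compare with whitespace runs collapsed, so refolding alone is not flagged
        if then is not None and then.split() != now.split():
            diffs[name] = (then.strip(), now)
    return diffs

if __name__ == "__main__":
    for name, (then, now) in changed_fields(SIGNATURE, RECEIVED).items():
        print(f"{name}: signed {then!r}, received {now!r}")
```

On this sample only Message-Id is reported, which matches the diagnosis in the message: the signer's view of From: agrees with what was delivered, while Message-Id does not.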
