Re: opendkim getting hardfail with Google

From: Rolf E. Sonneveld <R.E.Sonneveld_at_sonnection.nl>
Date: Thu, 10 Mar 2011 00:11:01 +0100

Hi, Murray,

On 3/9/11 11:29 PM, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Chris C
>> Sent: Wednesday, March 09, 2011 2:00 PM
>> To: opendkim-users_at_lists.opendkim.org
>> Subject: Re: opendkim getting hardfail with Google
>>
>> So now all I need is to get this ReplaceRules directive working again
>> and I should be good to go.
> Once again, "z=" yields the answer.
>
>>> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=akc.org; s=mail;
>>> t=1299704063; bh=vxHXq7bMZ9+UHGuKBsbQKsDHmmk=;
>>> h=Date:From:Message-Id:To:Subject:Yes;
>>> z=Date:=20Wed,=209=20Mar=202011=2015:54:23=20-0500|From:=20Chris=20
>>> Callegari=20<crc_at_akc.org>|Message-Id:=20<201103092054.p29KsNaP0133
>>> 19_at_akc.org>|To:=20mazzystr_at_gmail.com|Subject:=20TEST;
>>> b=rGTpDwFTI0UBddQhD/wUIjir+SGdR2w92lmhe90DTH5XzNmmWkLrZc2LpdZSJwuCt
>>> fx9v513t3/tlW3GZICDDk2O3FaKQeKdM2bwBR4xhfzQ7DlhUiYJB14SU0O0aRps6gV
>>> Lnr9kIEAiOTqioMl6EgP4Vb/xke6wh2UVwMTuXu4=
>>> Received: (from crc_at_localhost)
>>> by mailgate1.akc.org (8.13.8/8.13.8/Submit) id p29KsNaP013319
>>> for mazzystr_at_gmail.com; Wed, 9 Mar 2011 15:54:23 -0500
>>> Date: Wed, 9 Mar 2011 15:54:23 -0500
>>> From: Chris Callegari<crc_at_akc.org>
>>> Message-Id:<201103092054.p29KsNaP013319_at_mailgate1.akc.org>
>>> To: mazzystr_at_gmail.com
>>> Subject: TEST
> "z=" says you signed:
>
> From: Chris Callegari<crc_at_akc.org>
> Message-Id:<201103092054.p29KsNaP013319_at_akc.org>
>
> But they received:
>
> From: Chris Callegari<crc_at_akc.org>
> Message-Id:<201103092054.p29KsNaP013319_at_mailgate1.akc.org>
>
> So the rewrite rule was applied to both; this is what you want for From: but is not what you want for Message-Id; sendmail only modifies From: so that's the only one you want to modify in parallel.
>
> The simplest thing for you to do right now is to change your rewrite rule to match your username as well as the hostname, thus:
>
> crc_at_mailgate1.akc.org<TAB> crc_at_akc.org
>
> But you'd have to do this for every user on your system.
>
> Overall though, it looks like we might need to extend the "replace rules" feature to be able to control which header fields are affected or under which conditions. There are a few possible approaches, and I'd like some suggestions on which people would prefer:
>
> 1) An additional configuration item that contains a list of fields that should be processed using replacement rules; if no list is specified, we can either default to all of them or default only to those we expect to have addresses in them (from, to, cc, bcc, sender, resent-*).
>
> 2) The opposite: An additional configuration item that contains a list of fields that should be ignored during processing; by default the list is empty, or could contain things like message-id and subject that are commonly signed but not typically modified by masquerade functions of MTAs.
>
> 3) Improve use of regular expressions so that only subexpressions are changed; this means the rule would now look like this:
>
> From: .*(_at_.*.akc.org)<TAB> @akc.org
>
> This would apply the rule only to From: fields, and only to the part inside parentheses. This is cleaner config-wise, but it means you'd have to replicate the rule for To, Cc, and various other address-bearing header fields.
>
> Opinions and other suggestions welcome.

Although I like software that provides a lot of flexibility (and this
sure applies to OpenDKIM!) I'm not sure whether this functionality
should be part of a DKIM signing/verifying milter/filter package.
Flexibility comes with a price: complexity. IMHO, what you
describe/propose sounds like working around some shortcomings of a
particular MTA, where other MTAs (Postfix, Sun/Oracle Messaging Server
etc.) provide the hooks and options to sign the
message-as-it-is-sent-to-the-Internet, without the need to modify OpenDKIM.

I don't know the development process of Sendmail, but you mentioned
there is a long-standing enhancement request for Sendmail to do outbound
filtering; wouldn't it be an option to re-open this request and ask the
DKIM community (or those of them who are running Sendmail) to have their
name associated with the request? Maybe it will boost the priority of
this RFE and solve this problem at the MTA level.

/rolf

P.S. Another very interesting question to me is how many signature
verification failures (the stats show something like 7 percent, I
believe) are due to this type of 'misconfiguration', i.e. mail is
signed and, before final delivery, something (small) in the message
changes. I'm afraid this question will be hard to answer without a lot
of additional research.
Received on Wed Mar 09 2011 - 23:09:39 PST
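The "z=" diagnosis Murray walks through above can be automated: decode the copied header fields from the z= tag and compare each with what the verifier actually received. This is an added example, not code from the thread or from OpenDKIM; the sample z= value and received headers are constructed from the message quoted in the thread (with the archive's `_at_` restored to `@`, and a fold inserted inside the Message-Id to exercise FWS removal), and the comparison assumes relaxed header canonicalization, as in the signature's `c=relaxed/simple`.

```python
import re

# Constructed sample modelled on the thread's message: the z= tag as signed,
# including a folded line inside the Message-Id (FWS is allowed anywhere in z=).
Z_TAG = (
    "Date:=20Wed,=209=20Mar=202011=2015:54:23=20-0500|From:=20Chris=20"
    "Callegari=20<crc@akc.org>|Message-Id:=20<201103092054.p29KsNaP0133\r\n"
    " 19@akc.org>|To:=20mazzystr@gmail.com|Subject:=20TEST"
)
# Constructed: header values as the verifier saw them after sendmail's masquerading.
RECEIVED = {
    "date": "Wed, 9 Mar 2011 15:54:23 -0500",
    "from": "Chris Callegari <crc@akc.org>",
    "message-id": "<201103092054.p29KsNaP013319@mailgate1.akc.org>",
    "to": "mazzystr@gmail.com",
    "subject": "TEST",
}

def decode_dkim_qp(s: str) -> str:
    """DKIM-Quoted-Printable (RFC 6376 2.11): FWS is ignored, =XX is one hex octet."""
    s = re.sub(r"\s+", "", s)
    return re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_z_tag(z_value: str) -> dict:
    """Split z= on the literal '|' before decoding (an encoded pipe is =7C and
    survives the split); return {lower-case header name: value as signed}."""
    signed = {}
    for item in z_value.split("|"):
        if not item.strip():
            continue
        name, _, value = item.partition(":")  # first colon ends the field name
        signed[decode_dkim_qp(name).lower()] = decode_dkim_qp(value)
    return signed

def relaxed_value(v: str) -> str:
    """Relaxed header canonicalization of a value (RFC 6376 3.4.2): unfold,
    collapse whitespace runs to one space, drop leading/trailing whitespace."""
    return re.sub(r"[ \t\r\n]+", " ", v).strip()

def modified_headers(z_value: str, received: dict) -> dict:
    """Return {name: (signed_value, received_value)} for every copied header
    whose relaxed form differs from what the verifier received. An empty
    result means z= is consistent and the failure lies elsewhere (body, key)."""
    diffs = {}
    for name, signed in parse_z_tag(z_value).items():
        got = received.get(name)
        if got is None or relaxed_value(signed) != relaxed_value(got):
            diffs[name] = (signed, got)
    return diffs

if __name__ == "__main__":
    for name, (signed, got) in modified_headers(Z_TAG, RECEIVED).items():
        print(f"{name}: signed {signed!r} but received {got!r}")
```

On the sample the only reported field is message-id, matching Murray's conclusion that the rewrite rule touched Message-Id as well as From.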
