RE: opendkim getting hardfail with Google

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Wed, 9 Mar 2011 15:27:28 -0800

Hi Rolf,

> -----Original Message-----
> From: Rolf E. Sonneveld [mailto:R.E.Sonneveld_at_sonnection.nl]
> Sent: Wednesday, March 09, 2011 3:11 PM
> To: Murray S. Kucherawy
> Cc: opendkim-users_at_lists.opendkim.org
> Subject: Re: opendkim getting hardfail with Google
>
> Although I like software that provides a lot of flexibility (and this
> sure applies to OpenDKIM!) I'm not sure whether this functionality
> should be part of a DKIM signing/verifying milter/filter package.
> Flexibility comes with a price: complexity. IMHO, what you
> describe/propose, sounds like working around some shortcomings of a
> particular MTA, where other MTA's (Postfix, Sun/Oracle Messaging Server
> etc.) provide the hooks and options to sign the
> message-as-it-is-sent-to-the-Internet, without the need to modify
> OpenDKIM.

Actually this code has been present in the filter since before OpenDKIM forked from dkim-milter in 2009. This recent case has shown that this code has a flaw, so we're really fixing a bug here and not adding something totally new. Granted, though, any of the fixes will increase complexity a little.

OpenDKIM has dkim-milter at its base, and dkim-milter was written specifically for sendmail and later had stuff added to support the milter implementation in postfix. It seems strange to decide suddenly to ignore that, leaving lots of current sendmail users out in the cold.

But otherwise I agree, if sendmail would include the outbound filters feature in the MTA, all of these sorts of problems would go away. And I also agree with the general sentiment and would be hard-pressed to add MTA-specific extensions in the future. For example, I considered the idea of ignoring ADSP failures on bounces because sendmail doesn't sign its bounces, but went along with the strong consensus not to do so.

> I don't know the development process of Sendmail, but you mentioned
> there is a long-standing enhancement request for Sendmail to do outbound
> filtering; wouldn't it be an option to re-open this request and ask the
> DKIM community (or those of them who are running Sendmail) to have their
> name associated with the request? Maybe it will boost the priority of
> this RFE and solve this problem at the MTA level.

I haven't been successful at this in the past, but I can try. At last report they were deciding whether or not to put this feature into the current sendmail 8 line, or add it to their rewritten open source package. In either case I don't think the answer will be anything like "soon".

> P.S. Another very interesting question to me is, how many signature
> verification failures (the stats show something like 7 percent I
> believe) are due to this type of 'misconfigurations'; i.e. mail is
> signed and before final delivery, something (small) in the message
> changes. I'm afraid this question will be hard to answer, without a lot
> of additional research.

Based on OpenDKIM's collected statistics, the vast majority of verification failures caused by header field changes have to do with To:, not From:. It's unclear, though, whether that's a masquerading issue or something like a malformation that's corrected by some downstream MTA; for example:

        To: Murray S. Kucherawy <msk_at_cloudmark.com>

...is actually not legal, but this is:

        To: "Murray S. Kucherawy" <msk_at_cloudmark.com>

If you sign the former but it's rewritten to the latter, the signature breaks. There was no masquerading here, but rather a required syntax correction.

-MSK
Received on Wed Mar 09 2011 - 23:27:35 PST