Re: opendkim signed messages 'fail' spamassassin-based DKIM signature verification with 'OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE' ?

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Thu, 14 Apr 2011 23:24:15 -0700 (PDT)

On Thu, 14 Apr 2011, dchilton_at_bestmail.us wrote:
> i'm in the process of securing a new postfix server, and have set up
> OpenDkim v2.3.1 as a postfix milter for use in signing outbound mail.
>
> i've checked outbound email with port25.com's DKIM verifier, and it
> reports a 'neutral', claiming the message is NOT signed,
>
> ----------------------------------------------------------
> DKIM check details:
> ----------------------------------------------------------
> Result: neutral (message not signed)
> ID(s) verified:

The signature may have been missing due to configuration. Can you
reproduce this now that some signing is happening?

Your mail to this list produced the following result at the MLM:

Authentication-Results: mx.elandsys.com; dkim=pass (1024-bit key)
     header.i=_at_messagingengine.com header.b=Z6lBI2Jn; dkim-adsp=temperror

...so it looks good so far. The ADSP temperror is because of your
wildcard TXT pointing at an SPF record.

> checking further by receiving at another of my own servers, the rec'd
> message sure looks to be signed, but FAILs an inbound Spamassassin DKIM
> test. The message's headers include:
>
> [...]
>
> looking at Spamassassin's logs, i see,
>
> Apr 14 22:19:24.817 [12200] dbg: dkim: signature verification
> result: FAIL (OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE)

I haven't seen that error before, so I can't explain it. What does
Spamassassin's documentation say?

> searching, i'm not having much luck tracking this down, but suspect it's
> a misconfiguration of my opendkim.conf

Could be. What about AOL, Gmail or Yahoo mail? Do they verify your
signatures?

> any suggestions as to what to do about this?

I've never debugged against Spamassassin. Port25's autoresponder is
generally pretty accurate though, so I'd look into what might be causing
it not to sign that mail.

Can you attach your opendkim.conf and associated files?

Do the postfix logs say anything about the messages that aren't getting
signed? You may need to turn on "SyslogSuccess" in opendkim.conf to get
it to log signing activity.
Received on Fri Apr 15 2011 - 06:24:34 PST
