hi murray,
On Thu, 14 Apr 2011 23:24 -0700, "Murray S. Kucherawy"
<msk_at_blackops.org> wrote:
> > DKIM check details:
> > ----------------------------------------------------------
> > Result: neutral (message not signed)
> > ID(s) verified:
>
> The signature may have been missing due to configuration. Can you
> reproduce this now that some signing is happening?
yes. it happens every time. the info i provided in the original
message was from two immediately subsequent posts, i.e. same
config/setup, nothing changed in between, and I got (1) the not-signed
from port25's verifier, and (2) the FAIL from my other server's
Spamassassin DKIM check.
> Your mail to this list produced the following result at the MLM:
>
> Authentication-Results: mx.elandsys.com; dkim=pass (1024-bit key)
> header.i=_at_messagingengine.com header.b=Z6lBI2Jn; dkim-adsp=temperror
Sure, that's because it's been sent from a known to be working,
ISP-provider's webmail system ... that has a properly setup and
functioning DKIM signature. It's not at all representative of, or
related to in any way, the issue I'm having problems with.
> > Apr 14 22:19:24.817 [12200] dbg: dkim: signature verification
> > result: FAIL (OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE)
>
> I haven't seen that error before, so I can't explain it. What does
> Spamassassin's documentation say?
Afaict, Spamassassin's documentation doesn't mention it in any way.
If you google that error,
http://www.google.com/search?q=+%22OPENSSL+ERROR%3A+DATA+TOO+LARGE+FOR+KEY+SIZE%22,
it brings up only 5 results, 3 of which are on the dkim-milter list.
I'll reread the threads, but I found questions, not answers.
Searching source trees, nothing at all in Spamassassin.
The string "DATA TOO LARGE FOR KEY SIZE" *is* found in openssl source,
./openssl/openssl-1.0.0d/crypto/rsa/rsa_err.c. I've pasted that file
here,
http://pastebin.com/U8DDFDUE
> > searching, i'm not having much luck tracking this down, but suspect it's
> > a misconfiguration of my opendkim.conf
>
> Could be. What about AOL, Gmail or Yahoo mail? Do they verify your
> signatures?
Atm, don't have accounts there. But, as mentioned, I do have an account
at a known-to-be good ISP that uses Truedomain, which iiuc uses OpenDkim
in production use ...
Here are the headers from a message sent TO an account at that ISP
------------------------
...
X-DKIM: OpenDKIM Filter v2.3.1 submit.mydomain1.com 071062BE81
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=mydomain1.com; s=key1.mydomain1; t=1302877279;
bh=ziDRZu6L4pppDdxZfoTWiCKctnXcJu+3txAkk95Dc0I=;
h=From:To:Subject;
z=From:=20test=20<test_at_mydomain1.com>|To:=20test=20<dchilton_at_bestmail.us>|Subject:=20TEST;
b=f2mfQYY2YUnaAmpJnMKUXwUngBN7AaL3+7KxYrceVXVOyNW93++mNkTZ4BAEPNzbg
KqtdWd7WxHG7brd3UmzPWgYczGo5K3IjWfB/3+ke0SEgAunSgNWO5w6kn8/nkWZSOB
bzIShJkAD/PdE8vcG68jI7AlMQpLhG0bMoQ7NmxQ=
...
X-Truedomain-Domain: mydomain1.com
X-Truedomain-SPF: Pass
X-Truedomain-DKIM: Fail (Bad signature; failed to verify against domain
specified key)
...
------------------------
Note the FAIL,
X-Truedomain-DKIM: Fail (Bad signature; failed to verify against
domain specified key)
> > any suggestions as to what to do about this?
>
> I've never debugged against Spamassassin. Port25's autoresponder is
> generally pretty accurate though, so I'd look into what might be causing
> it not to sign that mail.
>
> Can you attach your opendkim.conf and associated files?
here's the conf and internal hosts. i'm not vouching at all for the
correctness of any of it; still learning what does what. anything
immediately problematic jump out at you?
cat /usr/local/etc/opendkim.conf
Diagnostics yes
Domain mydomain1.com
KeyFile /etc/ssl/dkim/dkim.mydomain1.com.pem
LogWhy yes
Quarantine no
ReportAddress "DCh" <dchilton_at_bestmail.us>
ResolverTracing no
Selector key1.mydomain1
Socket inet:9999_at_localhost
Syslog yes
SyslogFacility mail
SyslogSuccess yes
UserID dkim:dkim
X-Header yes
# ADSPAction continue
# ADSPNoSuchDomain No
# AllowSHA1Only no
# AlwaysAddARHeader no
# AlwaysSignHeaders header1,header2,...
# AuthservID example.com
# AuthservIDWithJobId no
# AutoRestart No
# AutoRestartCount 0
# AutoRestartRate n/tu
Background Yes
# BaseDirectory /var/run/opendkim
BodyLengths No
Canonicalization relaxed/simple
ClockDrift 300
DNSTimeout 10
DomainKeysCompat no
# DontSignMailTo addr1,addr2,...
EnableCoredumps no
# ExternalIgnoreList filename
FixCRLF no
InternalHosts /var/db/dkim/internal_hosts
KeepTemporaryFiles no
# KeyTable dataset
# LocalADSP /etc/mail/local-adsp-rules
# MacroList foo=bar,baz=blivit
MaximumHeaders 65536
# MaximumSignedBytes n
MilterDebug 0
Minimum 0
Mode sv
# MTA name
MultipleSignatures no
# MustBeSigned header1,header2,...
NoHeaderB no
# OmitHeaders header1,header2,...
# PeerList filename
PidFile /var/run/opendkim.pid
# POPDBFile filename
## QueryCache No
# RemoveARAll No
# RemoveARFrom host1,host2,.domain1,.domain2,...
# RemoveOldSignatures No
# RequiredHeaders No
RequireSafeKeys Yes
# ResignAll No
# ResignMailTo dataset
SendADSPReports No
# SenderHeaders From
SendReports No
SignatureAlgorithm rsa-sha256
SignatureTTL 0
# SignHeaders header1,header2,...
# SigningTable filename
## (NOT ENABLED) SingleAuthResult no
StrictHeaders no
StrictTestMode no
SubDomains No
TemporaryDirectory /var/tmp
# TrustAnchorFile /var/named/trustanchor
# UMask 022
# UnboundConfigFile /var/named/unbound.conf
cat /var/db/dkim/internal_hosts
127.0.0.1
> Do the postfix logs say anything about the messages that aren't getting
> signed? You may need to turn on "SyslogSuccess" in opendkim.conf to get
> it to log signing activity.
At the 'data' send stage, here's the current postfix logs, with
"SyslogSuccess" enabled,
Apr 15 07:54:33 dchilsvr postfix/cleanup[25447]: 8B7AD2BE82:
message-id=<>
>>> Apr 15 07:54:33 dchilsvr opendkim[25438]: 8B7AD2BE82: DKIM-Signature header added (s=key1.mydomain1, d=mydomain1.com)
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: public/cleanup
socket: wanted attribute: status
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
name: status
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
value: 0
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: public/cleanup
socket: wanted attribute: reason
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
name: reason
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
value: (end)
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: public/cleanup
socket: wanted attribute: (list terminator)
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
name: (end)
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: >
localhost[127.0.0.1]: 250 2.0.0 Ok: queued as 8B7AD2BE82
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: abort all milters
Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: milter8_abort:
abort milter inet:127.0.0.1:9999
Apr 15 07:54:34 dchilsvr postfix/qmgr[25426]: 8B7AD2BE82:
from=<test_at_mydomain1.com>, size=470, nrcpt=1 (queue active)
Apr 15 07:54:36 dchilsvr postfix/smtp[25448]: 8B7AD2BE82:
to=<dchilton_at_bestmail.us>,
relay=in1.smtp.messagingengine.com[66.111.4.71]:25, delay=23,
delays=21/0.02/1.7/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok:
queued as C99F5780619)
Apr 15 07:54:36 dchilsvr postfix/qmgr[25426]: 8B7AD2BE82:
removed
that 'abort' looks troublesome, but looking around, i have yet to find
it identified as a problem.
looking at the source (e.g.,
http://www.opensource.apple.com/source/postfix/postfix-174/postfix/src/milter/milter8.c),
i find
...
/* milter8_abort - cancel one milter's message receiving state */
...
/*
 * XXX Sendmail 8 libmilter closes the MTA-to-filter socket when it finds
 * out that the SMTP client has disconnected. Because of this, Postfix
 * has to open a new MTA-to-filter socket for each SMTP client.
 */
...
not sure what to make of that ...
DChil
Received on Fri Apr 15 2011 - 15:20:14 PST
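The "DATA TOO LARGE FOR KEY SIZE" string in the SpamAssassin log above is what OpenSSL's RSA padding code raises when the input to an RSA operation is longer than the key's modulus, so a DKIM verifier hits it when the decoded b= signature is longer than the public key it fetched from the selector's TXT record. The Python below is an added example, not code from the thread, OpenDKIM or SpamAssassin: it runs that length test against the signature quoted above and two constructed TXT records; the key1.mydomain1._domainkey.mydomain1.com name follows the DKIM selector convention from the s= and d= tags, and the record contents are constructed placeholders, not the poster's real DNS data.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption, DER TLV

def _tlv(buf, pos=0):  # minimal DER reader: (tag, value, offset past the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def modulus_bits(p_tag):  # modulus size of the SubjectPublicKeyInfo in a DKIM p= tag
    _, spki, _ = _tlv(base64.b64decode(p_tag))
    _, _alg, pos = _tlv(spki)        # AlgorithmIdentifier (rsaEncryption)
    _, bitstr, _ = _tlv(spki, pos)   # BIT STRING; octet 0 is the unused-bits count
    _, rsa_pub, _ = _tlv(bitstr, 1)  # RSAPublicKey SEQUENCE { n, e }
    _, n, _ = _tlv(rsa_pub)
    return int.from_bytes(n, "big").bit_length()

def _tags(text):  # split 'k=v; k=v' lists (DKIM-Signature header or DNS TXT record)
    return dict(t.strip().split("=", 1) for t in text.split(";") if "=" in t)

def signature_bytes(header):  # decode the b= tag of a (possibly folded) DKIM-Signature
    unfolded = "".join(line.strip() for line in header.splitlines())
    return base64.b64decode("".join(_tags(unfolded)["b"].split()))

def check_key_size(header, txt_record):  # the OpenSSL length test: signature vs modulus
    sig_len = len(signature_bytes(header))
    key_len = (modulus_bits(_tags(txt_record)["p"].strip()) + 7) // 8
    verdict = "DATA TOO LARGE FOR KEY SIZE" if sig_len > key_len else "sizes agree"
    return sig_len, key_len, verdict

def _der(tag, body):  # minimal DER writer, used only to build the constructed sample record
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def constructed_p_tag(bits):  # p= value with a `bits`-long modulus; CONSTRUCTED, not a real key
    n = b"\x00" + ((1 << (bits - 1)) | 0x10001).to_bytes(bits // 8, "big")
    rsa_pub = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" + rsa_pub))
    return base64.b64encode(spki).decode()

SAMPLE_HEADER = (  # signature copied from the thread above (z= tag omitted), folded as in the message
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;\n\td=mydomain1.com;"
    " s=key1.mydomain1; t=1302877279;\n\tbh=ziDRZu6L4pppDdxZfoTWiCKctnXcJu+3txAkk95Dc0I=;\n"
    "\th=From:To:Subject;\n\tb=f2mfQYY2YUnaAmpJnMKUXwUngBN7AaL3+7KxYrceVXVOyNW93++mNkTZ4BAEPNzbg\n"
    "\tKqtdWd7WxHG7brd3UmzPWgYczGo5K3IjWfB/3+ke0SEgAunSgNWO5w6kn8/nkWZSOB\n\tbzIShJkAD/PdE8vcG68jI7AlMQpLhG0bMoQ7NmxQ=")
# Constructed key1.mydomain1._domainkey.mydomain1.com records: a 512-bit key reproduces the error
SHORT_KEY_TXT = "v=DKIM1; k=rsa; p=" + constructed_p_tag(512)
MATCHING_KEY_TXT = "v=DKIM1; k=rsa; p=" + constructed_p_tag(1024)
```

The quoted signature decodes to 128 bytes, i.e. a 1024-bit signing key, so the same check against the live record (dig TXT key1.mydomain1._domainkey.mydomain1.com) tells you whether the key published in DNS is the one OpenDKIM actually signs with.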