Re: opendkim signed messages 'fail' spamassassin-based DKIM signature verification with 'OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE' ?

From: <dchilton_at_bestmail.us>
Date: Fri, 15 Apr 2011 08:19:56 -0700

hi murray,

On Thu, 14 Apr 2011 23:24 -0700, "Murray S. Kucherawy"
<msk_at_blackops.org> wrote:
> > DKIM check details:
> > ----------------------------------------------------------
> > Result: neutral (message not signed)
> > ID(s) verified:
>
> The signature may have been missing due to configuration. Can you
> reproduce this now that some signing is happening?

yes. it happens every time. the info i provided in the original
message was from two immediately subsequent posts, i.e. same
config/setup, nothing changed in between, and I got (1) the not-signed
from port25's verifier, and (2) the FAIL from my other server's
Spamassassin DKIM check.

> Your mail to this list produced the following result at the MLM:
>
> Authentication-Results: mx.elandsys.com; dkim=pass (1024-bit key)
> header.i=_at_messagingengine.com header.b=Z6lBI2Jn; dkim-adsp=temperror

Sure, that's because it's been sent from a known-to-be-working
ISP-provider's webmail system ... that has a properly set up and
functioning DKIM signature. It's not at all representative of, or
related to in any way, the issue I'm having problems with.

> > Apr 14 22:19:24.817 [12200] dbg: dkim: signature verification
> > result: FAIL (OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE)
>
> I haven't seen that error before, so I can't explain it. What does
> Spamassassin's documentation say?

Afaict, Spamassassin's documentation doesn't mention it in any way.

If you google that error,
http://www.google.com/search?q=+%22OPENSSL+ERROR%3A+DATA+TOO+LARGE+FOR+KEY+SIZE%22,
it brings up only 5 results, 3 of which are on the dkim-milter list.
I'll reread the threads, but I found questions, not answers.

Searching source trees, nothing at all in Spamassassin.

The string "DATA TOO LARGE FOR KEY SIZE" *is* found in openssl source,
./openssl/openssl-1.0.0d/crypto/rsa/rsa_err.c. I've pasted that file
here, http://pastebin.com/U8DDFDUE

> > searching, i'm not having much luck tracking this down, but suspect it's
> > a misconfiguration of my opendkim.conf
>
> Could be. What about AOL, Gmail or Yahoo mail? Do they verify your
> signatures?

Atm, don't have accounts there. But, as mentioned, I do have an account
at a known-to-be good ISP that uses Truedomain, which iiuc uses OpenDkim
in production use ...

Here are the headers from a message sent TO an account at that ISP

------------------------
...
X-DKIM: OpenDKIM Filter v2.3.1 submit.mydomain1.com 071062BE81
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=mydomain1.com; s=key1.mydomain1; t=1302877279;
        bh=ziDRZu6L4pppDdxZfoTWiCKctnXcJu+3txAkk95Dc0I=;
        h=From:To:Subject;
        z=From:=20test=20<test_at_mydomain1.com>|To:=20test=20<dchilton_at_bestmail.us>|Subject:=20TEST;
        b=f2mfQYY2YUnaAmpJnMKUXwUngBN7AaL3+7KxYrceVXVOyNW93++mNkTZ4BAEPNzbg
         KqtdWd7WxHG7brd3UmzPWgYczGo5K3IjWfB/3+ke0SEgAunSgNWO5w6kn8/nkWZSOB
         bzIShJkAD/PdE8vcG68jI7AlMQpLhG0bMoQ7NmxQ=
...
X-Truedomain-Domain: mydomain1.com
X-Truedomain-SPF: Pass
X-Truedomain-DKIM: Fail (Bad signature; failed to verify against domain
specified key)
...
------------------------

Note the FAIL,

        X-Truedomain-DKIM: Fail (Bad signature; failed to verify against
        domain specified key)

> > any suggestions as to what to do about this?
>
> I've never debugged against Spamassassin. Port25's autoresponder is
> generally pretty accurate though, so I'd look into what might be causing
> it not to sign that mail.
>
> Can you attach your opendkim.conf and associated files?

here's the conf and internal hosts. i'm not vouching at all for the
correctness of any of it; still learning what does what. anything
immediately problematic jump out at you?

cat /usr/local/etc/opendkim.conf
        Diagnostics yes
        Domain mydomain1.com
        KeyFile /etc/ssl/dkim/dkim.mydomain1.com.pem
        LogWhy yes
        Quarantine no
        ReportAddress "DCh" <dchilton_at_bestmail.us>
        ResolverTracing no
        Selector key1.mydomain1
        Socket inet:9999_at_localhost
        Syslog yes
        SyslogFacility mail
        SyslogSuccess yes
        UserID dkim:dkim
        X-Header yes

        # ADSPAction continue
        # ADSPNoSuchDomain No
        # AllowSHA1Only no
        # AlwaysAddARHeader no
        # AlwaysSignHeaders header1,header2,...
        # AuthservID example.com
        # AuthservIDWithJobId no
        # AutoRestart No
        # AutoRestartCount 0
        # AutoRestartRate n/tu
        Background Yes
        # BaseDirectory /var/run/opendkim
        BodyLengths No
        Canonicalization relaxed/simple
        ClockDrift 300
        DNSTimeout 10
        DomainKeysCompat no
        # DontSignMailTo addr1,addr2,...
        EnableCoredumps no
        # ExternalIgnoreList filename
        FixCRLF no
        InternalHosts /var/db/dkim/internal_hosts
        KeepTemporaryFiles no
        # KeyTable dataset
        # LocalADSP /etc/mail/local-adsp-rules
        # MacroList foo=bar,baz=blivit
        MaximumHeaders 65536
        # MaximumSignedBytes n
        MilterDebug 0
        Minimum 0
        Mode sv
        # MTA name
        MultipleSignatures no
        # MustBeSigned header1,header2,...
        NoHeaderB no
        # OmitHeaders header1,header2,...
        # PeerList filename
        PidFile /var/run/opendkim.pid
        # POPDBFile filename
        ## QueryCache No
        # RemoveARAll No
        # RemoveARFrom host1,host2,.domain1,.domain2,...
        # RemoveOldSignatures No
        # RequiredHeaders No
        RequireSafeKeys Yes
        # ResignAll No
        # ResignMailTo dataset
        SendADSPReports No
        # SenderHeaders From
        SendReports No
        SignatureAlgorithm rsa-sha256
        SignatureTTL 0
        # SignHeaders header1,header2,...
        # SigningTable filename
        ## (NOT ENABLED) SingleAuthResult no
        StrictHeaders no
        StrictTestMode no
        SubDomains No
        TemporaryDirectory /var/tmp
        # TrustAnchorFile /var/named/trustanchor
        # UMask 022
        # UnboundConfigFile /var/named/unbound.conf

cat /var/db/dkim/internal_hosts
        127.0.0.1

> Do the postfix logs say anything about the messages that aren't getting
> signed? You may need to turn on "SyslogSuccess" in opendkim.conf to get
> it to log signing activity.

At the 'data' send stage, here's the current postfix logs, with
"SyslogSuccess" enabled,

        Apr 15 07:54:33 dchilsvr postfix/cleanup[25447]: 8B7AD2BE82:
        message-id=<>
>>> Apr 15 07:54:33 dchilsvr opendkim[25438]: 8B7AD2BE82: DKIM-Signature header added (s=key1.mydomain1, d=mydomain1.com)
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: public/cleanup
        socket: wanted attribute: status
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
        name: status
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
        value: 0
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: public/cleanup
        socket: wanted attribute: reason
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
        name: reason
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
        value: (end)
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: public/cleanup
        socket: wanted attribute: (list terminator)
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: input attribute
        name: (end)
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: >
        localhost[127.0.0.1]: 250 2.0.0 Ok: queued as 8B7AD2BE82
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: abort all milters
        Apr 15 07:54:34 dchilsvr postfix/smtpd[25442]: milter8_abort:
        abort milter inet:127.0.0.1:9999
        Apr 15 07:54:34 dchilsvr postfix/qmgr[25426]: 8B7AD2BE82:
        from=<test_at_mydomain1.com>, size=470, nrcpt=1 (queue active)
        Apr 15 07:54:36 dchilsvr postfix/smtp[25448]: 8B7AD2BE82:
        to=<dchilton_at_bestmail.us>,
        relay=in1.smtp.messagingengine.com[66.111.4.71]:25, delay=23,
        delays=21/0.02/1.7/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok:
        queued as C99F5780619)
        Apr 15 07:54:36 dchilsvr postfix/qmgr[25426]: 8B7AD2BE82:
        removed

that 'abort' looks troublesome, but looking around, i have yet to find
it identified as a problem.

looking at the source (e.g.,
http://www.opensource.apple.com/source/postfix/postfix-174/postfix/src/milter/milter8.c),
i find

        ...
     /* milter8_abort - cancel one milter's message receiving state */
        ...
     /*
      * XXX Sendmail 8 libmilter closes the MTA-to-filter socket when it finds
      * out that the SMTP client has disconnected. Because of this, Postfix
      * has to open a new MTA-to-filter socket for each SMTP client.
      */
        ...

not sure what to make of that ...

DChil
Received on Fri Apr 15 2011 - 15:20:14 PST
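The OpenSSL reason string quoted in this thread, DATA TOO LARGE FOR KEY SIZE (RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE in rsa_err.c), is raised when the input handed to an RSA operation is longer than the key's modulus, so the first thing to check when a verifier reports it is whether the length of the b= value matches the size of the key the selector actually publishes. The check below is an added example, not code from the thread, OpenDKIM or SpamAssassin: it decodes the b= from the DKIM-Signature shown above and compares it with the modulus in a p= record; the TXT record is built from a constructed throwaway modulus, not mydomain1.com's real key.

```python
import base64
import re

# DKIM-Signature from the thread above (z= tag omitted; folding kept).
DKIM_SIG = """v=1; a=rsa-sha256; c=relaxed/simple;
        d=mydomain1.com; s=key1.mydomain1; t=1302877279;
        bh=ziDRZu6L4pppDdxZfoTWiCKctnXcJu+3txAkk95Dc0I=;
        h=From:To:Subject;
        b=f2mfQYY2YUnaAmpJnMKUXwUngBN7AaL3+7KxYrceVXVOyNW93++mNkTZ4BAEPNzbg
         KqtdWd7WxHG7brd3UmzPWgYczGo5K3IjWfB/3+ke0SEgAunSgNWO5w6kn8/nkWZSOB
         bzIShJkAD/PdE8vcG68jI7AlMQpLhG0bMoQ7NmxQ="""

RSA_OID = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL

def tag_value(header, tag):
    """Value of tag= in a DKIM tag list, with folding whitespace removed."""
    m = re.search(r'(?:^|;)\s*' + tag + r'\s*=\s*([^;]*)', header)
    if not m:
        raise ValueError("missing tag %s=" % tag)
    return re.sub(r'\s+', '', m.group(1))

def der(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, pos, pos + length

def rsa_modulus_bytes(spki_der):
    """Modulus length in bytes from a SubjectPublicKeyInfo (the p= value)."""
    _, s, _ = der_tlv(spki_der, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = der_tlv(spki_der, s)      # AlgorithmIdentifier, skipped
    tag, bs, _ = der_tlv(spki_der, alg_end)   # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03, "expected BIT STRING"
    _, ps, _ = der_tlv(spki_der, bs + 1)      # skip unused-bits octet, then SEQUENCE
    tag, ms, me = der_tlv(spki_der, ps)       # INTEGER modulus n
    assert tag == 0x02, "expected INTEGER"
    return len(spki_der[ms:me].lstrip(b'\x00'))  # drop DER sign byte

def constructed_txt_record(modulus_bits):
    """Constructed DKIM TXT record with a throwaway modulus (NOT a real key)."""
    def der_int(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, 'big')
        return der(0x02, (b'\x00' if b[0] & 0x80 else b'') + b)
    n, e = (1 << (modulus_bits - 1)) | 1, 65537   # top bit set like a real modulus
    rsa_pub = der(0x30, der_int(n) + der_int(e))
    spki = der(0x30, der(0x30, RSA_OID) + der(0x03, b'\x00' + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def check_key_size(dkim_signature, txt_record):
    """Return (signature_bytes, modulus_bytes, lengths_match)."""
    sig = base64.b64decode(tag_value(dkim_signature, 'b'))
    mod = rsa_modulus_bytes(base64.b64decode(tag_value(txt_record, 'p')))
    return len(sig), mod, len(sig) == mod
```

A mismatch (for instance a 128-byte signature against a 512-bit published key) is the condition to rule out before digging into canonicalization or milter behaviour; in real use replace the constructed record with the TXT record fetched for key1.mydomain1._domainkey.mydomain1.com.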
