RE: opendkim signed messages 'fail' spamassassin-based DKIM signature verification with 'OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE' ?

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Fri, 15 Apr 2011 09:19:12 -0700

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of dchilton_at_bestmail.us
> Sent: Friday, April 15, 2011 8:20 AM
> To: Murray S. Kucherawy
> Cc: opendkim-users_at_lists.opendkim.org
> Subject: Re: opendkim signed messages 'fail' spamassassin-based DKIM signature verification with 'OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE' ?
>
> > The signature may have been missing due to configuration. Can you
> > reproduce this now that some signing is happening?
>
> yes. it happens every time. the info i provided in the original
> message was from two immediately subsequent posts, i.e. same
> config/setup, nothing changed in between, and I got (1) the not-signed
> from port25's verifier, and (2) the FAIL from my other server's
> Spamassassin DKIM check.

If your mail is signed, then I don't know why the port25 verifier would say otherwise. In the copy of the message it returned to you, did you see a signature?

I would also try sa-test_at_sendmail.net.

The Spamassassin error (that, as you found, actually is simply relayed up from OpenSSL) indicates to me that the key you've generated is too small to completely enclose a SHA hash. Since OpenDKIM completed signing, the key file apparently contains a private key that is large enough (otherwise there would be an error logged), but the verifiers think the public key is not. So one possibility is corruption in your public key. Unfortunately it's hard to determine anything else since you're tightly guarding your domain name and selector name.

Have you tried using opendkim-testkey to verify your setup?

> Here are the headers from a message sent TO an account at that ISP
> [...]
>
> Note the FAIL,
>
> X-Truedomain-DKIM: Fail (Bad signature; failed to verify against
> domain specified key)

More than likely the message is being altered in transit, and that usually happens at your MTA because of some local rewrite that's happening.

Since you have Diagnostics enabled, you could try sending me a message directly from your test setup at msk_at_opendkim.org, and I can look at it more from there.

Received on Fri Apr 15 2011 - 16:19:26 PST
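As an added example (not from this thread or from OpenDKIM itself), here is a check of a published DKIM TXT record for the two points raised above: whether the p= public key decodes at all (corruption), and whether its RSA modulus is large enough to hold a PKCS#1 v1.5 DigestInfo, which is the condition behind OpenSSL's "data too large for key size". The DER helpers, the sample record and the non-prime test moduli are constructed here for an offline run; a real check would feed it the TXT value of `<selector>._domainkey.<domain>`.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")               # id-rsaEncryption
DIGEST_INFO_LEN = {"rsa-sha256": 19 + 32, "rsa-sha1": 15 + 20}  # DER prefix + hash bytes
def der_len(n):                        # DER length octets (short and long form)
    if n < 128:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb
def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def der_int(v):                        # positive INTEGER, leading 0x00 if high bit set
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, b if b[0] < 0x80 else b"\x00" + b)
def der_read(buf, pos=0):
    """Return (tag, body, position after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def make_spki(n, e):                   # SubjectPublicKeyInfo as published in a DKIM p= tag
    rsa_key = der_tlv(0x30, der_int(n) + der_int(e))
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))

def rsa_modulus_bits(spki):
    tag, outer, _ = der_read(spki)
    _, _alg, p = der_read(outer)                    # AlgorithmIdentifier
    bt, bitstr, _ = der_read(outer, p)              # BIT STRING; first byte = unused bits
    if tag != 0x30 or bt != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, rsa_key, _ = der_read(bitstr[1:])            # RSAPublicKey SEQUENCE
    _, n_bytes, _ = der_read(rsa_key)               # modulus INTEGER
    return int.from_bytes(n_bytes, "big").bit_length()

def check_dkim_record(txt, algorithm="rsa-sha256"):
    """Return (modulus_bits, fits_signature, meets_rfc8301) for a DKIM TXT record."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    try:
        bits = rsa_modulus_bits(base64.b64decode("".join(tags["p"].split()), validate=True))
    except (KeyError, ValueError, IndexError) as exc:
        raise ValueError(f"p= tag missing or corrupted: {exc}")
    # PKCS#1 v1.5 needs DigestInfo + 11 padding bytes; a smaller modulus is what OpenSSL rejects
    min_bits = (DIGEST_INFO_LEN[algorithm] + 11) * 8
    return bits, bits >= min_bits, bits >= 1024     # RFC 8301: signers use >= 1024-bit keys

def constructed_record(bits):          # constructed test record; modulus is NOT a real RSA key
    spki = make_spki((1 << (bits - 1)) | 1, 65537)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

`opendkim-testkey` performs the same fetch-and-decode against the live DNS record; this version only makes the size arithmetic visible.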
