RE: opendkim signed messages 'fail' spamassassin-based DKIM signature verification with 'OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE' ?

From: <dchilton_at_bestmail.us>
Date: Fri, 15 Apr 2011 10:15:00 -0700

hi murray,

On Fri, 15 Apr 2011 09:19 -0700, "Murray S. Kucherawy"
<msk_at_cloudmark.com> wrote:
> The Spamassassin error (that, as you found, actually is simply relayed up
> from OpenSSL) indicates to me that the key you've generated is too small
> to completely enclose a SHA hash. Since OpenDKIM completed signing, the
> key file apparently contains a private key that is large enough
> (otherwise there would be an error logged), but the verifiers think the
> public key is not. So one possibility is corruption in your public key.
> Unfortunately it's hard to determine anything else since you're tightly
> guarding your domain name and selector name.
>
> Have you tried using opendkim-testkey to verify your setup?

bingo! not size, but corruption. and, of course -- my bad.

i'd run

  opendkim-testkey -x /usr/local/etc/opendkim.conf -vv ...

originally on a shorter key, to verify my procedures, etc. all checked
OK then.

i then increased the key size, and had to split the key up into smaller,
quoted & concatenated strings to make bind9 happy.

checking THAT key now, returned,

        opendkim-testkey: keys do not match

staring at it, when splitting I'd mistakenly removed a "/" after a line
split, knee-jerk removing it as a linewrap artifact in my shell editor.

silly me.

FIXING the key, now

  opendkim-testkey -x /usr/local/etc/opendkim.conf -vv ...

checks ok, and, a test mail

 sent to my OpenDkim-savvy ISP
--> X-Truedomain-DKIM: Pass

 sent to my other, spamassassin-running server
         X-Spam-Report:
                 * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
                 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
                 *      [score: 0.0000]
--> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
--> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

which looks like i'm in business!

other than your reminder to (re)check with opendkim-testkey, nothing i'd
seen in logs, various receivers' headers, or any verifiers, had
suggested to me directly that there was a key-mismatch.

as usual, 'operator error'. thanks very much!

DChil
Received on Fri Apr 15 2011 - 17:15:17 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:17 PST
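A small offline check for the failure mode in this thread, added here as an example and not part of the original mail or of OpenDKIM: it concatenates the quoted strings of a BIND-style TXT record the way a resolver and verifier do, pulls out the p= tag, and compares the decoded bytes with the public key you meant to publish. The selector name and the 294-byte "public key" (a deterministic byte pattern, not a real RSA SubjectPublicKeyInfo) are constructed so the script runs without DNS; with a real key you would use the p= value from the .txt file written by opendkim-genkey as the reference. The corrupted record reproduces the mistake described above: one character deleted right after the split point.

```python
"""Check that a DKIM TXT record, as written in a BIND zone file, still carries
the intended public key after being split into quoted 255-byte strings."""
import base64
import binascii
import re

# Constructed stand-in for the DER SubjectPublicKeyInfo of a 2048-bit RSA key
# (294 bytes). This is a byte pattern, not a real key, so the example runs
# offline; in practice use the bytes behind the p= value from opendkim-genkey.
REFERENCE_PUBKEY = bytes((i * 7 + 3) & 0xFF for i in range(294))
REFERENCE_P = base64.b64encode(REFERENCE_PUBKEY).decode("ascii")  # 392 chars

SELECTOR = "sel2011"  # assumed selector name; the thread does not give one


def bind_txt_record(selector, p_b64, chunk=255):
    """Render a DKIM TXT RR the way BIND wants long values: several quoted
    strings inside parentheses, none longer than 255 characters."""
    full = f"v=DKIM1; k=rsa; p={p_b64}"
    pieces = [full[i:i + chunk] for i in range(0, len(full), chunk)]
    body = "\n".join(f'\t"{piece}"' for piece in pieces)
    return f"{selector}._domainkey\tIN\tTXT\t(\n{body} )\n"


def join_txt_strings(rr_text):
    """Concatenate the quoted strings of one TXT RR without separators, as a
    resolver hands the record to a DKIM verifier. Owner name, class, type and
    parentheses are unquoted and therefore ignored."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rr_text))


def parse_dkim_tags(record):
    """Split a DKIM key record into its tag=value pairs (RFC 6376 tag-list).
    Whitespace inside values is folding whitespace and is dropped."""
    tags = {}
    for field in record.split(";"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_published_key(rr_text, reference_pubkey):
    """Return (ok, reason). ok is True only when the record's p= tag decodes
    to exactly the bytes of the reference public key."""
    tags = parse_dkim_tags(join_txt_strings(rr_text))
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, f"unexpected v={tags['v']}"
    p = tags.get("p")
    if not p:
        return False, "record has no p= tag, or it is empty (revoked key)"
    try:
        published = base64.b64decode(p, validate=True)
    except binascii.Error as exc:
        return False, f"p= is not valid base64 ({exc}); {len(p)} chars"
    if published != reference_pubkey:
        return False, (f"p= decodes to {len(published)} bytes but does not "
                       f"match the reference key")
    return True, f"p= matches the reference key ({len(published)} bytes)"


GOOD_RR = bind_txt_record(SELECTOR, REFERENCE_P)

# Reproduce the mistake from the thread: the base64 character that lands
# right after the 255-byte split point is deleted as if it were a line-wrap
# artifact, leaving 391 characters instead of 392.
_BOUNDARY = 255 - len("v=DKIM1; k=rsa; p=")
BAD_P = REFERENCE_P[:_BOUNDARY] + REFERENCE_P[_BOUNDARY + 1:]
BAD_RR = bind_txt_record(SELECTOR, BAD_P)

if __name__ == "__main__":
    for label, rr in (("intact record", GOOD_RR), ("corrupted record", BAD_RR)):
        ok, reason = check_published_key(rr, REFERENCE_PUBKEY)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

The intact record passes; the corrupted one fails because 391 base64 characters can no longer be decoded to the reference bytes, which is the same mismatch opendkim-testkey reports as "keys do not match". Comparing decoded bytes rather than the base64 text also catches a value that still decodes but to a different key, and an empty p= is reported separately because RFC 6376 defines it as a revoked key rather than a broken one.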