RE: opendkim signed messages 'fail' spamassassin-based DKIM signature verification with 'OPENSSL ERROR: DATA TOO LARGE FOR KEY SIZE' ?
Hi Murray,
On Fri, 15 Apr 2011 09:19 -0700, "Murray S. Kucherawy"
<msk_at_cloudmark.com> wrote:
> The Spamassassin error (that, as you found, actually is simply relayed up
> from OpenSSL) indicates to me that the key you've generated is too small
> to completely enclose a SHA hash. Since OpenDKIM completed signing, the
> key file apparently contains a private key that is large enough
> (otherwise there would be an error logged), but the verifiers think the
> public key is not. So one possibility is corruption in your public key.
> Unfortunately it's hard to determine anything else since you're tightly
> guarding your domain name and selector name.
>
> Have you tried using opendkim-testkey to verify your setup?
Bingo! Not size, but corruption. And, of course -- my bad.
I'd run
opendkim-testkey -x /usr/local/etc/opendkim.conf -vv ...
originally on a shorter key, to verify my procedures, etc. All checked
OK then.
I then increased the key size, and had to split the key up into smaller
quoted, concatenated strings to make bind9 happy.
Checking THAT key now returned
opendkim-testkey: keys do not match
Staring at it: when splitting, I'd mistakenly removed a "/" after a line
split, knee-jerk removing it as a linewrap artifact in my shell editor.
Silly me.
FIXING the key, now
opendkim-testkey -x /usr/local/etc/opendkim.conf -vv ...
checks OK, and a test mail
sent to my OpenDKIM-savvy ISP:
--> X-Truedomain-DKIM: Pass
sent to my other, spamassassin-running server:
X-Spam-Report:
    * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
    * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
    *      [score: 0.0000]
--> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
--> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Which looks like I'm in business!
Other than your reminder to (re)check with opendkim-testkey, nothing I'd
seen in logs, various receivers' headers, or any verifiers had
suggested to me directly that there was a key mismatch.
As usual, 'operator error'. Thanks very much!
DChil
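The split-and-verify step the post describes, as an added example (Python; not code from the post or from OpenDKIM): chop the key's p= value into 255-character quoted strings the way a bind9 zone file needs them, reassemble them the way a verifier does, and compare the result against the local key file. The key bytes are a constructed placeholder rather than a real RSA key, and check_key() is an assumed approximation of the comparison behind opendkim-testkey's "keys do not match", not its implementation. The drop_chars() helper reproduces the mistake in the post (a "/" deleted at a split as if it were a wrap artifact) so the two failure shapes can be seen: a length that no longer decodes, and a record that decodes but to a different key.

```python
"""Split a DKIM public key into BIND-safe TXT strings and verify that the
published record reassembles to the key the signer uses.

Added example; not code from the post or from OpenDKIM. FAKE_DER is a
constructed placeholder (not a real RSA key), and check_key() only
approximates what opendkim-testkey compares."""
import base64
import re

MAX_TXT_STRING = 255  # one DNS <character-string> holds at most 255 bytes

# Constructed stand-in for the DER SubjectPublicKeyInfo a real key file holds.
FAKE_DER = bytes(range(256)) * 2
_b64 = base64.b64encode(FAKE_DER).decode()
FAKE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
            + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
            + "\n-----END PUBLIC KEY-----\n")


def pem_body(pem):
    """Base64 body of a PEM block: exactly the value that belongs in p=."""
    return "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))


def make_txt_strings(p_value, max_len=MAX_TXT_STRING):
    """Chop 'v=DKIM1; k=rsa; p=<base64>' into pieces of at most max_len
    characters; each piece becomes one quoted string in the zone file."""
    text = "v=DKIM1; k=rsa; p=" + p_value
    return [text[i:i + max_len] for i in range(0, len(text), max_len)]


def zone_record(strings, selector, domain):
    """Render the record as bind9 accepts it: several quoted strings that
    resolvers hand back as one concatenated TXT value."""
    quoted = " ".join('"%s"' % s for s in strings)
    return "%s._domainkey.%s. IN TXT ( %s )" % (selector, domain, quoted)


def published_key(strings):
    """What a verifier sees: concatenate the strings, parse tag=value pairs,
    and return the p= value with any whitespace removed."""
    tags = {}
    for tag in "".join(strings).split(";"):
        if "=" in tag:
            name, value = tag.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags.get("p")


B64_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def check_key(pem, strings):
    """Compare the local key file with the published record (assumed
    approximation of opendkim-testkey's comparison)."""
    local = base64.b64decode(pem_body(pem))
    p = published_key(strings)
    if p is None:
        return "no p= tag in DNS"
    if not B64_RE.fullmatch(p):
        return "bad base64 in DNS"
    try:
        remote = base64.b64decode(p)
    except ValueError:  # binascii.Error: length no longer fits base64 quads
        return "bad base64 in DNS"
    return "ok" if remote == local else "keys do not match"


def drop_chars(strings, ch, n):
    """Reproduce the editing mistake: delete n occurrences of ch (a '/'
    taken for a line-wrap artifact) while keeping the string boundaries."""
    out = []
    for s in strings:
        while n and ch in s:
            s = s.replace(ch, "", 1)
            n -= 1
        out.append(s)
    return out


if __name__ == "__main__":
    strings = make_txt_strings(pem_body(FAKE_PEM))
    print(zone_record(strings, "sel", "example.com"))
    print("intact record:      ", check_key(FAKE_PEM, strings))
    print("one '/' dropped:    ", check_key(FAKE_PEM, drop_chars(strings, "/", 1)))
    print("four chars dropped: ", check_key(FAKE_PEM, drop_chars(strings, "/", 4)))
```

Dropping a single character leaves a base64 length that cannot decode, which is the easy case to spot; dropping a multiple of four decodes cleanly to a different key, which is exactly the silent mismatch that only a key comparison such as opendkim-testkey's will surface.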
Received on Fri Apr 15 2011 - 17:15:17 PST