Re: opendkim verify, but signed email has a hardfail.

From: Josef Karliak <karliak_at_ajetaci.cz>
Date: Wed, 09 Nov 2011 07:13:44 +0100

   Hi,
   I want to sign the domain fnhk.cz; celer (.ajetaci.cz) is from my own
domain, signing and verifying work well.
   When I send an email to elandsys, I get:
DKIM Signature validation: fail
DKIM Author Domain Signing Practices: "dkim=all"

   If I use the command for testing ADSP on the opendkim signing machine, ADSP is OK:
opendkim-testadsp: fnhk.cz:
         policy is "all"
         policy result code is "author domain policy found"

   And the opendkim test key binary doesn't show any problem message:
opendkim-testkey -d fnhk.cz -k ./mail.private -v -s mail

   If I make a mistake to test it again, I get an error message. So I
suppose that no message from opendkim-testkey means no errors (-s mail
-> -s maillll)

   To generate the opendkim key I used the command:
   opendkim-genkey -s mail -d fnhk.cz

   The contents of the file mail.txt are in the fnhk.cz zone record; dig
from celer.ajetaci.cz:
dig +short -t txt mail._domainkey.fnhk.cz
"v=DKIM1\; r=postmaster\; g=*\; k=rsa\;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCe2YTzbZM8cF+o/xmJ3E1szp6hKJJeoO9CF94laBr6/9mBnlDwJLAcA8s3K5WYpvuVm3huEaeBeBpikIwrWsvm4VBwAS2LuzdH9oMVYxR1RID8Zj1HuR9QeJrviWFqJijExI5KHoWR8eKFI8RZVTHfQTvh6BbtVgAIk2eg3jxvgQIDAQAB"

   So I'm out of ideas :-/
   I made a few DKIMs before, without any problems. I missed something :-/
   Thanks and best regards
   J.K.

Quoting "Murray S. Kucherawy" <msk_at_blackops.org>:

> On Tue, 8 Nov 2011, Josef Karliak wrote:
>> Hi,
>> I've some problems with opendkim with postfix on the opensuse 11.4 64-bit.
>> Email is signed, but verifiers don't accept it. Part of the email's header:
>> Authentication-Results: celer.ajetaci.cz; dkim=hardfail
>> (verification failed) header.i=_at_fnhk.cz; dkim-adsp=fail
>>
>> In the syslog I see:
>> Nov 8 13:22:00 celer dkim-filter[4888]: ED4D1C58FF SSL
>> error:04077068:rsa routines:RSA_verify:bad signature
>> Nov 8 13:22:00 celer dkim-filter[4888]: ED4D1C58FF: bad signature data
>
> You should update celer to opendkim as well, and test again.
>
> If it still fails, read opendkim/README's "DEBUG FEATURES" section
> and try using the tools described there. Let us know if you need
> further assistance.
>
> -MSK
>



-- 
My domain uses SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and check. If you have problems with sending emails to me, start
using the email origin methods mentioned above. Thank you.
Received on Wed Nov 09 2011 - 06:13:53 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:21 PST
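
Added example, not part of the original message and not OpenDKIM code: a Python check that reads the `dig` output quoted in the message the way a verifier has to (undoing dig's `\;` escaping and the line wrap), lists tags outside the RFC 6376 key-record set, and decodes `p=` to report the RSA modulus size and exponent. The function names are made up for this example. It inspects the published record only and does not verify any signature.

```python
import base64
import re

# dig output copied from the message above (one TXT string, "\;" escapes, wrapped).
DIG_OUTPUT = r'''"v=DKIM1\; r=postmaster\; g=*\; k=rsa\;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCe2YTzbZM8cF+o/xmJ3E1szp6hKJJeoO9CF94laBr6/9mBnlDwJLAcA8s3K5WYpvuVm3huEaeBeBpikIwrWsvm4VBwAS2LuzdH9oMVYxR1RID8Zj1HuR9QeJrviWFqJijExI5KHoWR8eKFI8RZVTHfQTvh6BbtVgAIk2eg3jxvgQIDAQAB"'''

# Key-record tags defined by RFC 6376 section 3.6.1; verifiers ignore any others.
RFC6376_KEY_TAGS = {"v", "h", "k", "n", "p", "s", "t"}

def parse_key_record(dig_text):
    """Turn `dig +short -t txt` output into a {tag: value} dict."""
    # Drop the TXT string quotes and undo dig's escaping of ';'.
    text = dig_text.replace('"', "").replace("\\;", ";")
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)   # base64 padding '=' stays in value
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def _read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: n length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_info(p_value):
    """Return (modulus_bits, exponent) for a base64 SubjectPublicKeyInfo."""
    der = base64.b64decode(p_value, validate=True)
    _, spki, _ = _read_tlv(der, 0)             # outer SEQUENCE
    _, _, pos = _read_tlv(spki, 0)             # AlgorithmIdentifier, skipped
    _, bits, _ = _read_tlv(spki, pos)          # BIT STRING, first byte = unused bits
    _, rsa, _ = _read_tlv(bits[1:], 0)         # RSAPublicKey SEQUENCE
    _, n, pos = _read_tlv(rsa, 0)              # INTEGER modulus
    _, e, _ = _read_tlv(rsa, pos)              # INTEGER public exponent
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")

def check_record(dig_text):
    """Summarise what a verifier would extract from the published key record."""
    tags = parse_key_record(dig_text)
    bits, exponent = rsa_key_info(tags["p"])
    return {"version": tags.get("v"), "key_type": tags.get("k", "rsa"),
            "rsa_bits": bits, "exponent": exponent,
            "non_rfc6376_tags": sorted(set(tags) - RFC6376_KEY_TAGS)}

if __name__ == "__main__":
    print(check_record(DIG_OUTPUT))
```

A record that parses cleanly here rules out a malformed or truncated key in DNS; it says nothing about whether the message body or headers were changed between signing and verification.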