I am having trouble with "bad identity" signatures for sender signatures, but
not for domain level signatures.
To me the obvious problem which breaks identification is an "@", which is
added before the actual mail address in the header.i= section:
    Authentication-Results: mail.state-of-mind.de (amavisd-new); dkim=softfail (invalid, bad identity)
        header.i=@alice@play.state-of-mind.de
This is not the case when I sign at domain level:
    Authentication-Results: mail.state-of-mind.de (amavisd-new); dkim=pass
        header.i=@play.state-of-mind.de
Identifiers, Selectors and Keys are retrieved from an LDAP backend. The
identifiers are noted as fqdn mail address and subdomain:
    alice@play.state-of-mind.de
    play.state-of-mind.de
I believe this complies with openDKIM's selection algorithm as documented in
opendkim.conf(5):
    For all other database types, the full user@host is checked first,
    then simply host, then user@.domain (with all superdomains checked
    in sequence, so "foo.example.com" would first check
    "user@foo.example.com", then "user@.example.com", then "user@.com"),
    then .domain, then user@*, and finally *.
Could it be openDKIM erroneously always adds an "@"? I tried with
@play.state-of-mind.de as Identifier and ended up with two @@s:
    header.i=@@play.state-of-mind.de
This is as far as I went. Anything beyond would be pure speculation.
Anyone with an idea what I could be doing wrong?
p_at_rick
P.S.
I am using opendkim-2.5.0 Beta 2 and didn't test other versions.
--
state of mind
Digitale Kommunikation
http://www.state-of-mind.de
Franziskanerstraße 15 Telefon +49 89 3090 4664
81669 München Telefax +49 89 3090 4666
Amtsgericht München Partnerschaftsregister PR 563
Received on Mon Nov 21 2011 - 11:27:37 PST
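
The lookup order quoted from opendkim.conf(5) in the message above, written out as an added example; this is not code from the original post or from OpenDKIM. The function names are hypothetical, and it assumes the ".domain" step walks the same superdomains as the "user@.domain" step, which the quoted text does not spell out.

```python
"""Candidate lookup keys for a sender address, in the order the quoted
opendkim.conf(5) text lists them. Illustration only, not OpenDKIM's code."""


def candidate_keys(address):
    """Return the keys to try for `address`, first to last."""
    user, sep, host = address.rpartition("@")
    if not sep or not user or not host:
        raise ValueError(f"not a user@host address: {address!r}")
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Superdomains with a leading dot: ".example.com", then ".com".
    supers = ["." + ".".join(labels[i:]) for i in range(1, len(labels))]

    keys = [f"{user}@{host}", host]          # full user@host, then host
    keys += [f"{user}@{s}" for s in supers]  # user@.domain, superdomains in turn
    keys += supers                           # .domain (assumed: same walk)
    keys += [f"{user}@*", "*"]               # user@*, then the catch-all
    return keys


def first_match(address, table_keys):
    """Return (position, key) of the first candidate found in table_keys,
    or None when nothing matches. Positions start at 1."""
    table = {k.lower() for k in table_keys}
    for position, key in enumerate(candidate_keys(address), start=1):
        if key.lower() in table:
            return position, key
    return None


if __name__ == "__main__":
    # The two identifiers listed in the post.
    stored = ["alice@play.state-of-mind.de", "play.state-of-mind.de"]
    # alice is the sender from the post; bob is a constructed second sender.
    for sender in ("alice@play.state-of-mind.de", "bob@play.state-of-mind.de"):
        print(sender, "->", first_match(sender, stored))
    print(candidate_keys("user@foo.example.com"))
```
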