Re: Problem signing MultipleSignatures from LDAP

From: Patrick Ben Koetter <p_at_state-of-mind.de>
Date: Tue, 29 Nov 2011 23:24:47 +0100

* Murray S. Kucherawy <msk_at_cloudmark.com>:
> > -----Original Message-----
> > From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Patrick Ben Koetter
> > Sent: Monday, November 21, 2011 12:15 PM
> > To: opendkim-users_at_lists.opendkim.org
> > Subject: Re: Problem signing MultipleSignatures from LDAP
> >
> > Now MultipleSignatures work, but I miss a signature that specifies the
> > full sender address. I hate to say it, but I seem to lack something
> > fundamental about how sender signatures should work:
>
> Did you modify the SigningTable to include the signer as the second parameter?

I believe I did:

MultipleSignatures yes

# SigningTable
# one field that contains a name found in the KeyTable (see above) that
# identifies which key should be used in generating the signature, and an
# optional second field naming the signer of the message that will be included
# in the "i=" tag in the generated signature.
SigningTable ldap://localhost/ou=people,dc=example,dc=com?DKIMSelector,DKIMIdentity?sub?(DKIMIdentity=$d)

# KeyTable
# (a) the name of the domain to use in the signature's "d=" value;
# (b) the name of the selector to use in the signature's "s=" value; and
# (c) either a private key or a path to a file containing a private key.
KeyTable ldap://localhost/ou=people,dc=example,dc=com?DKIMDomain,DKIMSelector,DKIMKey,?sub?(DKIMSelector=$d)


The Signature for the signer passes, but the signer domain signature fails:

From: Alice <alice_at_play.state-of-mind.de>
To: Patrick <p_at_state-of-mind.de>
Subject: Testing MultiSigs
Authentication-Results: mail.state-of-mind.de (amavisd-new); dkim=pass header.i=alice_at_play.state-of-mind.de
Authentication-Results: mail.state-of-mind.de (amavisd-new); dkim=softfail (invalid, bad identity) header.i=play.state-of-mind.de

Here's the output from the debug procedure:

p_at_play:~$ opendkim -Q
opendkim: enter data set description
        csl:entry1[,entry2[,...]]
        file:path
        refile:path
        db:path
        dsn:<backend>://[user[:pwd]_at_][port+]host/dbase[/key=val[?...]]
        ldapscheme://host[:port][/dn[?attrs[?scope[?filter[?exts]]]]]
        lua:path
> ldap://localhost/ou=people,dc=example,dc=com?DKIMSelector,DKIMIdentity?sub?(DKIMIdentity=$d)
opendkim: enter 'query/n' where 'n' is number of fields to request
> alice_at_play.state-of-mind.de/2
'alice-2011'
'alice_at_play.state-of-mind.de'
opendkim: enter 'query/n' where 'n' is number of fields to request
>
p_at_play:~$ opendkim -Q
opendkim: enter data set description
        csl:entry1[,entry2[,...]]
        file:path
        refile:path
        db:path
        dsn:<backend>://[user[:pwd]_at_][port+]host/dbase[/key=val[?...]]
        ldapscheme://host[:port][/dn[?attrs[?scope[?filter[?exts]]]]]
        lua:path
> ldap://localhost/ou=people,dc=example,dc=com?DKIMDomain,DKIMSelector,DKIMKey,?sub?(DKIMSelector=$d)
opendkim: enter 'query/n' where 'n' is number of fields to request
> alice-2011/3
'play.state-of-mind.de'
'alice-2011'
'-----BEGIN RSA PRIVATE KEY-----[...]-----END RSA PRIVATE KEY-----'
opendkim: enter 'query/n' where 'n' is number of fields to request
>



And here's the LDAP Tree including the objects in question:

dn: ou=Example Inc.,ou=people,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
objectClass: DKIM
DKIMKey:: [base64-encoded RSA private key removed]
DKIMSelector: play-2011
ou: Example Inc.
DKIMDomain: play.state-of-mind.de
DKIMIdentity: play.state-of-mind.de

dn: uniqueIdentifier=alice_at_play.state-of-mind.de,ou=Example Inc.,ou=people,d
 c=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: PostfixBookMailAccount
objectClass: extensibleObject
objectClass: DKIM
cn: Alice
DKIMKey:: [base64-encoded RSA private key removed]
DKIMSelector: alice-2011
mail: alice_at_play.state-of-mind.de
sn: Alice
DKIMDomain: play.state-of-mind.de
DKIMIdentity: alice_at_play.state-of-mind.de
givenName: Lastname
uniqueIdentifier: alice_at_play.state-of-mind.de
userPassword:: c2VjcmV0


Can you see what I am doing wrong?

Thanks,

p_at_rick

-- 
state of mind ()
http://www.state-of-mind.de
Franziskanerstraße 15      Telefon +49 89 3090 4664
81669 München              Telefax +49 89 3090 4666
Amtsgericht München        Partnerschaftsregister PR 563
Received on Tue Nov 29 2011 - 22:25:14 PST
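
Added example, not part of the original message and not OpenDKIM code: RFC 6376 section 3.5 defines the "i=" value as [local-part]@domain, where the domain is the "d=" domain or a subdomain of it. The check below applies that rule to identity/domain pairs like the DKIMIdentity and DKIMDomain values in the LDAP entries above; the function names are hypothetical, and addresses are written with "@" where the archive shows "_at_".

```python
import re

# Simplified domain pattern (assumption: ASCII labels only, no IDN handling).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def check_auid(i_value, d_value):
    """Return (ok, reason) for an i= value checked against the d= value."""
    if "@" not in i_value:
        return False, "i= has no '@'; required form is [local-part]@domain"
    # The local part may be empty: "@example.com" is a valid domain-wide identity.
    _local, _, domain = i_value.rpartition("@")
    if not _DOMAIN_RE.match(domain):
        return False, "domain part of i= is not a valid domain name"
    dom, d = domain.lower(), d_value.lower()
    if dom != d and not dom.endswith("." + d):
        return False, "domain part of i= is neither d= nor a subdomain of d="
    return True, "ok"


def audit(entries):
    """Return (identity, domain, reason) for every pair that fails the check."""
    failures = []
    for identity, domain in entries:
        ok, reason = check_auid(identity, domain)
        if not ok:
            failures.append((identity, domain, reason))
    return failures


# Constructed sample input: (DKIMIdentity, DKIMDomain) pairs mirroring the two
# LDAP entries in the message, plus a domain-wide identity for comparison.
ENTRIES = [
    ("alice@play.state-of-mind.de", "play.state-of-mind.de"),
    ("play.state-of-mind.de", "play.state-of-mind.de"),
    ("@play.state-of-mind.de", "play.state-of-mind.de"),
]

if __name__ == "__main__":
    for identity, domain, reason in audit(ENTRIES):
        print(f"i={identity} d={domain}: {reason}")
```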