Signing after verifying "unverifiable" messages

From: Дилян Палаузов <dilyan.palauzov_at_aegee.org>
Date: Wed, 11 Apr 2012 03:48:08 +0200

Hello,

I observed a situation that I find strange. OpenDKIM 2.5.2 signs all
emails properly, except the ones I submit (over SMTP-Submit). In those
emails, the bh= value was always the same and did not depend on the
content of the message. However, when I turned off the verification in
setup.lua and left only signing, the bh= value started coming out right.

Here is my setup.lua script:

local mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
if mtaname == "sm-80" then
    odkim.verify(ctx)
    odkim.sign(ctx, "aegee", "dkim+sm-80_at_aegee.org")
elseif mtaname == "sm-localhost" then
    -- odkim.verify(ctx)
    odkim.sign(ctx, "aegee", "dkim+sm-localhost_at_aegee.org")
elseif mtaname == "sm-karlsruhe" then
    odkim.sign(ctx, "lists", "dkim+sm-karlsruhe_at_lists.aegee.org")
elseif mtaname == "sm-lists" then
    odkim.verify(ctx)
elseif mtaname == "MSA-ssl" then
    -- odkim.verify(ctx)
    odkim.sign(ctx, "aegee", "dkim+MSA-ssl_at_aegee.org")
elseif mtaname == "MSA-tls" then
    -- odkim.verify(ctx)
    odkim.sign(ctx, "aegee", "dkim+MSA-tls_at_aegee.org")
elseif mtaname == "sm-mail" then
    odkim.verify(ctx)
    odkim.sign(ctx, "aegee", "dkim+sm-mail_at_aegee.org")
else
    odkim.verify(ctx)
    odkim.sign(ctx, "aegee", "dkim+strange_at_aegee.org")
end
return nil

The point is that the emails for MSA-tls/MSA-ssl/sm-localhost are not
signed, so the verification is not supposed to do anything useful
(except in the cases where the user signs emails before submitting them;
otherwise it correctly adds Authentication-Results: aegee.org; dkim=none
(no signature)). But putting those comments there / disabling the
verification really starts generating different bh= for those emails.
Otherwise only emails that can be verified are signed. Any ideas?

Best regards,
   Дилян

opendkim.conf:

AddAllSignatureResults yes
AlwaysAddARHeader yes
AuthservID aegee.org
AuthservIDWithJobID yes
Canonicalization relaxed/relaxed
#Domain "csl:aegee.org,aegee.uka.de,aegee.uni-karlsruhe.de"
DisableADSP yes
EnableCoreDumps yes
InternalHosts file:/etc/mail/dkim/internal-hosts
KeepAuthResults yes
KeyTable file:/etc/mail/dkim/keys.dataset
LogWhy yes
MaximumSignaturesToVerify 5
MilterDebug 10
PidFile /var/run/opendkim.pid
ReportAddress mail_at_aegee.org
#SignatureAlgorithm rsa-sha1
#SingleAuthResult yes
SenderHeaders Sender
#SenderMacro {daemon_name}
SendReports yes
SetupPolicyScript /etc/mail/dkim/setup.lua
Socket local:/var/run/opendkim.sock
SubDomains yes
Syslog yes
SyslogSuccess yes
TemporaryDirectory /dev/shm
WeakSyntaxChecks yes
X-Header yes


opendkim -V
opendkim: OpenDKIM Filter v2.5.2
         Compiled with GnuTLS 3.0.18
         SMFI_VERSION 0x1000001
         libmilter version 1.0.1
         Supported signing algorithms:
                 rsa-sha1
                 rsa-sha256
         Supported canonicalization algorithms:
                 relaxed
                 simple
         Active code options:
                 QUERY_CACHE
                 USE_DB
                 USE_LUA
                 USE_ODBX
                 USE_UNBOUND
                 _FFR_ADSP_LISTS
                 _FFR_DIFFHEADERS
                 _FFR_IDENTITY_HEADER
                 _FFR_LDAP_CACHING
                 _FFR_OVERSIGN
                 _FFR_RATE_LIMIT
                 _FFR_RBL
                 _FFR_REDIRECT
                 _FFR_REPLACE_RULES
                 _FFR_RESIGN
                 _FFR_STATS
                 _FFR_STATSEXT
                 _FFR_VBR
         libopendkim 2.5.2: diffheaders xtags query_cache
Received on Wed Apr 11 2012 - 01:48:25 PST
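
An added example, not part of the original message and not OpenDKIM code: it recomputes bh= from a message body per RFC 6376 and reports whether a signature's bh= matches the body, or is instead the hash of an empty body, which is one thing worth testing when bh= does not change with content. The message does not say what the constant value was; SAMPLE_SIG and SAMPLE_BODY are constructed, the function names are hypothetical, and the l= tag is ignored.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP and trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.replace(b"\r\n", b"\n").split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)  # an empty body stays empty

def simple_body(body: bytes) -> bytes:
    """RFC 6376 3.4.3: strip trailing empty lines; an empty body becomes one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return body.rstrip(b"\r\n") + b"\r\n"

def body_hash(body: bytes, canon: str = "relaxed", algo: str = "sha256") -> str:
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def signature_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tags, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

# bh= values produced by an empty body, for each canonicalization and hash.
EMPTY = {body_hash(b"", c, a): (c, a)
         for c in ("relaxed", "simple") for a in ("sha1", "sha256")}

def check_bh(sig_value: str, body: bytes) -> str:
    tags = signature_tags(sig_value)
    # c= is header/body; a missing body part defaults to simple.
    canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    algo = tags.get("a", "rsa-sha256").partition("-")[2]
    if tags["bh"] == body_hash(body, canon, algo):
        return "match"
    if tags["bh"] in EMPTY:
        return "empty-body hash (%s/%s)" % EMPTY[tags["bh"]]
    return "mismatch"

# Constructed sample: b= is a placeholder, bh= is the relaxed/sha256 empty-body value.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;\r\n"
              "\tbh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=PLACEHOLDER")
SAMPLE_BODY = b"Hello,\r\n\r\nthis body is not empty.\r\n"
```

Calling check_bh(SAMPLE_SIG, SAMPLE_BODY) with a real DKIM-Signature value and the body as it left the MTA shows whether the signer hashed the body it was given.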
