On Sun, 16 Dec 2012, SM wrote:
> At 22:45 12-12-2012, Dan Mahoney, System Admin wrote:
>> 1) I'm running opendkim-milter under FreeBSD, and I could have sworn that
>> if you had t=y set on your flag during verification, that you'd get
>> something like "result=pass (testing)" in the Authentication-Results
>> header. Am I just misremembering, or does the (testing) only show up in
>> failure situations, or ADSP testing?
>
> There will be a "testing" in the Authentication-Results header. BTW, the
> verification for this message was "verification error: signing key too small;
> secure key".

It wasn't the same key, but that's useful to know. Guess it's time to
re-key. I *have* been using dkim/domainkeys for...many years now with
that key.

Luckily, all the zones that use it include a single file in their
zonefiles, making key-rolls easy.

I see we've also reached the golden age of dnssec-awareness. Yay. (With
my DayJob hat on, I'm happy about this).

>> 2) I've had a few experiences where I've had a key retrieval failure (DNS
>> issues), and I found that while OpenDKIM adds the X-DKIM header, and logged
>> the error to syslog, there's not a corresponding authentication-results
>> header that would be shown to the user that indicates this was tried and
>> failed. Is it possible to "log" this to the mail message?
>
> In such cases you should see:
>
> Authentication-Results: mail.example.com; dkim=permerror
> reason="key not found"

The error I got in my maillogs was simply this:

maillog.3.bz2:Dec 13 01:21:47 quark-vm opendkim[2259]: qBD1LSrY002460: key retrieval failed (s=dkim2012, d=isc.org): 'dkim2012._domainkey.isc.org' query failed

And no authentication-results header, but it is 2.5.2 (on the validator
side), so if this is a recent feature addition, I'm not sure. Would you
know offhand? (I'm upgrading now).

> See the "On-DNSError" setting for setting the milter behavior on such
> failures.

Excellent, thanks.

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
Received on Mon Dec 17 2012 - 20:04:02 PST
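
The "signing key too small" result and the t=y flag discussed in this thread can both be checked offline from the text of a DKIM key record before a re-key. The following Python sketch is an added example, not code from the thread or from OpenDKIM; the function names, the 1024-bit min_bits threshold (the floor RFC 8301 sets for verifiers) and the sample records with placeholder moduli are assumptions constructed for illustration.

```python
import base64

def parse_tags(txt):
    """Split a DKIM key record ("tag=value; ...") into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def read_tlv(buf, pos):
    """Return (content_start, content_end) of the DER element at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo RSA key."""
    seq, _ = read_tlv(spki, 0)             # outer SEQUENCE
    _, alg_end = read_tlv(spki, seq)       # AlgorithmIdentifier, skipped
    bitstr, _ = read_tlv(spki, alg_end)    # BIT STRING
    key, _ = read_tlv(spki, bitstr + 1)    # +1 skips the unused-bits octet
    start, end = read_tlv(spki, key)       # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()

def audit(txt, min_bits=1024):
    """Report key size and testing flag for one key record."""
    tags = parse_tags(txt)
    if not tags.get("p"):                  # empty p= means the key is revoked
        return {"revoked": True}
    bits = rsa_bits(base64.b64decode(tags["p"]))
    return {"revoked": False, "bits": bits, "too_small": bits < min_bits,
            "testing": "y" in tags.get("t", "").split(":")}

def der(tag, body):
    """Encode one DER element (used only to build the sample records)."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    head = size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_record(bits, flags=""):
    """Constructed record with a placeholder modulus; not a usable key."""
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der(0x30, der(0x02, mod) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    p = base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsa))).decode()
    return "v=DKIM1; k=rsa; " + (f"t={flags}; " if flags else "") + "p=" + p

if __name__ == "__main__":
    for rec in (sample_record(512, "y"), sample_record(2048)):
        print(audit(rec))
```

To audit a published key, pass audit() the concatenated TXT strings returned for selector._domainkey.domain.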