Re: DKIM implementation issue

From: Rolf E. Sonneveld <R.E.Sonneveld_at_sonnection.nl>
Date: Thu, 24 Jan 2013 19:55:15 +0100

Hi, Lucas,

On 01/24/2013 05:14 PM, L.W. van Braam van Vloten wrote:
>
> Dear list,
> I would appreciate some advice on setting up DKIM on my mailserver.
> I am running a standard Debian 6 box using the default Postfix and
> dkim-filter packages. Postfix is configured to use amavisd-new for
> spam- and virus filtering.

First of all, see the comment of Scott: dkim-milter is no longer
maintained actively, while opendkim is.

> I have followed the instructions at
> http://www.debiantutorials.com/setup-domainkeys-identified-mail-dkim-in-postfix/,
> where:
> My selector is "list"
> My domain name is "list.ecompass.nl"
> I have added the following records to my DNS "ecompass.nl" zonefile:
> _domainkey.list IN TXT "t=n;o=~"

Not sure what you want to achieve here. According to
http://tools.ietf.org/html/rfc6376 the value of 't=' can be either 'y'
or 's'. Furthermore, there is no 'o' tag. Also, this is not the right
place in DNS for a key in relation to a signature for d=list.ecompass.nl.

> list._domainkey.list IN TXT "g=*; k=rsa;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRIUfe6fct5L75N0M2SOLVUE16THGX62egUTSj8mzi8uFjO6+ZuI9F8G7sIaHhHQ6RITrqYvH7cNxU2VWhqV9UobEs3ZecCkzThDewdloUmZ0oOkHGmE6zlNnodRcbfP+1VxMNC2KTHhSc8ONk3hlYuI6zyTxkU68Kg7kpajNXjQIDAQAB"
> Mail sent to an _at_yahoo.com address contains the following header:
> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=list.ecompass.nl;
> s=list.private; t=1359040840;

It seems from this signature that your selector is 'list.private', not
'list'.

> bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
> h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type:
> Content-Transfer-Encoding;
> b=aGYNtCgjRv45NOT+lR2r+PpzeBmSthzDKLiG7XIig//N2qpUxFEmUmscOoeYhr7Bm
> uIxaL5dA0KcArlEheEIL66Yfx+Z5Zggdz5cSBMnjmFXyULgramQExWn1y8sSjdw1Xm
> zZsr9UHvt2ZQ/O+Xn1yPc8cnXRyOA/fy52xMCaBM=
> The test at http://dkimcore.org/c/keycheck says: "This is a valid DKIM
> key record"
> However this does not work properly:
> - When I test "list._domainkey.list.ecompass.nl" at
> http://domainkeys.sourceforge.net/selectorcheck.html gives me the result:
> "This selector is in error: Tag 'p': Invalid public key has no modulus"
> - mail sent from my server to an _at_yahoo.com address contains the header:
> Authentication-Results: mta1092.mail.ac4.yahoo.com
> from=list.ecompass.nl; domainkeys=neutral (no sig);
> from=list.ecompass.nl; dkim=permerror (no key)

If Yahoo is encountering a DKIM signature with 's=list.private', it will
look for a key at list.private._domainkey.list.ecompass.nl. Periods in
selectors are explicitly allowed as per RFC6376, see the text and
rationale in par. 3.1 of the RFC.

> - Mail sent from my server to an _at_google.com address contains the header:
> Authentication-Results: mx.google.com;
> spf=pass (google.com: domain of beheer_at_list.ecompass.nl
> designates 5.9.107.177 as permitted sender)
> smtp.mail=beheer_at_list.ecompass.nl;
> dkim=neutral (bad format) header.i=_at_list.ecompass.nl
> I am at a loss... Dear list, please help me: any ideas?

To further complicate things: is this domain used for mailing lists (as
the domain name list.ecompass.nl and your website seem to imply)? Then
you may want to have a look at http://tools.ietf.org/html/rfc6377, as
mailing lists often break an already present DKIM-signature due to
modification of Subject and/or adding a footer section. Not sure about
LISTSERV, has there been work ongoing to support DKIM in Listserv?

Regards,
/rolf

Rolf E. Sonneveld
Sonnection B.V.
Received on Thu Jan 24 2013 - 18:55:34 PST
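
Added example, not part of the original message: a Python sketch of the two checks discussed in the reply, deriving the DNS name a verifier queries from the s= and d= tags of a DKIM-Signature header, and checking a key record's tags against RFC 6376. The function names are hypothetical; the sample values are copied from the message above.

```python
import re

# Key-record tags defined in RFC 6376, section 3.6.1.
KEY_TAGS = {"v", "h", "k", "n", "p", "s", "t"}
KEY_FLAGS = {"y", "s"}  # flags allowed in the t= tag

def parse_tags(text):
    """Split a DKIM tag=value list into a dict, dropping whitespace in values."""
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_query_name(signature):
    """Name a verifier looks up for this signature: <s>._domainkey.<d>."""
    tags = parse_tags(signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check_key_record(record):
    """Return notes on tags in a key TXT record that RFC 6376 does not define."""
    notes = []
    tags = parse_tags(record)
    for name in tags:
        if name not in KEY_TAGS:
            notes.append(f"tag '{name}' is not defined in RFC 6376")
    for flag in filter(None, tags.get("t", "").split(":")):
        if flag not in KEY_FLAGS:
            notes.append(f"t= flag '{flag}' is not 'y' or 's'")
    if "p" not in tags:
        notes.append("no p= tag (public key)")
    return notes

def diagnose(signature, published_name):
    """Compare where the key is published with where a verifier will look."""
    queried = key_query_name(signature)
    if queried == published_name.lower().rstrip("."):
        return f"match: {queried}"
    return f"mismatch: verifier queries {queried}, key is at {published_name}"

# Values from the message above (signature header cut after the t= tag).
SIGNATURE = ("v=1; a=rsa-sha256; c=simple/simple; d=list.ecompass.nl; "
             "s=list.private; t=1359040840")
PUBLISHED = "list._domainkey.list.ecompass.nl"

if __name__ == "__main__":
    print(diagnose(SIGNATURE, PUBLISHED))
    print(check_key_record("t=n;o=~"))
```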
