Re: DKIM hardfail (with eg. google or test sites)

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 15 Mar 2013 09:12:47 -0700 (PDT)

On Fri, 15 Mar 2013, Matthias Weiss wrote:
> turned out that this is the reason: I removed Sender and Message-Id from the
> AlwaysSignHeaders parameter and now it passes Googles DKIM checks.
>
> Which of course leads me to the question why the message-id and the sender
> fields are added to the mail after OpenDKIM signed the mail? I paste here the
> opendkim.conf:
>
> AlwaysSignHeaders To,Subject,MIME-Version,Content-Type,From,Date,Reply-
> To,List-Unsubscribe
> Canonicalization relaxed/relaxed
> Domain mydomain.com
> DomainKeysCompat true
> KeyTable refile:/etc/opendkim/key_table
> LogWhy yes
> PidFile /var/run/opendkim/opendkim.pid
> ReportAddress postmaster_at_mydomain.com
> Selector mail
> SendReports yes
> SigningTable refile:/etc/opendkim/signing_table
> Socket unix:/var/spool/postfix/milter/opendkim
> Statistics /var/lib/opendkim/stats.dat
> Syslog yes
> SyslogSuccess yes
> UMask 007
> UserID milter
>
> We're sending out mail with the postfix sendmail command. The test mails I
> sent to gmail had the "Sender" field set on the command line.
>
> In our postfix main.cf we have:
>
> smtpd_milters = unix:/var/spool/postfix/milter/opendkim
>
> non_smtpd_milters = unix:/var/spool/postfix/milter/opendkim
>
> Does anything catch your eye?

Chances are this is what's happening:

1) you generate a message missing a Sender field (or both) and pass it to
your MTA

2) the message is handed to opendkim for signing as-is

3) because you used AlwaysSignHeaders, opendkim includes them in the
signature anyway, which causes a signature to be generated that will fail
if someone else adds them

4) your MTA then adds the missing fields

5) the message arrives at Gmail (or wherever), and the verification fails
because of the above

So you could either do what you did and don't force those header field
names into the signature even if the fields are missing, or change your
message generator so that it includes them in what's passed to the MTA.

If you want Sender and Message-ID to be signed if they're present, use
"SignHeaders" instead of "AlwaysSignHeaders".

-MSK
Received on Fri Mar 15 2013 - 16:13:03 PST

This archive was generated by hypermail 2.3.0 : Fri Mar 15 2013 - 16:18:02 PST