Greetings,

I'm setting up a new mail server, where I'm using opendkim to validate
DKIM signatures on incoming mail. Noticed something in the added
Authentication-Results header, which made me wonder.

Authentication-Results: mail.arrakis.se; dkim=pass
    reason="2048-bit key; insecure key"
    header.d=arrakis.se header.i=_at_arrakis.se header.b=QkUD6aEe;
    dkim-adsp=pass; dkim-atps=neutral

The "insecure key" part is what I'm wondering about.

From what I have understood, that is due to a lack of DNSSEC validation
of the public key?

The thing is that the zone arrakis.se is signed by DNSSEC, and the mail
server in question uses a DNSSEC-capable resolver. If I run the command
below in a shell on the mail server, I will get a response including the
ad flag.

    dig +dnssec halleck._domainkey.arrakis.se TXT

Any chance that opendkim for some reason fails to do a DNSSEC lookup due
to some missing library/package? If so, any suggestion on how to debug
that, or what (missing) libraries to look for?

I'm running opendkim 2.6.8, under Debian 7.0.
opendkim is called from postfix, using (non_)smtpd_milters.

In case it matters, I'm attaching below a full example mail.

// Andreas
Return-Path: <andreas_at_arrakis.se>
Delivered-To: <andreas_at_bogosity.se>
Received: from mail.arrakis.se
    by mail.arrakis.se (Dovecot) with LMTP id ybzjCAUvQ1IJbQAAKVq6IQ
    for <andreas_at_bogosity.se>; Wed, 25 Sep 2013 18:44:21 +0000
Received: from halleck.arrakis.se (halleck.arrakis.se [IPv6:2001:ba8:1f1:f1d1::2])
    (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.arrakis.se (Postfix) with ESMTPS id 0B2491E7
    for <andreas_at_bogosity.se>; Wed, 25 Sep 2013 18:44:20 +0000 (UTC)
Authentication-Results: mail.arrakis.se; dkim=pass
    reason="2048-bit key; insecure key"
    header.d=arrakis.se header.i=_at_arrakis.se header.b=QkUD6aEe;
    dkim-adsp=pass; dkim-atps=neutral
Received: by halleck.arrakis.se (Postfix, from userid 1000)
    id BBF2A2007F; Wed, 25 Sep 2013 18:44:19 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arrakis.se;
    s=halleck; t=1380134659;
    bh=JBxVF3awnh7NrrJuGsAnOTVvljaLuqdGTW9rC5y7FEE=;
    h=To:Subject:Date:From;
    b=QkUD6aEeY+zzTJrmlo5qL+f9eZXCEpxAjR89c65wo3cPocHX/yg1ulKpcXGFS1Y0a
    2tl14Fc58HMVAeBpVKOd2t9eXTIbjpOW9MjP1bc1ZqExMWK8vriB5P7uSCMrcmfsno
    w+H5i8/xlrKYHJbmMh1LKL2AcP6WThHwguQFk43VQq1ptKYvXIzPGm+mxIKii4DCHw
    27NYDZEdyIJnMSg8dCuDo/4jD7Te0WJNCOrWi+5Ko08eBCn8vflpVUMEEQvR+wOMia
    /5qbJzXBz3HlkEXI+bXHwCid+vXJ6DJiifhWXRjds1er8hkuYGnx4RJSrOHnQ4s6bN
    iE7dWmjORL3Gw==
To: andreas_at_bogosity.se
Subject: dkimtest
Message-Id: <20130925184419.BBF2A2007F_at_halleck.arrakis.se>
Date: Wed, 25 Sep 2013 18:44:19 +0000 (UTC)
From: andreas_at_arrakis.se (Andreas Olsson)

blah blah
Received on Wed Sep 25 2013 - 19:02:24 PST
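
Added example, not part of the original post and not OpenDKIM code: a small parser for the Authentication-Results header quoted above that lists each dkim=pass whose reason carries the "insecure key" status, useful for re-checking stored mail after a resolver or library change. The function names and the second sample header are made up for illustration; the reason format is assumed to match the one header shown in the post.

```python
import re

# Header from the post above, with continuation lines folded per RFC 5322.
SAMPLE = (
    "Authentication-Results: mail.arrakis.se; dkim=pass\n"
    '    reason="2048-bit key; insecure key"\n'
    "    header.d=arrakis.se header.i=_at_arrakis.se header.b=QkUD6aEe;\n"
    "    dkim-adsp=pass; dkim-atps=neutral\n"
)
# Constructed header (not from the post): a pass with no reason string.
NO_REASON = "Authentication-Results: mx.example.org; dkim=pass header.d=example.org\n"


def parse_authres(header):
    """Return (authserv_id, {method: {"result": ..., property: ...}})."""
    value = header.split(":", 1)[1]
    value = re.sub(r"\r?\n[ \t]+", " ", value).strip()  # unfold
    # Split on ';' but not inside quotes: the reason text itself contains ';'.
    parts = [p.strip() for p in re.findall(r'(?:"[^"]*"|[^;"])+', value)]
    parts = [p for p in parts if p]
    results = {}
    for part in parts[1:]:
        pairs = re.findall(r'([\w.-]+)=("[^"]*"|\S+)', part)
        if pairs:
            (method, result), props = pairs[0], pairs[1:]
            results[method] = {"result": result,
                               **{k: v.strip('"') for k, v in props}}
    return parts[0], results


def dkim_key_info(reason):
    """Split a reason like '2048-bit key; insecure key' into (bits, status)."""
    m = re.match(r"(\d+)-bit key(?:; (.+))?$", reason)
    return (int(m.group(1)), m.group(2)) if m else (None, None)


def unvalidated_passes(headers):
    """List (authserv_id, signing domain, key bits) for each dkim=pass whose
    reason says 'insecure key', the status string shown in the post."""
    hits = []
    for h in headers:
        authserv, res = parse_authres(h)
        dkim = res.get("dkim", {})
        bits, status = dkim_key_info(dkim.get("reason", ""))
        if dkim.get("result") == "pass" and status == "insecure key":
            hits.append((authserv, dkim.get("header.d"), bits))
    return hits


if __name__ == "__main__":
    print(unvalidated_passes([SAMPLE, NO_REASON]))
```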