Re: Who manages the sa-test_at_sendmail.net account?

From: Erik Logtenberg <erik_at_logtenberg.eu>
Date: Wed, 26 Mar 2014 20:25:25 +0100

Hi MSK,

Your signature checked out fine:

Authentication-Results: mx.logtenberg.eu; dkim=pass
        reason="1024-bit key; unprotected key"
        header.d=blackops.org header.i=_at_blackops.org header.b=rSxxKKaJ;
        dkim-adsp=pass

I also saw the "z=" tag you were talking about. It's quite a big tag.

The signature added by the mailing list also checks out. It doesn't have
the "z=" tag.

Authentication-Results: mx.logtenberg.eu; dkim=pass
        reason="1024-bit key; unprotected key"
        header.d=opendkim.org header.i=opendkim-users-bounce_at_lists.opendkim.org
        header.b=C5A51KxC; dkim-adsp=pass

By the way, I tried the sa-test twice, and got different results:

Authentication-Results: mx.logtenberg.eu; dkim=neutral
        reason="verification failed; unprotected key/testing"
        header.d=sendmail.net header.i=_at_sendmail.net header.b=ArMNgf/0;
        dkim-adsp=none (unprotected policy)

Authentication-Results: mx.logtenberg.eu; dkim=pass
        reason="1024-bit key; unprotected key/testing"
        header.d=sendmail.net header.i=_at_sendmail.net header.b=e1p3zywM;
        dkim-adsp=pass

Indeed sa-test runs an OpenDKIM version that calls itself OpenDKIM Filter:

DKIM-Filter: OpenDKIM Filter v2.8.3 services.sendmail.com s2LGemhS064713

I am running OpenDKIM 2.9.0 on my mailserver.

Kind regards,

Erik.


On 03/26/2014 06:17 PM, Murray S. Kucherawy wrote:
> On Tue, 25 Mar 2014, Erik Logtenberg wrote:
>> I did however find that sa-test also uses DKIM to sign their
>> autoresponse message, and according to my mailserver their signature
>> didn't check out. Now I don't know how to manually check a DKIM
>> signature, so I can't figure out if the error is on my side or theirs.
>> Anyway, I don't think you can really configure much about the DKIM
>> checking, apart from enabling or disabling it altogether. So that's
>> what I'd like to ask them.
>
> They're running a pretty old version of opendkim (back when it was known
> as dkim-filter), so I can explain some stuff.
>
> Generally speaking the only way to figure out what's breaking a
> signature is to get both sides to capture the exact data they
> signed/verified and compare them. Their code is configured to send you
> that information when your message fails to verify, but when their reply
> fails you don't have that information.
>
> Their code might also be configured to include in their response
> signature a "z=" tag. You could at least use that to see if the header
> is being changed in a way that breaks the signature, but you wouldn't be
> able to tell if the body changed.
>
> Let me know if this message's signature verifies. If it doesn't, we can
> start down the debugging path. Note that you will probably get two
> copies, one from the list and one from me directly; check the latter.
>
> -MSK
Received on Wed Mar 26 2014 - 19:25:38 PST
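
The header comparison MSK describes, as an added example that is not part of the original messages: it decodes the "z=" tag of a DKIM-Signature (the signer's copy of the header fields, in the encoding RFC 6376 defines) and reports fields whose received value differs. The sample message, its domains and the function names are constructed for illustration; nothing is verified cryptographically, and body changes are not visible this way.

```python
import re
from email import message_from_string

def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def dkim_qp_decode(text):
    """dkim-quoted-printable: ignore folding whitespace, expand =XX."""
    text = re.sub(r"\s+", "", text)
    return re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def copied_headers(sig_value):
    """Return [(name, value)] from z=; items are '|'-separated name:value."""
    items = parse_tags(sig_value).get("z", "").split("|")
    pairs = (item.partition(":") for item in items if ":" in item)
    return [(n.strip().lower(), dkim_qp_decode(v)) for n, _, v in pairs]

def header_diffs(raw_message):
    """List (name, signed, received) for z= fields that no longer match."""
    msg = message_from_string(raw_message)
    squash = lambda s: " ".join(s.split())  # ignore whitespace-only changes
    diffs = []
    for name, signed in copied_headers(msg["DKIM-Signature"] or ""):
        seen = msg.get_all(name) or []
        received = str(seen[-1]) if seen else None  # DKIM takes the last instance first
        if received is None or squash(received) != squash(signed):
            diffs.append((name, signed, received))
    return diffs

# Constructed sample: a list prefixed the Subject after signing.
# bh= and b= are placeholders; no cryptographic check is done here.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel;
\th=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER;
\tz=From:alice@example.org|To:list@example.net|
\t Subject:DKIM=20test=3B=20please=20ignore
From: alice@example.org
To: list@example.net
Subject: [list] DKIM test; please ignore

body
"""

if __name__ == "__main__":
    for name, signed, received in header_diffs(SAMPLE):
        print(f"{name}: signed {signed!r}, received {received!r}")
```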
