Re: Problems debugging signature validation failure

From: Colin Fleming <colin.mailinglist_at_gmail.com>
Date: Sat, 29 Mar 2014 14:44:37 +1300

Hi Murray,

Thanks for the suggestion - indeed, opendkim-testkey reported a couple of errors:

sudo -u opendkim opendkim-testkey -d cursiveclojure.com -k /etc/opendkim/keys/cursiveclojure.com/default.private -s default -v -x /etc/opendkim.conf
opendkim-testkey: key not secure
opendkim-testkey: keys do not match

I’m not sure why it should report that the key is not secure, since it’s owned by the opendkim user with what looks like the right permissions:

root@cursiveclojure:/home/deploy# ls -la /etc/opendkim/keys/cursiveclojure.com/default.*
-rwx------ 1 opendkim opendkim 887 Mar 28 04:46 /etc/opendkim/keys/cursiveclojure.com/default.private
-rwx------ 1 opendkim opendkim 311 Mar 28 04:46 /etc/opendkim/keys/cursiveclojure.com/default.txt

I fixed the key mismatch; I hadn’t read the output from dig carefully enough on my second server install. That seems to have been my main problem, and the validation now passes - thanks!

> Wow, they really need to update this.
Is there a more up-to-date testing service that you recommend?

Thanks for the prompt help,

Colin


On March 29, 2014 at 6:55:17 AM, Murray S. Kucherawy (msk_at_blackops.org) wrote:

On Sat, 29 Mar 2014, Colin Fleming wrote:
> Am I missing something obvious? How should I go about debugging this?

Have you run opendkim-testkey to confirm your setup?

> NOTE: DKIM checking has been performed based on the latest DKIM specs 
> (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for 
> older versions. If you are using Port25's PowerMTA, you need to use 
> version 3.2r11 or later to get a compatible version of DKIM. 

Wow, they really need to update this.

-MSK
Received on Sat Mar 29 2014 - 01:45:29 PST
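
The "keys do not match" error in the message above was resolved by re-reading the dig output. As an added example (not part of the original thread and not OpenDKIM code), this shell script compares the p= tag of the record written to default.txt with the TXT record returned by DNS. The function names and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Print the p= (public key) tag of a DKIM TXT record passed as $1.
# Accepts zone-file form (default.txt) or `dig +short TXT` output.
dkim_p() {
    # Keep only the quoted chunks, join them, drop whitespace, then
    # split the tag list on ';' and print the value of the p= tag.
    printf '%s\n' "$1" | grep -o '"[^"]*"' | tr -d '"\n \t' \
        | tr ';' '\n' | sed -n 's/^p=//p'
}

# Succeed only if both records carry the same, non-empty public key.
dkim_keys_match() {
    dkm_local=$(dkim_p "$1")
    dkm_dns=$(dkim_p "$2")
    [ -n "$dkm_local" ] && [ "$dkm_local" = "$dkm_dns" ]
}

# Constructed sample data: placeholder strings, not real keys.
ZONE_RECORD='default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=AAAAconstructedKeyOneAAAA" )  ; ----- DKIM key default'
DNS_GOOD='"v=DKIM1; k=rsa; " "p=AAAAconstructedKeyOneAAAA"'
DNS_STALE='"v=DKIM1; k=rsa; p=BBBBconstructedKeyTwoBBBB"'

# On a live server the two inputs would come from, for example:
#   "$(cat /etc/opendkim/keys/cursiveclojure.com/default.txt)"
#   "$(dig +short TXT default._domainkey.cursiveclojure.com)"
for dns in "$DNS_GOOD" "$DNS_STALE"; do
    if dkim_keys_match "$ZONE_RECORD" "$dns"; then
        echo "match:    DNS publishes the key generated on this server"
    else
        echo "mismatch: local p=$(dkim_p "$ZONE_RECORD")"
        echo "          DNS   p=$(dkim_p "$dns")"
    fi
done
```

This compares only the published text; opendkim-testkey remains the check that the private key itself corresponds to the published record.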
