dkim-ops

[dkim-ops] Yahoo/BellSouth configuration

2009-08-26 12:15:13
I recently started signing our email with DKIM and started using a dkim filter
for our inbound mail.

We are a university and I got a complaint from certain parents who became
unable to email their son, a student here.

The parents also tried emailing our helpdesk, which also failed.  This appears
in our logs:

Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: 
from=<parent(_at_)bellsouth(_dot_)net>, size=3440, class=0, nrcpts=1, 
msgid=<888823(_dot_)25503(_dot_)qm(_at_)web180614(_dot_)mail(_dot_)sp1(_dot_)yahoo(_dot_)com>,
 proto=SMTP, daemon=MTA, relay=web180614.mail.sp1.yahoo.com [68.180.196.150]
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: header: 
X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: header: 
Received-SPF: Neutral (SMTP.WPI.EDU: 68.180.196.150 is neither permitted\n\tnor 
denied by domain of parent(_at_)bellsouth(_dot_)net)\n\treceiver=SMTP.WPI.EDU; 
client-ip=68.180.196.150;\n\tenvelope-from=<parent(_at_)bellsouth(_dot_)net>; 
helo=web180614.mail.sp1.yahoo.com;
Aug 24 11:33:47 SMTP dkim-filter[11907]: n7OFXfCD009611: key retrieval failed 
(s=s1024, d=bellsouth.net): `s1024._domainkey.bellsouth.net' record not found
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert (1): header: 
Authentication-Results:  SMTP.WPI.EDU; 
dkim=neutral\n\theader(_dot_)i=(_at_)bellsouth(_dot_)net; x-dkim-adsp=none
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert (1): header: 
X-DKIM:  Sendmail DKIM Filter v2.8.3 SMTP.WPI.EDU n7OFXfCD009611
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter: data, reject=451 
4.3.2 Please try again later
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: 
to=<helpdesk(_at_)WPI(_dot_)EDU>, delay=00:00:00, pri=33440, stat=Please try 
again later

"parent" is not the address at bellsouth.  It gives "ok" from their mail server,
so maybe parent is somebody, but it's not them.

The parents claimed they were unable to get any help from Yahoo or BellSouth
about this issue.  Those helpdesk people claimed that the problem was here at
WPI.

I thought that the parents had gotten onto yahoo by mistake and were sending a
bellsouth message, causing the trouble, but I found a mention of "netscape
mail" on the bellsouth.net Internet mail FAQ, and that leads me to suspect that
maybe Yahoo is really officially carrying BellSouth customers' email.  Maybe
that's a bad guess of mine.

I turned off the DKIM filter, since I can't see the message until I do that.

A message from them to me had this header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; s=s1024; 
t=1251295577; bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=; 
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;
 
b=NtTZuqgdUa6AbMvBYLAcplSRLag1MYv64CaLP9tngtSO4p7uuclGatImb9L7aRHaLFlXH1LXPHPDH7DN05y4/JwxZSyg1lJND9iaNejALpGTeyuBSSE1NjBWAhh97Z1vpSWVEqvZL6x7q7JmBJVxy8dMrpqdRg92ahgXJgUYJc0=

The problem is that bellsouth.net has no selector named s1024.  However,
yahoo.com does:

# dig s1024._domainkey.yahoo.com txt

; <<>> DiG 9.3.4-P1 <<>> s1024._domainkey.yahoo.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39073
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;s1024._domainkey.yahoo.com.    IN      TXT

;; ANSWER SECTION:
s1024._domainkey.yahoo.com. 86400 IN    TXT     "k=rsa\; t=y\; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrEee0Ri4Juz+QfiWYui/E9UGSXau/2P8LjnTD8V4Unn+2FAZVGE3kL23bzeoULYv4PeleB3gfm"
 
"JiDJOKU3Ns5L4KJAUUHjFwDebt0NP+sBK0VKeTATL2Yr/S3bT/xhy+1xtj4RkdV7fVxTn56Lb4udUnwuxK4V5b5PdOKj/+XcwIDAQAB\;
 n=A 1024 bit key\;"

So, my question is about how our DKIM filter is supposed to know to check
yahoo.com when given a domain of bellsouth.com in the DKIM-Signature.

Is there a newer version than dkim-milter-2.8.3 which might understand some new
magic about how to translate domain names given in the DKIM header?

Is this just a configuration problem at Yahoo?  I thought they were a leader in
the Domainkeys/DKIM area and it would seem strange if they didn't understand
their own protocol.
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
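
Added example, not part of the original post and not dkim-milter's code: a Python illustration of how a verifier derives the key query name purely from the d= and s= tags of the signature quoted above, so no translation from bellsouth.net to yahoo.com can take place. It also shows the outcome classes of RFC 4871 section 6.1.2, where a missing key record is a permanent failure of that one signature (the signature is ignored) and deferral is reserved for lookups that get no response. The `ZONE` dict, the `resolve` callable and the `PLACEHOLDER` values are assumptions constructed so the block runs offline.

```python
import re

# DKIM-Signature value from the post; the b= signature is a constructed placeholder.
SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; s=s1024;\r\n"
    " t=1251295577; bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=;\r\n"
    " h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:"
    "In-Reply-To:MIME-Version:Content-Type;\r\n"
    " b=PLACEHOLDER"
)

# Constructed stand-in for DNS: only the yahoo.com selector exists, as in the dig output.
ZONE = {"s1024._domainkey.yahoo.com": "k=rsa; t=y; p=PLACEHOLDER"}


def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, rejecting duplicate tags."""
    tags = {}
    for part in re.sub(r"\r?\n[ \t]+", " ", value).split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = part.partition("=")  # first '=' only: base64 may end in '='
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name] = val.strip()
    return tags


def key_query_name(tags):
    """The only name a verifier queries: <s>._domainkey.<d>, both from the signature."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def retrieve_key(tags, resolve):
    """resolve(name) returns a TXT string, None if no record, or raises TimeoutError."""
    name = key_query_name(tags)
    try:
        record = resolve(name)
    except TimeoutError:
        return ("tempfail", name, "key unavailable")       # deferring is permitted here
    if record is None:
        return ("permfail", name, "no key for signature")  # ignore this signature
    return ("ok", name, record)


if __name__ == "__main__":
    print(retrieve_key(parse_tags(SIG), ZONE.get))
```
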