dkim-ops

Re: [dkim-ops] Yahoo/BellSouth configuration

2009-08-26 12:57:55
-----Original Message-----
From: dkim-ops-bounces(_at_)mipassoc(_dot_)org [mailto:dkim-ops-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Allan E. Johannesen
Sent: Wednesday, August 26, 2009 8:37 AM
To: dkim-ops(_at_)mipassoc(_dot_)org
Cc: aej(_at_)wpi(_dot_)edu
Subject: [dkim-ops] Yahoo/BellSouth configuration

[...]

I turned off the DKIM filter, since I can't see the message until I do
that.

A message from them to me had this header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net;
s=s1024; t=1251295577; bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;
b=NtTZuqgdUa6AbMvBYLAcplSRLag1MYv64CaLP9tngtSO4p7uuclGatImb9L7aRHaLFlXH
1LXPHPDH7DN05y4/JwxZSyg1lJND9iaNejALpGTeyuBSSE1NjBWAhh97Z1vpSWVEqvZL6x7
q7JmBJVxy8dMrpqdRg92ahgXJgUYJc0=

The problem is that bellsouth.net has no selector named s1024. However,
yahoo.com does:
[...]

So, my question is about how our DKIM filter is supposed to know to check
yahoo.com when given a domain of bellsouth.com in the DKIM-Signature?

Is there a newer version than dkim-milter-2.8.3 which might understand some new
magic about how to translate domain names given in the DKIM header?

My guess is Yahoo! is providing mailbox service for Bellsouth. They send mail
on behalf of bellsouth.net and are signing that mail with DKIM, but are
changing the "d=" to match the sending domain while still using their own keys.
This causes verifiers to (correctly!) go to bellsouth.net's DNS servers to get
the key but, as you've observed, it's not there, which makes verification
impossible.

There's no magic to apply here.  The verifier is doing what the signer told it 
to do, but what the signer said is unfortunately invalid.

Your best bet until this gets straightened out is to relax what the filter does 
in response to key retrieval failures.  Check the documentation for the filter 
you're using for assistance.

-MSK
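
The lookup described in the reply above, as an added example that is not part of the original thread and not dkim-milter code: it parses the quoted DKIM-Signature, derives the one DNS name a verifier queries from `s=` and `d=`, and applies a local policy when no key is found. The `ZONE` dictionary, the record text in it, the `b=` placeholder and the `on_missing_key` parameter are constructed for illustration.

```python
import re

def parse_dkim_signature(value):
    """Parse a DKIM-Signature tag=value list into a dict of tag -> value."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        # Folding whitespace is not significant in the tags used here.
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(tags):
    """The signature names the only place a verifier may look: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def evaluate(header_value, txt_lookup, on_missing_key="accept"):
    """Return (query name, result, action).

    txt_lookup: assumed callable returning the TXT record text, or None.
    on_missing_key: hypothetical local policy value, not a dkim-milter option.
    """
    tags = parse_dkim_signature(header_value)
    qname = key_query_name(tags)
    if txt_lookup(qname) is None:
        # Unverifiable signature: local policy decides what happens to the mail.
        return qname, "no key for signature", on_missing_key
    return qname, "key found", "verify"

# Header from the message above; the b= value is replaced by a placeholder.
HEADER = """v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net;
 s=s1024; t=1251295577; bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=;
 h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:
 In-Reply-To:MIME-Version:Content-Type; b=PLACEHOLDER"""

# Constructed stand-in for DNS: the selector exists only under yahoo.com.
ZONE = {"s1024._domainkey.yahoo.com": "v=DKIM1; k=rsa; p=CONSTRUCTED"}

if __name__ == "__main__":
    print(evaluate(HEADER, ZONE.get))            # default: do not reject
    print(evaluate(HEADER, ZONE.get, "reject"))  # strict policy loses the mail
```

The verifier never consults yahoo.com because nothing in the signature points there; only the signer can fix that by publishing the key under the `d=` domain or signing with a `d=` that holds it.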

