dkim-ops

Re: [dkim-ops] Yahoo/BellSouth configuration

2009-08-26 13:16:03
At 08:37 26-08-2009, Allan E. Johannesen wrote:
I recently started signing our email with DKIM and started using a dkim filter
for our inbound mail.

We are a university and I got a complaint from certain parents who became
unable to email their son, a student here.

The parents also tried emailing our helpdesk, which also failed.  This appears
in our logs:

Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: 
from=<parent(_at_)bellsouth(_dot_)net>, size=3440, class=0, nrcpts=1, 
msgid=<888823(_dot_)25503(_dot_)qm(_at_)web180614(_dot_)mail(_dot_)sp1(_dot_)yahoo(_dot_)com>,
proto=SMTP, 
daemon=MTA, relay=web180614.mail.sp1.yahoo.com [68.180.196.150]
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: 
header: X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: 
header: Received-SPF: Neutral (SMTP.WPI.EDU: 68.180.196.150 is 
neither permitted\n\tnor denied by domain of 
parent(_at_)bellsouth(_dot_)net)\n\treceiver=SMTP.WPI.EDU; 
client-ip=68.180.196.150;\n\tenvelope-from=<parent(_at_)bellsouth(_dot_)net>; 
helo=web180614.mail.sp1.yahoo.com;
Aug 24 11:33:47 SMTP dkim-filter[11907]: n7OFXfCD009611: key 
retrieval failed (s=s1024, d=bellsouth.net): 
`s1024._domainkey.bellsouth.net' record not found

The public key cannot be retrieved.

Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert 
(1): header: Authentication-Results:  SMTP.WPI.EDU; 
dkim=neutral\n\theader(_dot_)i=(_at_)bellsouth(_dot_)net; x-dkim-adsp=none
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert 
(1): header: X-DKIM:  Sendmail DKIM Filter v2.8.3 SMTP.WPI.EDU n7OFXfCD009611
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter: data, 
reject=451 4.3.2 Please try again later

Configure your milter so that it does not temporarily fail if there is a DNS 
issue (On-DNSError accept).

The parents claimed they were unable to get any help from Yahoo or BellSouth
about this issue.  Those helpdesk people claimed that the problem was here at
WPI.

As you asked an operational question, I'll provide you with the 
operational answer which is to fix the problem at your end. :-)

I thought that the parents had gotten onto yahoo by mistake and were sending a
bellsouth message, causing the trouble, but I found a mention of "netscape
mail" on the bellsouth.net Internet mail FAQ, and that leads me to suspect that
maybe Yahoo is really officially carrying BellSouth customers' email.  Maybe
that's a bad guess of mine.

Yes.

A message from them to me had this header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=bellsouth.net; s=s1024; t=1251295577; 
bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=; 
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;

b=NtTZuqgdUa6AbMvBYLAcplSRLag1MYv64CaLP9tngtSO4p7uuclGatImb9L7aRHaLFlXH1LXPHPDH7DN05y4/JwxZSyg1lJND9iaNejALpGTeyuBSSE1NjBWAhh97Z1vpSWVEqvZL6x7q7JmBJVxy8dMrpqdRg92ahgXJgUYJc0=

The problem is that bellsouth.net has no selector named s1024.  However,
yahoo.com does:

# dig s1024._domainkey.yahoo.com txt

; <<>> DiG 9.3.4-P1 <<>> s1024._domainkey.yahoo.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39073
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;s1024._domainkey.yahoo.com.    IN      TXT

;; ANSWER SECTION:
s1024._domainkey.yahoo.com. 86400 IN    TXT     "k=rsa\; t=y\; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrEee0Ri4Juz+QfiWYui/E9UGSXau/2P8LjnTD8V4Unn+2FAZVGE3kL23bzeoULYv4PeleB3gfm"

"JiDJOKU3Ns5L4KJAUUHjFwDebt0NP+sBK0VKeTATL2Yr/S3bT/xhy+1xtj4RkdV7fVxTn56Lb4udUnwuxK4V5b5PdOKj/+XcwIDAQAB\;

n=A 1024 bit key\;"

So, my question is about how our DKIM filter is supposed to know to check
yahoo.com when given a domain of bellsouth.com in the DKIM-Signature?

DKIM filter is working correctly as it is using the correct selector 
and domain to retrieve the public key.  This is either a case of the 
wrong domain being used to DKIM sign the message or a DNS misconfiguration.

Is there a newer version than dkim-milter-2.8.3 which might understand some new
magic about how to translate domain names given in the DKIM header?

You do not need to do that.

Is this just a configuration problem at Yahoo?  I thought they were a leader in
the Domainkeys/DKIM area and it would seem strange if they didn't understand
their own protocol.

This is a configuration issue at the DKIM signer's end.  I tried to 
report the problem to Bellsouth.  As I did not get any response, I 
fixed the problem at my end.

Regards,
-sm 

_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
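
Added example, not part of the original message and not dkim-filter's code: how a verifier derives its single key lookup from the s= and d= tags of the signature above, and how the choice between tempfailing and accepting on a failed lookup changes the SMTP outcome seen in the log. The in-memory zone, the placeholder tag values, and the `on_dns_error` parameter (modelled on the On-DNSError setting named in the reply) are assumptions.

```python
import re

# Constructed stand-in for DNS so the example runs offline. Only the yahoo.com
# selector exists, as in the dig output in the thread; key data is a placeholder.
ZONE = {"s1024._domainkey.yahoo.com": "k=rsa; t=y; p=<PLACEHOLDER_KEY>"}

# Signature header from the thread, with bh=, h= and b= shortened to placeholders.
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n\td=bellsouth.net; s=s1024; "
          "t=1251295577; bh=<PLACEHOLDER>; h=Message-ID:Date:From; b=<PLACEHOLDER>")


def parse_tags(value):
    """Split a DKIM tag-list ("tag=value; ...") into a dict, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(tags):
    """The verifier's only lookup: <s>._domainkey.<d>, both taken from the signature."""
    if "s" not in tags or "d" not in tags:
        raise ValueError("signature lacks s= or d= tag")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def disposition(header_value, zone, on_dns_error="tempfail"):
    """Return (query name, SMTP action, dkim result) for one signature.

    on_dns_error is a hypothetical parameter for this sketch: "tempfail"
    reproduces the 451 in the log, "accept" lets the message through unsigned.
    """
    qname = key_query_name(parse_tags(header_value))
    if qname in zone:
        return qname, "continue", "key found, signature check follows"
    if on_dns_error == "accept":
        return qname, "accept", "neutral"
    return qname, "451 4.3.2 Please try again later", "neutral"


if __name__ == "__main__":
    for policy in ("tempfail", "accept"):
        print(policy, disposition(HEADER, ZONE, policy))
```

Nothing in the signature points the verifier at yahoo.com, so the lookup can only succeed once the signer publishes the selector under the domain it puts in d=.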