dkim-ops

Re: [dkim-ops] Yahoo/BellSouth configuration

2009-08-26 14:27:37
[Wow, this is really a blast from the past...I remember your name from 
back when I was a student at WRHS and we were using first a Spectra 70 
and then a KA10 at WPI. But I'm probably dating both of us...]

I'm not entirely happy with all of the defaults for handling DNS 
failures. The CONFIGURATION section of the dkim-filter manpage says "In 
the interests of minimal initial impact, the defaults for badsignature 
and nosignature are accept, and the default for the others is tempfail." 
Which means that if it can't access the key record, it'll tempfail the 
message, which I don't consider minimal initial impact.

I have my filter (2.8.1 currently) set up to override the defaults for 
those failures. Here are my command line arguments:
DKIM_ARGS="-l -d bluepopcorn.net -D -p inet:8890@localhost -k /var/db/domainkeys/buttered.key.pem -s buttered -c relaxed -C bad=accept,dns=accept,int=accept,no=accept,sec=accept"

So I'm still accepting the message on any type of failure.

-Jim

Allan E. Johannesen wrote:
I recently started signing our email with DKIM and started using a dkim filter
for our inbound mail.

We are a university and I got a complaint from certain parents who became
unable to email their son, a student here.

The parents also tried emailing our helpdesk, which also failed.  This appears
in our logs:

Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: 
from=<parent(_at_)bellsouth(_dot_)net>, size=3440, class=0, nrcpts=1, 
msgid=<888823(_dot_)25503(_dot_)qm(_at_)web180614(_dot_)mail(_dot_)sp1(_dot_)yahoo(_dot_)com>,
 proto=SMTP, daemon=MTA, relay=web180614.mail.sp1.yahoo.com [68.180.196.150]
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: header: 
X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: header: 
Received-SPF: Neutral (SMTP.WPI.EDU: 68.180.196.150 is neither 
permitted\n\tnor denied by domain of 
parent(_at_)bellsouth(_dot_)net)\n\treceiver=SMTP.WPI.EDU; 
client-ip=68.180.196.150;\n\tenvelope-from=<parent(_at_)bellsouth(_dot_)net>; 
helo=web180614.mail.sp1.yahoo.com;
Aug 24 11:33:47 SMTP dkim-filter[11907]: n7OFXfCD009611: key retrieval failed 
(s=s1024, d=bellsouth.net): `s1024._domainkey.bellsouth.net' record not found
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert (1): 
header: Authentication-Results:  SMTP.WPI.EDU; 
dkim=neutral\n\theader(_dot_)i=(_at_)bellsouth(_dot_)net; x-dkim-adsp=none
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert (1): 
header: X-DKIM:  Sendmail DKIM Filter v2.8.3 SMTP.WPI.EDU n7OFXfCD009611
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter: data, reject=451 
4.3.2 Please try again later
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: 
to=<helpdesk(_at_)WPI(_dot_)EDU>, delay=00:00:00, pri=33440, stat=Please try 
again later

"parent" is not the address at bellsouth.  It gives "ok" from their mail server,
so maybe parent is somebody, but it's not them.

The parents claimed they were unable to get any help from Yahoo or BellSouth
about this issue.  Those helpdesk people claimed that the problem was here at
WPI.

I thought that the parents had gotten onto yahoo by mistake and were sending a
bellsouth message, causing the trouble, but I found a mention of "netscape
mail" on the bellsouth.net Internet mail FAQ, and that leads me to suspect that
maybe Yahoo is really officially carrying BellSouth customers' email.  Maybe
that's a bad guess of mine.

I turned off the DKIM filter, since I can't see the message until I do that.

A message from them to me had this header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; 
s=s1024; t=1251295577; bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=; 
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;
b=NtTZuqgdUa6AbMvBYLAcplSRLag1MYv64CaLP9tngtSO4p7uuclGatImb9L7aRHaLFlXH1LXPHPDH7DN05y4/JwxZSyg1lJND9iaNejALpGTeyuBSSE1NjBWAhh97Z1vpSWVEqvZL6x7q7JmBJVxy8dMrpqdRg92ahgXJgUYJc0=

The problem is that bellsouth.net has no selector named s1024.  However,
yahoo.com does:

# dig s1024._domainkey.yahoo.com txt

; <<>> DiG 9.3.4-P1 <<>> s1024._domainkey.yahoo.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39073
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;s1024._domainkey.yahoo.com.  IN      TXT

;; ANSWER SECTION:
s1024._domainkey.yahoo.com. 86400 IN  TXT     "k=rsa\; t=y\; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrEee0Ri4Juz+QfiWYui/E9UGSXau/2P8LjnTD8V4Unn+2FAZVGE3kL23bzeoULYv4PeleB3gfm"
 
"JiDJOKU3Ns5L4KJAUUHjFwDebt0NP+sBK0VKeTATL2Yr/S3bT/xhy+1xtj4RkdV7fVxTn56Lb4udUnwuxK4V5b5PdOKj/+XcwIDAQAB\;
 n=A 1024 bit key\;"

So, my question is about how our DKIM filter is supposed to know to check
yahoo.com when given a domain of bellsouth.com in the DKIM-Signature?

Is there a newer version than dkim-milter-2.8.3 which might understand some new
magic about how to translate domain names given in the DKIM header?

Is this just a configuration problem at Yahoo?  I thought they were a leader in
the Domainkeys/DKIM area and it would seem strange if they didn't understand
their own protocol.
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
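
Added example, not part of the original messages and not dkim-filter code: a verifier builds the key lookup name from the s= and d= tags of the signature alone, so the header above leads to s1024._domainkey.bellsouth.net and never to yahoo.com; the failure policy then decides between tempfail and accept. The function names, the ZONE table and the placeholder bh=/b=/p= values are constructed for illustration, and treating a missing key record as the "dns" class is an assumption of this sketch.

```python
# Added example with constructed data; not dkim-filter source code.
import re

# Defaults as quoted from the manpage: bad/no accept, the others tempfail.
DEFAULTS = {"bad": "accept", "no": "accept",
            "dns": "tempfail", "int": "tempfail", "sec": "tempfail"}
# The -C override string from the reply above.
ACCEPT_ALL = "bad=accept,dns=accept,int=accept,no=accept,sec=accept"

# Constructed stand-in for DNS: only the yahoo.com selector exists.
ZONE = {"s1024._domainkey.yahoo.com": "k=rsa; t=y; p=PLACEHOLDER"}

# d=, s= and t= are from the header on this page; bh= and b= are placeholders.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net;\r\n"
             " s=s1024; t=1251295577; bh=PLACEHOLDER=; b=PLACEHOLDER=")

def parse_policy(spec=""):
    """Apply a -C style 'class=action,...' string on top of the defaults."""
    policy = dict(DEFAULTS)
    for item in filter(None, spec.split(",")):
        name, _, action = item.partition("=")
        if name not in policy or not action:
            raise ValueError(f"bad policy item: {item!r}")
        policy[name] = action
    return policy

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(tags):
    """The key lookup is built from s= and d= of the signature only."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check(value, zone, policy):
    """Return (query name, failure class or None, action or None)."""
    tags = parse_tags(value)
    if "s" not in tags or "d" not in tags:
        return None, "bad", policy["bad"]
    qname = key_query_name(tags)
    if qname in zone:
        return qname, None, None  # key found; signature math not modelled
    return qname, "dns", policy["dns"]  # assumption: missing key -> "dns"
```

Calling check(SIGNATURE, ZONE, parse_policy()) gives the tempfail seen in the log, and passing parse_policy(ACCEPT_ALL) gives accept for the same message.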
  
