#2 DK signature confirmed BAD

v0.3.3
closed
Other (4)
5
2014-06-30
2009-01-27
Daniel Frunza
No

I implemented versions 1.0.1 and 0.3.3 (actually on the server) on a domain, but every time I have received:
Authentication System: Domain Keys
Result: DK signature confirmed BAD
Description: Signature verification failed, message may have been
tampered with or corrupted
Reporting host: sendmail.net
Compiling is set with
/usr/local/ssl/bin/openssl version
OpenSSL 0.9.8j 07 Jan 2009
in Makefile.m4
APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include ')
APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib ')
for dk-filter, devtools/Site and libdk
The private key folder is owned by dkim with mode 0700 and the file has mode 0600.
Key pair is 1024.

Signature in mail is
X-DomainKeys: Sendmail DomainKeys Filter v0.3.3 server.agrotransport.ro n0R9X38a027352
DomainKey-Signature: a=rsa-sha1; s=mail; d=agrotransport.ro; c=simple; q=dns;
b=Eh5aHhyao/OTqkyY0UcaRsjdPfe9PU9AVXYeo8xGaQ7Z/5RkN9L2nQPtl/0rtwdKM
coGnBXfv5R0GOKrJTTm0jORwImjiTIfqZZ7jvPfo71ojqL0JmovAUY7EyvbIqJF2vzH
5Z7/JTzHLDcBoV2d+6XLfUAv3I4w+3mj9q93/jc=

Discussion

  • v0.3.3 which you appear to be running is very old and buggy, so I'm not surprised it doesn't work. Please try it again with v1.0.1 installed.

    You should also consider switching to DKIM, since that's the standard going forward and the code in that filter is far more stable.

     
    • assigned_to: nobody --> sm-msk
    • milestone: --> v0.3.3
    • status: open --> pending
     
  • Daniel Frunza
    2009-01-28

    Thanks for the reply.
    I recompiled dk-milter 1.0.1, edited devtools/Site/site.config.m4, dk-filter/Makefile.m4, libdk/Makefile.m4 and added the path to the new version of ssl 0.9.8
    APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include ')
    APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib ')
    and started dk-filter with
    /usr/bin/dk-filter -H -h -l -p inet:8890@localhost -d agrotransport.ro -s /var/db/domainkeys/mail.key.pem -S mail -u dkim -i /etc/dk_filter_a.cf
    but the result is
    Authentication System: DomainKeys Identified Mail
    Result: DKIM signature confirmed GOOD
    Description: Signature verified, message arrived intact
    Reporting host: sendmail.net
    More information: http://mipassoc.org/dkim/
    Sendmail milter: https://sourceforge.net/projects/dkim-milter/

    Authentication System: Domain Keys
    Result: DK signature confirmed BAD
    Description: Signature verification failed, message may have been
    tampered with or corrupted
    Reporting host: sendmail.net
    More information: http://antispam.yahoo.com/domainkeys
    Sendmail milter: https://sourceforge.net/projects/domainkeys-milter/
    I should mention that I already use dkim, but dkim is only verifying Yahoo DomainKeys; I want to sign mail for Yahoo DomainKeys verification, and that's why I also want to use dk-milter. Or is there any other solution to sign mail for Yahoo with dkim-milter?

     
  • Daniel Frunza
    2009-01-28

    • status: pending --> open
     
  • Daniel Frunza
    2009-01-28

    If necessary, I am adding part of the header sent to sa-test@sendmail.net

    X-DomainKeys: Sendmail DomainKeys Filter v1.0.1 server.agrotransport.ro n0S7VmRB007432
    DomainKey-Signature: a=rsa-sha1; s=mail; d=agrotransport.ro; c=simple; q=dns;
    h=received:x-authentication-warning:received:message-id:date:
    subject:from:to:user-agent:mime-version:content-type:
    content-transfer-encoding:x-priority:importance;
    b=TKNwrZBfvE6mdepL/20CdwBnBWtubb7u2XMP8UmHuKaZYJEfDGFk70vIYOaIuL7Ig
    +laFMJ/hMp0guEpt7xmTBSAzj+fMPLpHrt3Hwgo9tUX+Avag9aIw6e9BF0zv8J1i5dF
    PNMPm5eznHAHJWUk/qQpDJefRNyfRuPBf+qGdJ0=

     
  • Your signature will be reported BAD if the message changed between the time it was signed and the time it got to Yahoo! or whatever verifier receives it.

    Your message can be changed by a number of things. Assuming you're using sendmail as your MTA, the "masquerade" features of the MTA will cause problems, as will any filter you have running which modifies the message by adding or changing headers or the body. If you send mail with extra spaces in certain headers, the MTA will remove them, which can break the signature. You need to make sure none of these are happening.

    You could also try changing your canonicalization mode to "nofws" which can withstand some of the minor changes like adjustments to spacing in the header of your message.

    If that still fails, you'll need to get a verifier set up which will return the signed form to you so that you can compare it to the local copy of your signed form. If you're still stuck after trying the above, I (or someone on the dk-milter-discuss list) can probably help you out.

     
    • status: open --> pending
     
  • Daniel Frunza
    2009-01-28

    Finally, I can sign with dk-filter; the main problem was SquirrelMail.

     
  • Daniel Frunza
    2009-01-28

    • status: pending --> open
     
  • Daniel Frunza
    2009-01-28

    Supplemental information:
    - use the -H option on startup of dk-filter to see what is included in the signature.
    - verify what the destination verifier sees (look at the "h" argument and the rows included in the mail header that you sent, and compare whether they are the same).
    - if you use different milters with sendmail (SPF, antivirus, spamassassin), put dk-filter at the end of the list.

     
  • Resolved by user.

     
    • status: open --> closed
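
The comparison suggested in the thread (local signed form against the copy the verifier saw, under "simple" and "nofws"), as an added example that is not part of the original thread or of dk-milter. It is a simplified model of DomainKeys header canonicalization that assumes an h= tag is present and that only headers below the signature are covered; the function names, messages and example.test addresses are constructed for illustration.

```python
def parse_headers(raw):
    """Split the header block into [name, [physical lines]] in message order."""
    headers = []
    for line in raw.splitlines():
        if line == "":
            break                                   # blank line ends the headers
        if line[0] in " \t" and headers:
            headers[-1][1].append(line)             # continuation line
        else:
            headers.append([line.split(":", 1)[0].strip().lower(), [line]])
    return headers

def canonicalize(lines, mode):
    """Simplified model of DomainKeys 'simple' / 'nofws' for one header."""
    if mode == "nofws":                             # unfold, drop all spaces and tabs
        return "".join(c for c in "".join(lines) if c not in " \t") + "\r\n"
    return "".join(l + "\r\n" for l in lines)       # simple: text kept as sent

def signed_names(raw):
    """Header names from the h= tag of the DomainKey-Signature header."""
    for name, lines in parse_headers(raw):
        if name == "domainkey-signature":
            value = "".join(lines).split(":", 1)[1]
            tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
            return [n.strip().lower() for n in tags.get("h", "").split(":") if n.strip()]
    return []

def changed_headers(signed_copy, received_copy, mode):
    """Signed headers whose canonical form differs between the two copies."""
    def canon_after_signature(raw):                 # assumption: headers above the
        out, seen = {}, False                       # signature are not covered
        for name, lines in parse_headers(raw):
            if seen:
                out.setdefault(name, []).append(canonicalize(lines, mode))
            seen = seen or name == "domainkey-signature"
        return out
    a, b = canon_after_signature(signed_copy), canon_after_signature(received_copy)
    return [n for n in dict.fromkeys(signed_names(signed_copy)) if a.get(n) != b.get(n)]

# Constructed sample: local signed copy, and the copy a verifier mailed back.
SIGNED = ("DomainKey-Signature: a=rsa-sha1; s=mail; d=example.test; c=simple; q=dns;\n"
          "\th=message-id:date:subject:from:to;\n"
          "\tb=PLACEHOLDER\n"
          "Message-ID: <1@server.example.test>\n"
          "Date: Wed, 28 Jan 2009 10:00:00 +0200\n"
          "Subject:  DK   test\n"
          "From: user@server.example.test\n"
          "To: check@verifier.example\n\nbody\n")
RECEIVED = ("Received: from server.example.test by verifier.example\n"
            + SIGNED.replace("Subject:  DK   test", "Subject: DK test")
                    .replace("user@server.example.test", "user@example.test"))
```

On this sample, `changed_headers(SIGNED, RECEIVED, "simple")` reports `subject` and `from`, while `"nofws"` reports only `from`: the collapsed spacing is tolerated, the rewritten sender address is not.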