For your first question, look at the LocalADSP setting in your dkim-filter.conf configuration file (and its corresponding man page).

 

For your second question, I contacted Yahoo! to investigate this.  It turns out that dkim-milter’s library (libdkim) and also older versions of OpenDKIM’s library (libopendkim) contained a bug in relaxed body canonicalization, which is the mode Yahoo! uses.  OpenDKIM v1.2.0 contained a fix for this.  As they upgrade their servers to contain that patch, older software without the fix will begin getting verification errors from Yahoo!.  This is probably what you’ve been observing.


To date, dkim-milter has not been patched to include the fix.

 

-MSK

 

From: Howard Leadmon [mailto:howard@leadmon.net]
Sent: Wednesday, March 17, 2010 11:00 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: [dkim-milter-discuss] Couple Questions..

 

  I have had dkim-milter (as well as dk-milter) running for a while on my server, and on a couple clients servers, and have a couple questions hopefully someone can help with.

 

 First, and maybe I am just overlooking it, but is there a way in the configuration of dkim-milter to say, if mail is received saying it’s from xx.com domain (replace xx with your choice), then it must have a valid DKIM signature, and if not to reject/trash can the mail??

 

 I guess for example, I know Yahoo.com now supports DKIM, but we get tons of SPAM saying it’s from Yahoo.com, but in reality it’s from various hacked machines around the world, not yahoo.   Of course they don’t  include a DKIM signature, they just try and fake they are from yahoo.   So is there a setting so I can say if mail is being sent to me, and it says it’s from Yahoo.com, to then check for a DKIM signature (as I know real Yahoo mail will have one), and if it has an invalid signature, or no signature at all, then to trash can/reject the message.

 

 Issue in point, I have a client that keeps trying to bounce invalid rejects for SPAM being faked as from Yahoo back to yahoo saying it’s to invalid users on their server, but then Yahoo is blacking listing them for hammering them with reject messages.   So it just seemed that I should be able to use DKIM to eliminate that issue, any suggestions?

 

 

 

 Second question, I know as stated above that Yahoo is doing DKIM and DK signatures in their email, but  when I get a message in from Yahoo, it tells me the DK signature is good, but that the DKIM signature is bad.   If I send a message back to my Yahoo account, it tells me that my signatures are good.    Am I munging up Yahoo’s header without knowing it, or are they really sending out broken DKIM which is almost hard to believe.   I will include a header below, and see if anyone can help give me a clue on this one..

 

Return-Path: <wb3ffv@yahoo.com>

X-Spam-Checker-Version: SpamAssassin 3.3.0 (2010-01-18) on vorlon.leadmon.net

X-Spam-Level:

X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,

            DKIM_SIGNED,NML_ADSP_CUSTOM_MED,RCVD_IN_DNSWL_NONE,T_DKIM_INVALID,

            T_RP_MATCHES_RCVD autolearn=no version=3.3.0

Received: from web55305.mail.re4.yahoo.com (web55305.mail.re4.yahoo.com [206.190.58.184])

            by mail.leadmon.net (8.14.4/8.14.4/LNSG+SCOP+PSBL+LUBL+NJABL+SBL+DSBL+SORBS+CBL+RHSBL) with SMTP id o2GFTNRm021714

            for <howard@leadmon.net>; Tue, 16 Mar 2010 11:29:29 -0400 (EDT)

            (envelope-from wb3ffv@yahoo.com)

X-DKIM: Sendmail DKIM Filter v2.8.3 mail.leadmon.net o2GFTNRm021714

Authentication-Results: mail.leadmon.net; dkim=neutral

            (verification failed) header.i=@yahoo.com; x-dkim-adsp=none

X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 mail.leadmon.net o2GFTNRm021714

Authentication-Results: mail.leadmon.net; domainkeys=pass (testing) header.From=wb3ffv@yahoo.com

X-SenderID: Sendmail Sender-ID Filter v1.0.0 mail.leadmon.net o2GFTNRm021714

Authentication-Results: mail.leadmon.net; sender-id=none header.from=wb3ffv@yahoo.com; spf=none smtp.mfrom=wb3ffv@yahoo.com

Received: (qmail 60648 invoked by uid 60001); 16 Mar 2010 15:29:20 -0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;

            t=1268753360; bh=JecJQZ5crTJyCPPwhSdwHjvKlZ0J1eRmAioIi0cHFko=;

            h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Versio

            n:Content-Type;

            b=EFVEgrcR7xIkP2xmyZAOVMKuDGmz+I4PuDe0De7hHylz10HkeD/kSHM1726KapUxDyCLxEMCm

            xV/raxVZ1jd3JP6p5Px2cV4oMa5AKuA8gksffACxDlq4+Z04Ir6rFBm6L/Rh7TyTxdgdIRcsVSz

            OG1k5suwToUVgm2owbiKO8M=

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;

            h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Versio

            n:Content-Type;

            b=VqgR7lfgVono8S220TD5VtFEleOm7ghh4Qw0eJNuLR3AqqLnw7o27l6bDhVzjfvDOSFkmDECK

            ziIG3yS+3lFxO+qYdZNZPU+JKxR36grtBFc69NFIEcphgY8zIGWANYhIxZlhUYtzv1VUYFWYgBt

            APk5SPfDL7CF7aK2Ie022OM=;

Message-ID: <236850.59527.qm@web55305.mail.re4.yahoo.com>

X-YMail-OSG: Lk0c8nUVM1mZ_7Xj8gFaO7l902oEAsl6844PMAYUeKDotcGlsSnDhn9tCPNJnV2

            Q83dVpRU3JBpA1WqU24A4bcwfnkWLi5YfzoBMxN0mxjLxj8BKE3_nOybhP3FW0V5zkaZ2gyJAv3

            8Z_ZS8AH2jgy4rQgZwRuv0kR.BBFbyriRat4zOu7IvOCWxn8MAqx9jhxv1938pTvnLS33I2HLiv

            pa59zO.6yDMCjJycjxU7hM1RD3Z9zkTEVSvytx.ui520N96rt1yG1gckPpbSZTIrVBKtNGXuw1j

            urYEvZqVqyVWl4E02mz5pKxHhfZaTg--

Received: from [173.13.218.153] by web55305.mail.re4.yahoo.com via HTTP;

            Tue, 16 Mar 2010 08:29:20 PDT

X-Mailer: YahooMailRC/324.3 YahooMailWebService/0.8.100.260964

Date: Tue, 16 Mar 2010 08:29:20 -0700 (PDT)

From: Howard Leadmon <wb3ffv@yahoo.com>

Subject: testing...

To: howard@leadmon.net

MIME-Version: 1.0

Content-Type: text/plain;

            charset=us-ascii

X-TM-AS-Product-Ver: CSC-0-6.0.1038-17252

X-TM-AS-Result: No--1.87-4.50-31-1

X-Virus-Scanned: clamav-milter 0.95.3 at vorlon.leadmon.net

X-Virus-Status: Clean

 

 

 

 If I am doing something that is munging up the header, any ideas on fixing it, as for sure I’d like to have DKIM working well.

 

Thanks for any input, always appreciated…

 

 

---

Howard Leadmon - howard@leadmon.net