From: Tomasz C. <ma...@wp...> - 2009-02-13 18:57:40

I'm trying to verify my DKIM setup, but it doesn't seem to work.

Mails are signed, but when I check them i.e. with spamassassin, I get:

[21034] dbg: dkim: signing identity: @mydomain.tld, d=mydomain.tld, a=rsa-sha256, c=simple/simple
[21034] dbg: dkim: signature verification result: INVALID (PUBLIC KEY: NOT AVAILABLE)

Am I missing anything in my DNS entries?
They are below; I use bind9; I replaced the long key with dots so it fits here:

default._domainkey.mydomain.tld. 14400 IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0...."
_asp._domainkey.mydomain.tld. IN TXT "dkim=all"

-- 
Tomasz Chmielewski
http://wpkg.org
From: Tomasz C. <ma...@wp...> - 2009-02-13 19:18:21

Tomasz Chmielewski wrote:
> I'm trying to verify my DKIM setup, but it doesn't seem to work.
>
> Mails are signed, but when I check them i.e. with spamassassin, I get:
>
> [21034] dbg: dkim: signing identity: @mydomain.tld, d=mydomain.tld, a=rsa-sha256, c=simple/simple
> [21034] dbg: dkim: signature verification result: INVALID (PUBLIC KEY: NOT AVAILABLE)
>
>
> Am I missing anything in my DNS entries?
> They are below; I use bind9; I replaced the long key with dots so it fits here:
>
> default._domainkey.mydomain.tld. 14400 IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0...."
> _asp._domainkey.mydomain.tld. IN TXT "dkim=all"

Probably what's inserted in an email would be interesting as well:

X-DKIM: Sendmail DKIM Filter v2.8.1 mydomain.tld CCF1F980FC
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
	d=mydomain.tld; s=mydomain.tld; t=1234549656;
	bh=4pDpXBY8rCbX8+MfrklZzpQxaUsa3vSPUYjcDR3KAnU=;
	h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
	 Content-Transfer-Encoding;
	b=AbxD...
	r...
	c...k=

-- 
Tomasz Chmielewski
http://wpkg.org
From: SM <sm...@re...> - 2009-02-13 19:49:08

At 11:18 13-02-2009, Tomasz Chmielewski wrote:
>Probably what's inserted in an email would be interesting as well:
>
>X-DKIM: Sendmail DKIM Filter v2.8.1 mydomain.tld CCF1F980FC
>DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
>	d=mydomain.tld; s=mydomain.tld; t=1234549656;
>	bh=4pDpXBY8rCbX8+MfrklZzpQxaUsa3vSPUYjcDR3KAnU=;
>	h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
>	 Content-Transfer-Encoding;
>	b=AbxD...
>	r...
>	c...k=

What DKIM selector are you using?

Regards,
-sm
From: Tomasz C. <ma...@wp...> - 2009-02-13 19:52:04

SM wrote:
> At 11:18 13-02-2009, Tomasz Chmielewski wrote:
>> Probably what's inserted in an email would be interesting as well:
>>
>> X-DKIM: Sendmail DKIM Filter v2.8.1 mydomain.tld CCF1F980FC
>> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
>>	d=mydomain.tld; s=mydomain.tld; t=1234549656;
>>	bh=4pDpXBY8rCbX8+MfrklZzpQxaUsa3vSPUYjcDR3KAnU=;
>>	h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
>>	 Content-Transfer-Encoding;
>>	b=AbxD...
>>	r...
>>	c...k=
>
> What DKIM selector are you using?

default

-- 
Tomasz Chmielewski
http://wpkg.org
From: Tomasz C. <ma...@wp...> - 2009-02-13 19:59:52

Tomasz Chmielewski wrote:
> SM wrote:
>> At 11:18 13-02-2009, Tomasz Chmielewski wrote:
>>> Probably what's inserted in an email would be interesting as well:
>>>
>>> X-DKIM: Sendmail DKIM Filter v2.8.1 mydomain.tld CCF1F980FC
>>> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
>>>	d=mydomain.tld; s=mydomain.tld; t=1234549656;
>>>	bh=4pDpXBY8rCbX8+MfrklZzpQxaUsa3vSPUYjcDR3KAnU=;
>>>	h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
>>>	 Content-Transfer-Encoding;
>>>	b=AbxD...
>>>	r...
>>>	c...k=
>> What DKIM selector are you using?
>
> default

It seems to work if I make the following DNS entry (as I'm getting DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001):

mydomain.tld._domainkey.mydomain.tld. IN TXT "v=DKIM1; g=*; k=rsa; p=MIG..."

# dkim-testkey -d mydomain.tld -s mydomain.tld
# dkim-testkey -d mydomain.tld -s default
# dkim-testkey -d mydomain.tld -s blah
dkim-testkey: No key

And this is because I use "KeyList" in dkim-filter.conf:

## users. The selector used will be the filename portion of "keypath".
## Blank lines are ignored, and the hash ("#") character is interpreted
## as the beginning of a comment. See dkim-filter.conf(5) for more
## information.

So I guess, with these settings, everything is fine now?

-- 
Tomasz Chmielewski
http://wpkg.org
From: SM <sm...@re...> - 2009-02-13 20:15:03

At 11:52 13-02-2009, Tomasz Chmielewski wrote:
>default

According to your DKIM-Signature, it's mydomain.tld.

Regards,
-sm
From: Murray S. K. <ms...@se...> - 2009-02-13 20:38:31

On Fri, 13 Feb 2009, Tomasz Chmielewski wrote:
> Probably what's inserted in an email would be interesting as well:
>
> X-DKIM: Sendmail DKIM Filter v2.8.1 mydomain.tld CCF1F980FC
> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
>	d=mydomain.tld; s=mydomain.tld; t=1234549656;
>	bh=4pDpXBY8rCbX8+MfrklZzpQxaUsa3vSPUYjcDR3KAnU=;
>	h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
>	 Content-Transfer-Encoding;
>	b=AbxD...
>	r...
>	c...k=

Note the selector you're using. That means verifiers are trying to look up
mydomain.tld._domainkey.mydomain.tld when looking for your public key.

Your key is in the right place in DNS, but your filter is configured
incorrectly.

You've either got "-s mydomain.tld" on the command line, "Selector
mydomain.tld" in the config file, or the filename of your key in the
keylist is "mydomain.tld" (possibly with ".private" or ".pem" tacked onto
the end). The solution for the first two is to fix the obvious mistake;
the solution for the latter is to rename your key file to "default" or
"default.private" or "default.pem".
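An added example (not code from this thread or from the dkim-milter project) of the lookup Murray describes: a verifier reads only the s= and d= tags of the DKIM-Signature and queries TXT at <selector>._domainkey.<domain>, so a signature carrying s=mydomain.tld sends it to mydomain.tld._domainkey.mydomain.tld, where nothing is published. The script runs the posted signature and a corrected one against a constructed in-memory copy of the zone from the first message; the truncated p= value is replaced by a placeholder that is valid base64 but not an RSA key, and the status strings only echo SpamAssassin's wording where one exists.

```python
"""Added example, not code from this thread or from the dkim-milter project:
how a verifier turns the s= and d= tags of a DKIM-Signature into the DNS
name of the public key, run against a constructed in-memory zone."""
import base64
import binascii
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for the zone in the first message. The truncated
# "p=MIGfMA0...." is replaced by a placeholder blob that is valid base64
# but is NOT an RSA public key; everything else matches the posted records.
PLACEHOLDER_KEY = base64.b64encode(b"placeholder, not an RSA public key").decode()
ZONE: Dict[str, str] = {
    "default._domainkey.mydomain.tld": "v=DKIM1; g=*; k=rsa; p=" + PLACEHOLDER_KEY,
    "_asp._domainkey.mydomain.tld": "dkim=all",
}

# The DKIM-Signature value quoted in the thread, folded as it appeared in the
# mail, with the long b= value cut down to a placeholder.
SIG_AS_POSTED = (
    "v=1; a=rsa-sha256; c=simple/simple;\n"
    "\td=mydomain.tld; s=mydomain.tld; t=1234549656;\n"
    "\tbh=4pDpXBY8rCbX8+MfrklZzpQxaUsa3vSPUYjcDR3KAnU=;\n"
    "\th=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:\n"
    "\t Content-Transfer-Encoding;\n"
    "\tb=AbxD"
)
# The same signature with the selector the poster meant to use.
SIG_SELECTOR_FIXED = SIG_AS_POSTED.replace("s=mydomain.tld;", "s=default;")


def parse_tag_list(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (signature header or key record) into a
    dict. Header folding and whitespace inside values are discarded."""
    value = re.sub(r"\r?\n[ \t]*", "", value)
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        name, val = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(sig: Dict[str, str]) -> str:
    """Verifiers query TXT at <selector>._domainkey.<signing domain>. Nothing
    else in the signature says where to look, so a wrong s= means no key."""
    for tag in ("d", "s"):
        if not sig.get(tag):
            raise ValueError("DKIM-Signature lacks a %s= tag" % tag)
    return "%s._domainkey.%s" % (sig["s"], sig["d"])


def fetch_key(sig_header: str, zone: Dict[str, str]) -> Tuple[str, str, Optional[Dict[str, str]]]:
    """Return (query name, status, parsed key record or None)."""
    sig = parse_tag_list(sig_header)
    signed = {h.strip().lower() for h in sig.get("h", "").split(":")}
    if "from" not in signed:              # RFC 4871 requires From to be signed
        return "", "INVALID (From: not covered by h=)", None
    name = key_record_name(sig)
    txt = zone.get(name)
    if txt is None:
        return name, "INVALID (PUBLIC KEY: NOT AVAILABLE)", None
    key = parse_tag_list(txt)
    if key.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        return name, "INVALID (PUBLIC KEY: NOT A DKIM KEY)", key
    if not key.get("p"):                  # empty or missing p= means the key is revoked
        return name, "INVALID (PUBLIC KEY: REVOKED)", key
    if not sig.get("a", "").startswith(key.get("k", "rsa") + "-"):
        return name, "INVALID (PUBLIC KEY: ALGORITHM MISMATCH)", key
    try:
        base64.b64decode(key["p"], validate=True)
    except binascii.Error:
        return name, "INVALID (PUBLIC KEY: BAD BASE64)", key
    return name, "PASS", key


if __name__ == "__main__":
    for label, hdr in (("as posted", SIG_AS_POSTED), ("selector fixed", SIG_SELECTOR_FIXED)):
        name, status, _ = fetch_key(hdr, ZONE)
        print("%-15s %-40s %s" % (label, name, status))
```

Run stand-alone it prints the two query names side by side: the posted signature resolves to mydomain.tld._domainkey.mydomain.tld and comes back NOT AVAILABLE, the corrected one resolves to default._domainkey.mydomain.tld and passes the key-record checks. Only the first step of verification is modelled here; the placeholder p= cannot be used to check a real b= value.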
From: Tomasz C. <ma...@wp...> - 2009-02-13 20:47:10

Murray S. Kucherawy wrote:
> On Fri, 13 Feb 2009, Tomasz Chmielewski wrote:
>> Probably what's inserted in an email would be interesting as well:
>>
>> X-DKIM: Sendmail DKIM Filter v2.8.1 mydomain.tld CCF1F980FC
>> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
>>	d=mydomain.tld; s=mydomain.tld; t=1234549656;
>>	bh=4pDpXBY8rCbX8+MfrklZzpQxaUsa3vSPUYjcDR3KAnU=;
>>	h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
>>	 Content-Transfer-Encoding;
>>	b=AbxD...
>>	r...
>>	c...k=
>
> Note the selector you're using. That means verifiers are trying to look
> up mydomain.tld._domainkey.mydomain.tld when looking for your public key.
>
> Your key is in the right place in DNS, but your filter is configured
> incorrectly.
>
> You've either got "-s mydomain.tld" on the command line, "Selector
> mydomain.tld" in the config file, or the filename of your key in the
> keylist is "mydomain.tld" (possibly with ".private" or ".pem" tacked onto
> the end). The solution for the first two is to fix the obvious mistake;
> the solution for the latter is to rename your key file to "default" or
> "default.private" or "default.pem".

I use multiple domains. Therefore, I have:

KeyList filename

in my config file.

So I can't have the key file called "default" for all of them, their names have to be unique.

Isn't using the domain name in that case the most obvious solution (and everyone will have to look up mydomain.tld._domainkey.mydomain.tld for each domain)?

Or, what do you suggest?

-- 
Tomasz Chmielewski
http://wpkg.org
From: SM <sm...@re...> - 2009-02-13 19:49:04

At 10:57 13-02-2009, you wrote:
>I'm trying to verify my DKIM setup, but it doesn't seem to work.
>
>Mails are signed, but when I check them i.e. with spamassassin, I get:
>
>[21034] dbg: dkim: signing identity: @mydomain.tld, d=mydomain.tld,
>a=rsa-sha256, c=simple/simple
>[21034] dbg: dkim: signature verification result: INVALID (PUBLIC
>KEY: NOT AVAILABLE)

The public key in DNS is not available.

>Am I missing anything in my DNS entries?

It's not possible to troubleshoot DNS issues without valid information.

Regards,
-sm
From: Murray S. K. <ms...@se...> - 2009-02-13 21:16:57

On Fri, 13 Feb 2009, Tomasz Chmielewski wrote:
> So I can't have the key file called "default" for all of them, their
> names have to be unique.

Why not? You could have a "default" selector in each domain, all using the
same key if that's what you want.

> Isn't using the domain name in that case the most obvious solution (and
> everyone will have to look up mydomain.tld._domainkey.mydomain.tld for
> each domain)?

That will work, if that's what you want to do. But if you want to change
the key for one domain later, what would you call it? Replacing the key
in the DNS record without renaming it invalidates all signed mail in
transit at the time you do so.

> Or, what do you suggest?

Depends on what you want to do.

If each domain should have a unique key called "default", you could have a
directory called (for example) /var/dkim-keys which contains a
subdirectory for each domain, and put the private key for each domain in
a file called "default" in that domain's subdirectory. So:

/var/dkim-keys/<domain1>/default
/var/dkim-keys/<domain2>/default
...etc.

If you have some other scheme, try describing it and I can see about
proposing some other alternative.
From: Tomasz C. <ma...@wp...> - 2009-02-14 13:09:48

Murray S. Kucherawy wrote:
> On Fri, 13 Feb 2009, Tomasz Chmielewski wrote:
>> So I can't have the key file called "default" for all of them, their
>> names have to be unique.
>
> Why not? You could have a "default" selector in each domain, all using
> the same key if that's what you want.

How do I make a key that is valid for all domains?

dkim-genkey seems to require -d <domain> option.

I tried to use one domain's key for another (same private key for signing, same public key in DNS), but I get:

Authentication-Results: my.mta.tld (amavisd-new); dkim=softfail (fail, OpenSSL error: data too large for key size) header.i=@mydomain.tld
DKIM-Signature: v=1; a=rsa-sha1; c=; d=mydomain.tld; h=message-id
	:date:from:mime-version:to:subject:content-type:
	content-transfer-encoding; s=default; bh=u...
	1Wic=; b=Qw+...
	...
	...Fw=

For the first domain, signing and verification works fine.

-- 
Tomasz Chmielewski
http://wpkg.org