#10 DKIM signature failing

closed
opendkim (10)
5
2013-01-07
2012-10-31
Joe Miller
No

I've installed opendkim on CentOS 6.3. It's running via postfix. I've managed to get the DKIM signature working, and have created the corresponding DNS entry to match it.
My problem is that the verification is still not working. I've checked the process using http://www.brandonchecketts.com/ and get the following:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=northernculture.co.uk; s=default; t=1351695375;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
b=ODeZFiK/4Lzi4TFNCfQW1AVzkzY1bmT5ZowL1eJbw2boOgDl3QzBuACYHwpUhIVYy
Qcd4Tz+tq4Uai4Nih+ZL0rqThZqOanVFDV29mctSlF/PH4bxhqNOClTxy+TbePlK2T
MFKRyDsJ0R0KnTHtkIKrfBaKUKRIsDNd4upl6e7E=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=northernculture.co.uk; s=default; t=1351695373;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
b=RlrcloolpmIYd/MJ9uLHP/0MKJKMUtXwmd1iwfGuxl6TwAKUoLuye7cGXQH4oxHDV
yFiKjVQGjZqc01CnrF1QLShSyyxd2rg1abPkbGJ/n8W/+4UyhZwrz7ccMq/WCZgSif
O+3auNejlDzPcp8HCUPtkS4oj7m6J+U97C3faSEU=

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/simple
d= Domain: northernculture.co.uk
s= Selector: default
q= Protocol:
bh= frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=
h= Signed Headers: Date:From:To
b= Data: ODeZFiK/4Lzi4TFNCfQW1AVzkzY1bmT5ZowL1eJbw2boOgDl3QzBuACYHwpUhIVYy
Qcd4Tz+tq4Uai4Nih+ZL0rqThZqOanVFDV29mctSlF/PH4bxhqNOClTxy+TbePlK2T
MFKRyDsJ0R0KnTHtkIKrfBaKUKRIsDNd4upl6e7E=

Public Key DNS Lookup

Building DNS Query for default._domainkey.northernculture.co.uk
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCobNbY44t/jIXZxXCmN78OalxvteJ3ufOD071iKiXbiSoNPEahaf4iVH7fT9K1NxSq2OYgXrUGWi2VWFJxFqo9XnHBZBN1xU4iPjd4oS5FOcIXSvAmT4kr9WosJ+whkSLem4hAqR8S4Iw9ie3VV2huxGpDcWymxJbwZbfotjxSbQIDAQAB
Validating Signature

result = fail
Details: bad RSA signature

I'm at a loss to work out where this is going wrong. Can anyone suggest where I can look for a solution?

Discussion

  • opendkim comes with a tool called opendkim-testkey that can be used to confirm that the private key with which you're signing and the public key you have in the DNS match up. Give it a try with your setup and see what it tells you.

    You can also try emailing an autoresponder (see opendkim/README for a list of some) to see if they verify your signed mail.

     
    • status: open --> pending
     
    • summary: Dkim signature failing --> DKIM signature failing
     
  • Joe Miller
    2012-11-01

    • status: pending --> open
     
  • Joe Miller
    2012-11-01

    Hi, thanks for your help. I've tried opendkim-testkey, it shows no errors. I've tried this command:

    opendkim-testkey -d northernculture.co.uk -s default -k /etc/opendkim/keys/northernculture.co.uk/default.private -v -v

    to specify the private key file, and this:

    opendkim-testkey -d northernculture.co.uk -s default -k -v -v

    which should use the keytable that I've set up.
    Here are some autoresponder replies:

    autorespond+dkim@dk.elandsys.com says
    **************************************************************************************
    **************************************************************************************
    DKIM Signature validation: permerror
    DKIM Author Domain Signing Practices: "dkim=unknown"

    ADSP is not required for DKIM signature validation.
    Information about DKIM is available at http://www.elandsys.com/resources/mail/dkim/opendkim.html
    Information about ADSP is available at http://www.elandsys.com/resources/mail/dkim/opendkim.html

    Information about dkim-milter is available at http://www.elandsys.com/resources/sendmail/dkim.html

    Information about DomainKeys is available at http://www.elandsys.com/resources/sendmail/domainkeys.html

    Original message:
    Received: from mail.northernculture.co.uk (mail.northernculture.co.uk [31.222.190.92])
    by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id qA175iPi012680
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
    for <autorespond+dkim@dk.elandsys.com>; Thu, 1 Nov 2012 00:05:51 -0700 (PDT)
    Authentication-Results: mx.elandsys.com; dkim=permerror
    reason="verification error: signature timestamp in the future"
    header.i=@northernculture.co.uk header.b=MncRRps7;
    dkim-adsp=unknown (insecure policy)
    Received: from localhost (unknown [127.0.0.1])
    by mail.northernculture.co.uk (Postfix) with ESMTP id E6E754269E
    for <autorespond+dkim@dk.elandsys.com>; Thu, 1 Nov 2012 07:08:59 +0000 (UTC)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
    d=northernculture.co.uk; s=default; t=1351753740;
    bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
    b=MncRRps7LT4lfi5WJL+sOAEO+0X629EUBnRHbNv7Ticg/BrcibK2a0QtMohmcxDaa
    aBm4Xw93KpZ4uKgID54ALESFZuQtC/89JIvoQ331pDzcqQV/DT9T2wHBSCIMroTYeH
    kH4RCkHL1U+t+OpOgiHicninZFpi7CBEn/ae7hK4=
    X-Virus-Scanned: amavisd-new at mail.northernculture.co.uk
    Received: from mail.northernculture.co.uk ([127.0.0.1])
    by localhost (mail.northernculture.co.uk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id auygqKWoQ1D1 for <autorespond+dkim@dk.elandsys.com>;
    Thu, 1 Nov 2012 07:08:58 +0000 (UTC)
    Received: from [192.168.1.70] (host86-174-120-39.range86-174.btcentralplus.com [86.174.120.39])
    (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.northernculture.co.uk (Postfix) with ESMTPSA id 2EBF24269D
    for <autorespond+dkim@dk.elandsys.com>; Thu, 1 Nov 2012 07:08:57 +0000 (UTC)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
    d=northernculture.co.uk; s=default; t=1351753738;
    bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
    b=WO8NgQpp+/jJGxbrJJRQBnNq2cym/CN1CmWYsp1KfExqq+AUabn6aqg1P3PgfzB8f
    7moZe1wZ3x0NAhex2JhRbW5zJB0A0A2Ws/jD45oGJa/JuCusn7ByoJYdwjInj3UsSB
    ux1LE0hGdCVglbmVweE1IkuxUJDOMiL0H3iRB65c=
    Message-ID: <50921F3F.6030805@northernculture.co.uk>
    Date: Thu, 01 Nov 2012 07:05:35 +0000
    From: Joe Miller <admin@northernculture.co.uk>
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121028 Thunderbird/16.0.2
    MIME-Version: 1.0
    To: autorespond+dkim@dk.elandsys.com
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    **************************************************************************************
    **************************************************************************************

    dktest@exhalus.net says:
    **************************************************************************************
    **************************************************************************************
    .mechanism DomainKeys
    information: http://antispam.yahoo.com/domainkeys
    reflector spec: rfc4870
    auth result: neutral (no signature)
    .mechanism DomainKeys Identified Mail
    information: http://dkim.org
    reflector spec: rfc4871
    draft-allman-dkim-ssp-01
    auth result: suspicious (multiple invalid signatures)
    **************************************************************************************
    **************************************************************************************

    check-auth@verifier.port25.com says:
    **************************************************************************************
    **************************************************************************************
    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    ==========================================================
    Details:
    ==========================================================

    HELO hostname: mail.northernculture.co.uk
    Source IP: 31.222.190.92
    mail-from: admin@northernculture.co.uk

    ----------------------------------------------------------
    SPF check details:
    ----------------------------------------------------------
    Result: pass
    ID(s) verified: smtp.mailfrom=admin@northernculture.co.uk
    DNS record(s):
    northernculture.co.uk. SPF (no records)
    northernculture.co.uk. 86400 IN TXT "v=spf1 mx ip4:31.222.190.9 ptr:mail.northernculture.co.uk mx:mail.northernculture.co.uk -all"
    northernculture.co.uk. 3600 IN MX 10 mail.northernculture.co.uk.
    mail.northernculture.co.uk. 3600 IN A 31.222.190.92

    ----------------------------------------------------------
    DomainKeys check details:
    ----------------------------------------------------------
    Result: neutral (message not signed)
    ID(s) verified: header.From=admin@northernculture.co.uk
    DNS record(s):

    ----------------------------------------------------------
    DKIM check details:
    ----------------------------------------------------------
    Result: pass (matches From: admin@northernculture.co.uk)
    ID(s) verified: header.d=northernculture.co.uk
    Canonicalized Headers:
    date:Thu,'20'01'20'Nov'20'2012'20'07:05:19'20'+0000'0D''0A'
    from:Joe'20'Miller'20'<admin@northernculture.co.uk>'0D''0A'
    to:check-auth@verifier.port25.com'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=northernculture.co.uk;'20's=default;'20't=1351753729;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=Date:From:To;'20'b=

    Canonicalized Body:
    '0D''0A'

    DNS record(s):
    default._domainkey.northernculture.co.uk. 86400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/ADuqMPgIq6egTn0RL1+8AJMPfsPm/ukcdquFqxeHpic3sfH1HOepMw5eHMrv0zhyESeTmMf+Rxjmd5o6/kC3qwyM+1RS+NXr3zwke8k/2j2CH9wJ78WBjZJu2woVb0nogeKcdTYoGeMPRHV+detwqBwPbsrc3tIhzT1MZ1qv5QIDAQAB"

    NOTE: DKIM checking has been performed based on the latest DKIM specs
    (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
    older versions. If you are using Port25's PowerMTA, you need to use
    version 3.2r11 or later to get a compatible version of DKIM.

    ----------------------------------------------------------
    DKIM check details:
    ----------------------------------------------------------
    Result: pass (matches From: admin@northernculture.co.uk)
    ID(s) verified: header.d=northernculture.co.uk
    Canonicalized Headers:
    date:Thu,'20'01'20'Nov'20'2012'20'07:05:19'20'+0000'0D''0A'
    from:Joe'20'Miller'20'<admin@northernculture.co.uk>'0D''0A'
    to:check-auth@verifier.port25.com'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=northernculture.co.uk;'20's=default;'20't=1351753722;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=Date:From:To;'20'b=

    Canonicalized Body:
    '0D''0A'

    DNS record(s):
    default._domainkey.northernculture.co.uk. 86400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/ADuqMPgIq6egTn0RL1+8AJMPfsPm/ukcdquFqxeHpic3sfH1HOepMw5eHMrv0zhyESeTmMf+Rxjmd5o6/kC3qwyM+1RS+NXr3zwke8k/2j2CH9wJ78WBjZJu2woVb0nogeKcdTYoGeMPRHV+detwqBwPbsrc3tIhzT1MZ1qv5QIDAQAB"

    NOTE: DKIM checking has been performed based on the latest DKIM specs
    (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
    older versions. If you are using Port25's PowerMTA, you need to use
    version 3.2r11 or later to get a compatible version of DKIM.

    ----------------------------------------------------------
    Sender-ID check details:
    ----------------------------------------------------------
    Result: pass
    ID(s) verified: header.From=admin@northernculture.co.uk
    DNS record(s):
    northernculture.co.uk. SPF (no records)
    northernculture.co.uk. 86400 IN TXT "v=spf1 mx ip4:31.222.190.9 ptr:mail.northernculture.co.uk mx:mail.northernculture.co.uk -all"
    northernculture.co.uk. 3600 IN MX 10 mail.northernculture.co.uk.
    mail.northernculture.co.uk. 3600 IN A 31.222.190.92

    ----------------------------------------------------------
    SpamAssassin check details:
    ----------------------------------------------------------
    SpamAssassin v3.3.1 (2010-03-16)

    Result: ham (1.4 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    -0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
    -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
    [score: 0.0000]
    -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    domain
    0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
    -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    1.8 MISSING_SUBJECT Missing Subject: header
    2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
    Subject: text

    ==========================================================
    Explanation of the possible results (from RFC 5451)
    ==========================================================
    <snip>
    ==========================================================
    Original Email
    ==========================================================
    Return-Path: <admin@northernculture.co.uk>
    Received: from mail.northernculture.co.uk (31.222.190.92) by verifier.port25.com id hi8fjm11u9cq for <check-auth@verifier.port25.com>; Thu, 1 Nov 2012 03:05:31 -0400 (envelope-from <admin@northernculture.co.uk>)
    Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=admin@northernculture.co.uk
    Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=admin@northernculture.co.uk
    Authentication-Results: verifier.port25.com; dkim=pass (matches From: admin@northernculture.co.uk) header.d=northernculture.co.uk
    Authentication-Results: verifier.port25.com; dkim=pass (matches From: admin@northernculture.co.uk) header.d=northernculture.co.uk
    Authentication-Results: verifier.port25.com; sender-id=pass header.From=admin@northernculture.co.uk
    Received: from localhost (unknown [127.0.0.1])
    by mail.northernculture.co.uk (Postfix) with ESMTP id 75FA84269D
    for <check-auth@verifier.port25.com>; Thu, 1 Nov 2012 07:08:49 +0000 (UTC)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
    d=northernculture.co.uk; s=default; t=1351753729;
    bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
    b=kS0UCL3HlAJz7uONk0Z1Q4hOpMK9DL/F92xK56cDxEqeoU8ZVCIrx6antM71jeGJn
    fpWFQl09R2O5zvWZSa+VgtSWh2m/7Ccbq8bEc/Hx+WiQB6LIQ/oHCh40UgCcOG36g2
    Yergb2xZURfQqgDMRJiciC6N6qWcBimc8a3VrTPM=
    X-Virus-Scanned: amavisd-new at mail.northernculture.co.uk
    Received: from mail.northernculture.co.uk ([127.0.0.1])
    by localhost (mail.northernculture.co.uk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id DJwkMsbVjzM5 for <check-auth@verifier.port25.com>;
    Thu, 1 Nov 2012 07:08:43 +0000 (UTC)
    Received: from [192.168.1.70] (host86-174-120-39.range86-174.btcentralplus.com [86.174.120.39])
    (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.northernculture.co.uk (Postfix) with ESMTPSA id B17424269B
    for <check-auth@verifier.port25.com>; Thu, 1 Nov 2012 07:08:42 +0000 (UTC)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
    d=northernculture.co.uk; s=default; t=1351753722;
    bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
    b=oWbpj++q/gQ0Lo3iJGWfBiJVwKuPKoGZcyrXze+KRzn3JdectyJU0Rb+tkJ5yXDl8
    IAjdRzP5ytXT2uUVheU9UmYJsyi+fdUC98fBR+xyXZfTaqxleXTB+MipDPFyCp7qdZ
    LwAPeFp/vSBTMxEDbdAT1Ll9QW3o/VYpNyNXW0Iw=
    Message-ID: <50921F2F.4090801@northernculture.co.uk>
    Date: Thu, 01 Nov 2012 07:05:19 +0000
    From: Joe Miller <admin@northernculture.co.uk>
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121028 Thunderbird/16.0.2
    MIME-Version: 1.0
    To: check-auth@verifier.port25.com
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    **************************************************************************************
    **************************************************************************************

    Now I'm even more confused! None of them seem to agree on the verification. Some say it failed, one says it passed, and neither agrees on what it's failed on. Any ideas? I'm going to try and find out why I've got two signatures, and see if I can correct that. If successful, I'll rerun the autoresponders and post back.

    Many thanks for your help
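
The "signature timestamp in the future" permerror in the elandsys report can be reproduced by comparing each signature's `t=` tag with the time the verifier stamped in its own `Received:` header. This is an added example, not part of the original thread; the header values are abbreviated from the report above (`bh=` and `b=` omitted), and the `tolerance` parameter is an assumption standing in for whatever clock-drift allowance a given verifier applies.

```python
import re
from email.utils import parsedate_to_datetime

# Abbreviated from the elandsys report quoted above; only the timestamps matter.
RECEIVED = ("from mail.northernculture.co.uk by mx.elandsys.com with ESMTP; "
            "Thu, 1 Nov 2012 00:05:51 -0700 (PDT)")
SIGNATURES = [
    "v=1; a=rsa-sha256; c=relaxed/simple; d=northernculture.co.uk; "
    "s=default; t=1351753740; h=Date:From:To",
    "v=1; a=rsa-sha256; c=relaxed/simple; d=northernculture.co.uk; "
    "s=default; t=1351753738; h=Date:From:To",
]


def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)   # base64 values may end in '='
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def received_epoch(received):
    """Epoch seconds of the date that follows the last ';' in a Received header."""
    date_part = received.rsplit(";", 1)[1]
    date_part = re.sub(r"\([^)]*\)", "", date_part).strip()  # drop "(PDT)"
    return int(parsedate_to_datetime(date_part).timestamp())


def check_timestamp(signature, received, tolerance=0):
    """Return (seconds the signature is ahead of the verifier, verdict)."""
    tags = dkim_tags(signature)
    if "t" not in tags:                      # t= is optional
        return None, "ok (no t= tag)"
    now = received_epoch(received)
    ahead = int(tags["t"]) - now
    if ahead > tolerance:
        return ahead, "permerror: signature timestamp in the future"
    if "x" in tags and int(tags["x"]) + tolerance < now:
        return ahead, "permerror: signature expired"
    return ahead, "ok"


if __name__ == "__main__":
    for sig in SIGNATURES:
        for tol in (0, 300):                 # tolerances are assumed values
            print(tol, check_timestamp(sig, RECEIVED, tol))
```

Both signatures carry a `t=` about three minutes later than the verifier's clock, which points at the signing host's clock rather than at the key or the canonicalization.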

     
  • Joe Miller
    2012-11-01

    Ok, I think I'm sorted now. I've corrected the double signing, and retried all autoresponders, and reset the system time. The problem seems to be if I send an empty email; postfix seems to add stuff to the body of the email, maybe a blank line? Anyway, if I send emails with subject line and something in the body they all pass.
    Thanks again for your help, much appreciated.

     
  • Simply adding blank lines to a message shouldn't cause problems, because DKIM anticipates those and thus it's not enough to break a signature.

    I'll close this now since you say all is well. Please open another support request if needed.

     
    • assigned_to: nobody --> cm-msk
    • status: open --> closed
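
The point about blank lines can be checked directly against the body canonicalization rules of RFC 6376 (sections 3.4.3 and 3.4.4). The following is an added example, not part of the original thread and not OpenDKIM's code; the sample body and the three modifications are constructed. It also shows that the `bh=` value in every signature quoted in this ticket is the hash of an empty body under `simple` canonicalization.

```python
import base64
import hashlib
import re

# bh= value of every signature quoted in this ticket (c=relaxed/simple)
PAGE_BH = "frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY="


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: ignore empty lines at the end; end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse SP/TAB runs and drop whitespace at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and not lines[-1]:
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str = "simple") -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    data = canon_simple(body) if canon == "simple" else canon_relaxed(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def survives(original: bytes, modified: bytes, canon: str) -> bool:
    """True if a bh= computed over `original` still matches `modified`."""
    return body_hash(original, canon) == body_hash(modified, canon)


# Constructed sample body and the kinds of change a relay or filter might make.
BODY = b"Hello,\r\nthis is a test.\r\n"
CHANGES = {
    "blank lines appended": BODY + b"\r\n\r\n",
    "trailing space on a line": BODY.replace(b"Hello,", b"Hello, "),
    "footer line appended": BODY + b"-- \r\nscanned\r\n",
}

if __name__ == "__main__":
    print("empty body, simple :", body_hash(b""), body_hash(b"") == PAGE_BH)
    print("empty body, relaxed:", body_hash(b"", "relaxed"))
    for name, changed in CHANGES.items():
        print(f"{name:26} simple={survives(BODY, changed, 'simple')} "
              f"relaxed={survives(BODY, changed, 'relaxed')}")
```

Appended blank lines survive under both algorithms; any other change to the body breaks `simple`, which is what `c=relaxed/simple` selects for the body.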