From: oxfordmusic.net <li...@ox...> - 2008-03-14 10:04:27

Not sure if this is the right place or if I should post this to [domainkeys-interop].

I have dk-milter 0.6.0 set up with sendmail and it all seems to be signing my messages ok. Only problem is when I try and send to the sa...@se... reflector I get a BAD signature.

I have set DKDEBUG to c to save the canonicalized headers on the server and when I diff the failure report from sendmail with the debug output I get this:

[root@botley tmp]# diff -b dk.30860.BGle2h failure.txt
12,13d11
<
< dktest

The differences shown are the body of the email as displayed in the debug output file (I assume it's NOT using this to form the signature). In other words, it looks like the headers are identical.

Any ideas what else might be going wrong? I've done a selector and policy check and they both look ok.

TIA
Andy

From: Murray S. K. <ms...@se...> - 2008-03-14 12:55:32

On Fri, 14 Mar 2008, oxfordmusic.net wrote:
> [...] I have set DKDEBUG to c to save the canonicalized headers on the
> server

With DomainKeys, the headers and body were not canonicalized separately. Thus, you're seeing the canonicalization of the entire message.

> and when I diff the failure report from sendmail with the debug output I
> get this:
> [root@botley tmp]# diff -b dk.30860.BGle2h failure.txt
> 12,13d11
> <
> < dktest

Try it without "-b", since changes to whitespace are significant.

What command line arguments are you using to start the filter?

From: oxfordmusic.net <li...@ox...> - 2008-03-14 14:56:29

> On Fri, 14 Mar 2008, oxfordmusic.net wrote:
>> [...] I have set DKDEBUG to c to save the canonicalized headers on the
>> server
>
> With DomainKeys, the headers and body were not canonicalized separately.
> Thus, you're seeing the canonicalization of the entire message.

Does that mean the reflector is only using the headers whereas I'm signing the message on the headers and the body? There was no body content in the canonicalized form of the failed message.

>
>> and when I diff the failure report from sendmail with the debug output I
>> get this:
>> [root@botley tmp]# diff -b dk.30860.BGle2h failure.txt
>> 12,13d11
>> <
>> < dktest
>
> Try it without "-b", since changes to whitespace are significant.

If I try it without "-b" it shows the whole file being different but I put this down to different line endings (my server is RHEL4 and my PC is Win XP).

>
> What command line arguments are you using to start the filter?
>

./dk-filter -l -p /var/run/dk-filter/dk-filter.sock -d mydomain.com -s /etc/mail/domainkeys/hostname.key.pem -S hostname -c nofws -o X-MimeOLE -H

I included the "-o X-MimeOLE" because the reflector seemed to be losing the last 2 chars of that header.

Andy

From: Murray S. K. <ms...@se...> - 2008-03-14 15:04:52

On Fri, 14 Mar 2008, oxfordmusic.net wrote:
> Does that mean the reflector is only using the headers whereas I'm signing
> the message on the headers and the body?

No, they should be symmetric. The reflector you're testing is even running the same code base you are.

> There was no body content in the canonicalized form of the failed message.

That's pretty weird. It must've been removed somewhere between you signing and it verifying.

>> Try it without "-b", since changes to whitespace are significant.
>
> If I try it without "-b" it shows the whole file being different but I
> put this down to different line endings (my server is RHEL4 and my PC is
> Win XP).

I'm not clear on why that matters. The signing and verifying are done by your filter which is presumably done on your RHEL4 box. Your PC shouldn't be involved other than to extract the MIME attachment in the debugging reply, if in fact that's what you're receiving.

Are you set up with an "r=" in your DK policy record? If not, you aren't receiving the canonicalized message form from the autoresponder, so you're not "diff"ing the right things in order to isolate the problem.

From: oxfordmusic.net <li...@ox...> - 2008-03-14 15:20:19

>>
>> If I try it without "-b" it shows the whole file being different but I
>> put this down to different line endings (my server is RHEL4 and my PC is
>> Win XP).
>
> I'm not clear on why that matters. The signing and verifying are done by
> your filter which is presumably done on your RHEL4 box. Your PC shouldn't
> be involved other than to extract the MIME attachment in the debugging
> reply, if in fact that's what you're receiving.

Well, my email client is on my PC and I'm copying and pasting the failed canonicalized headers from there onto my server to do the diff. The files do seem to be different:

[root@botley tmp]# file failure.txt   # This is the file created from the headers pasted from the failure email
failure.txt: ASCII text
[root@botley tmp]# file dk.30860.BGle2h   # This is the saved debug output
dk.30860.BGle2h: ASCII text, with CRLF line terminators

>
> Are you set up with an "r=" in your DK policy record? If not, you aren't
> receiving the canonicalized message form from the autoresponder, so
> you're not "diff"ing the right things in order to isolate the problem.
>

Yes, I have "r=" set up and I'm getting a "DomainKeys failure report" from the sendmail.net dk-filter autoresponder.

Andy

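Added example, not part of the thread: one way to compare the saved debug output with the copy taken from the failure report when only the line terminators are expected to differ, so that plain diff does not flag every line and "-b" does not hide real whitespace changes. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not dk-milter code): compare two saved canonicalized
# messages, ignoring ONLY the CRLF-vs-LF line terminator.

# Remove one trailing CR per line; every other byte is left untouched.
strip_cr() {
    cr=$(printf '\r')
    sed "s/${cr}\$//" "$1"
}

# 0 = identical after terminator normalization, 1 = real difference,
# 2 = could not create temp files. On a difference, the diff is printed
# through "sed -n l" so tabs show as \t and each line end shows as $.
canon_compare() {
    a=$(mktemp) && b=$(mktemp) || return 2
    strip_cr "$1" > "$a"
    strip_cr "$2" > "$b"
    if cmp -s "$a" "$b"; then
        rm -f "$a" "$b"
        return 0
    fi
    diff "$a" "$b" | sed -n l
    rm -f "$a" "$b"
    return 1
}

# Constructed sample data (not real dk-filter output): a CRLF dump from the
# signing host and an LF copy pasted from a mail client that lost a space.
demo=$(mktemp -d)
printf 'From: a@example.com\r\nSubject: dk  test\r\n\r\ndktest\r\n' > "$demo/signed"
printf 'From: a@example.com\nSubject: dk test\n\ndktest\n' > "$demo/pasted"
canon_compare "$demo/signed" "$demo/pasted" || echo "canonical forms differ"
rm -rf "$demo"
```
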
From: SM <sm...@re...> - 2008-03-14 16:00:38

Hi Andy,
At 08:21 14-03-2008, oxfordmusic.net wrote:
>Yes, I have "r=" set up and I'm getting a "DomainKeys failure report" from
>the sendmail.net dk-filter autoresponder.

Email me a DK signed message off-list.

Regards,
-sm

From: SM <sm...@re...> - 2008-03-14 17:45:08

At 08:21 14-03-2008, oxfordmusic.net wrote:
> > Are you set up with an "r=" in your DK policy record? If not, you aren't
> > receiving the canonicalized message form from the autoresponder, so
> > you're not "diff"ing the right things in order to isolate the problem.

I have not done a diff. At a guess, it doesn't like that the message is being changed after signing. It may either be a public/private key mismatch or some issue when the signature is generated.

Regards,
-sm

From: oxfordmusic.net <li...@ox...> - 2008-03-25 15:37:26

> At 08:21 14-03-2008, oxfordmusic.net wrote:
>> > Are you set up with an "r=" in your DK policy record? If not, you
>> > aren't
>> > receiving the canonicalized message form from the autoresponder, so
>> > you're not "diff"ing the right things in order to isolate the problem.
>
> I have not done a diff. At a guess, it doesn't like that the message
> is being changed after signing. It may either be a public/private
> key mismatch or some issue when the signature is generated.
>

It looks like it was a key mismatch. Regenerated my key pair and I have finally got a GOOD signature from the sendmail reflector. Thanks for all the help!

Are there any more steps? Do I now need to change my policy/selector to remove the flags for test mode?

Ta
Andy

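Added example, not part of the thread and not dk-milter code: a check for the key mismatch that turned out to be the cause here, comparing the public key derived from the signing key with the p= value of the selector record. The function names are hypothetical, the demo keys and record are generated on the spot, and the record text is passed in as a string so the check runs offline.

```shell
#!/bin/sh
# Added example: does the private key the filter signs with match the
# public key published in the selector's TXT record?

# Base64 of the public key (SubjectPublicKeyInfo) derived from a PEM private key.
pub_from_private() {
    openssl rsa -in "$1" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n'
}

# Extract p= from TXT record text; tolerates the quoted chunks and spaces
# that DNS tools print for long records.
pub_from_record() {
    printf '%s' "$1" | tr -d ' "\t\n' | tr ';' '\n' | sed -n 's/^p=//p'
}

# 0 = key matches the record, 1 = mismatch, 2 = key or record unusable.
check_selector_key() {
    have=$(pub_from_private "$1")
    want=$(pub_from_record "$2")
    [ -n "$have" ] && [ -n "$want" ] || return 2
    [ "$have" = "$want" ]
}

# Constructed demo: two throwaway keys; the "record" publishes only the first.
d=$(mktemp -d)
openssl genrsa -out "$d/a.pem" 2048 2>/dev/null
openssl genrsa -out "$d/b.pem" 2048 2>/dev/null
rec="k=rsa; t=y; p=$(pub_from_private "$d/a.pem");"
check_selector_key "$d/a.pem" "$rec" && echo "a.pem: matches record"
check_selector_key "$d/b.pem" "$rec" || echo "b.pem: MISMATCH with published key"
rm -rf "$d"

# Against live DNS, using the key path, selector and domain from the command
# line quoted earlier in the thread:
#   check_selector_key /etc/mail/domainkeys/hostname.key.pem \
#       "$(dig +short TXT hostname._domainkey.mydomain.com)"
```
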
From: SM <sm...@re...> - 2008-03-25 16:45:38

At 08:38 25-03-2008, oxfordmusic.net wrote:
>Are there any more steps? Do I now need to change my policy/selector to
>remove the flags for test mode?

You can remove the test mode flag if your DK signature verifies correctly.

Regards,
-sm