From: Tony E. <to...@he...> - 2007-10-06 08:39:52
Hi list,

I'm running dkim-milter 2.3.0Beta[8|9] on two Red Hat-derived sites. My dkim-filter binary incorporates libdk and attempts to verify Domainkey-signed signatures.

At the moment at my two sites all Yahoo!, Inc.-signed signatures are failing tests; dkim-filter reports:

Oct 5 19:31:47 tru dkim-filter[14615]: 7B91918DAB2 SSL error:04077068:rsa routines:RSA_verify:bad signature
Oct 5 19:31:47 tru dkim-filter[14615]: 7B91918DAB2: no signature data

The 7B91918DAB2 refers to a Postfix 2.4.5 queue number. When I look at the signature in the headers of that message, I get:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type:Message-ID;
  b=XmX2/6AclOUCrnMBt5Kp87hDU/yVY3qyhnknT0MJyXwdHSfNjSTTuHDv/LMBgCmCTUEXwTX+ARbldxRuMQ6cqRNorQSZ3cODJR5eSd5YgnVWb2bBVf8Euxz3UeEfOA4tC7F69ZEhwhAV7kjavUk+Y4CxOB0wNcwJgC/KSxYRQ4Q=;

(Sorry for the folding.)

AFAICS the 's=s1024;' shouldn't be there. This should be 'S=s1024'. This I glean from 'man dk-filter'. Indeed, 'dig s1024._domainkey.yahoo.com txt' returns a valid record.

So which is wrong, libdk or Yahoo!, Inc.?

Thanks,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl
From: Murray S. K. <ms...@se...> - 2007-10-06 14:35:22
On Sat, 6 Oct 2007, Tony Earnshaw wrote:
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
>   h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type:Message-ID;
>   b=XmX2/6AclOUCrnMBt5Kp87hDU/yVY3qyhnknT0MJyXwdHSfNjSTTuHDv/LMBgCmCTUEXwTX+ARbldxRuMQ6cqRNorQSZ3cODJR5eSd5YgnVWb2bBVf8Euxz3UeEfOA4tC7F69ZEhwhAV7kjavUk+Y4CxOB0wNcwJgC/KSxYRQ4Q=;
>
> (Sorry for the folding.)
>
> AFAICS the 's=s1024;' shouldn't be there. This should be 'S=s1024'. This
> I glean from 'man dk-filter'. Indeed, 'dig s1024._domainkey.yahoo.com
> txt' returns a valid record.
>
> So which is wrong, libdk or Yahoo!, Inc.?

There's no tag in the DomainKeys specification (see RFC4870) called "S". Like in DKIM, "s" is how you identify in the signature header which selector (key) to use. Thus, the header you cited looks fine to me.

I sent a message to myself at my home domain, running the same dkim-filter with libdk you are. The signature looked like this:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=jWs+QOnepApssILFSrc0sx5kQkt6c+NowJVE8SKZdQ3wCyN/p4D4j18fwNRFECeYEv+Hp5yWSwO40c54ljARkSDH2TLiqTaz/dticegl+Cb+X3t+5WZV58kXXOCuahJBlZaL8u4lZz3Zvf9Ah4d7s96CKXuL3AbTiDPOSA1ISEw=;

Same selector as your sample, and it verified fine:

Authentication-Results: medusa.blackops.org; domainkeys=pass (testing) header.from=msk...@ya...
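The selector lookup discussed in the reply above, as an added example that is not part of the original thread and is not dkim-milter or libdk code: it splits a DomainKey-Signature value into tags and builds the DNS name that the `dig` command in the first message queries. The function names are hypothetical, the sample header is constructed (tag layout from the thread, made-up `b=` value), and keeping tag names exactly as written is an assumption of this example.

```python
import re

# Constructed sample: tag layout copied from the header quoted in the thread,
# with the b= value replaced by a short made-up base64 string.
SAMPLE = (
    "a=rsa-sha1; q=dns; c=nofws;\r\n"
    "\ts=s1024; d=yahoo.com;\r\n"
    "\th=Received:Date:From:Subject:To:Message-ID;\r\n"
    "\tb=Q09OU1RSVUNURUQ=;"
)


def parse_tags(value):
    """Split a DomainKey-Signature header value into a {tag: value} dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        part = part.strip()
        if not part:  # the trailing ';' leaves an empty piece
            continue
        # Split on the first '=' only: base64 values may end in '='.
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name!r}")
        # Assumption of this example: names are kept exactly as written,
        # so "S" and "s" are different tags.
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(tags):
    """Build the DNS TXT name for the public key from the s= and d= tags."""
    missing = [t for t in ("s", "d") if t not in tags]
    if missing:
        raise ValueError(f"missing tag(s): {', '.join(missing)}")
    return f"{tags['s']}._domainkey.{tags['d']}"


if __name__ == "__main__":
    print(key_query_name(parse_tags(SAMPLE)))
```

A header that carried `S=s1024` instead of `s=s1024` makes `key_query_name` raise, because no selector tag is found.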
From: Tony E. <to...@he...> - 2007-10-06 22:45:24
Murray S. Kucherawy wrote, on 06-10-2007 16:35:

[...]

> I sent a message to myself at my home domain, running the same dkim-filter
> with libdk you are. The signature looked like this:
>
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>   s=s1024; d=yahoo.com;
>   h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
>   b=jWs+QOnepApssILFSrc0sx5kQkt6c+NowJVE8SKZdQ3wCyN/p4D4j18fwNRFECeYEv+Hp5yWSwO40c54ljARkSDH2TLiqTaz/dticegl+Cb+X3t+5WZV58kXXOCuahJBlZaL8u4lZz3Zvf9Ah4d7s96CKXuL3AbTiDPOSA1ISEw=;
>
> Same selector as your sample, and it verified fine:
>
> Authentication-Results: medusa.blackops.org; domainkeys=pass (testing) header.from=msk...@ya...

Hmmm ...

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl