From: Scott G. <sgr...@bo...> - 2004-11-25 23:28:02
|
I'm seeing weird authentication now.... Seems my keys are failing for no reason. Email from yahoo gives me this: Authentication-Results: borgnet.us; domainkeys=fail That isn't exactly right since the domain should be yahoo.com not borgnet.us Now I send a email to yahoo and it gives me this: Authentication-Results: mta114.mail.dcn.yahoo.com from=borgnet.us; domainkeys=fail (bad sig) Now that shows yahoo's mta and my domain and my keys fail there also...... What gives ? Scott |
From: Scott G. <sgr...@bo...> - 2004-11-25 23:34:38
|
On Thursday 25 November 2004 15:27, Scott Grayban wrote: > I'm seeing weird authentication now.... Seems my keys are failing for no reason. > Email from yahoo gives me this: > Authentication-Results: borgnet.us; domainkeys=fail > That isn't exactly right since the domain should be yahoo.com not borgnet.us > Now I send a email to yahoo and it gives me this: > Authentication-Results: mta114.mail.dcn.yahoo.com from=borgnet.us; domainkeys=fail (bad sig) > Now that shows yahoo's mta and my domain and my keys fail there also...... > What gives ? > Scott hmmm yahoo uses nofws and I use simple for the -c canonicalization --- would that be the issue? |
From: SM <sm...@re...> - 2004-11-26 02:34:40
|
Hi Scott, At 15:34 25-11-2004, Scott Grayban wrote: > > Now I send a email to yahoo and it gives me this: > > > > Authentication-Results: mta114.mail.dcn.yahoo.com > from=borgnet.us; domainkeys=fail (bad sig) Is your Antivirus inserting a header after the email is "signed"? If so, the domainkeys verification will fail at the receiver's end. >hmmm yahoo uses nofws and I use simple for the -c canonicalization --- >would that be the issue? That should not be a problem as dk-milter supports nofws and simple canonicalization. Regards, -sm |
From: Robert A. <ro...@an...> - 2004-11-26 00:25:22
|
On Thu, 25 Nov 2004, 15:27 GMT-08 Scott Grayban wrote: > I'm seeing weird authentication now.... Seems my keys are failing for no reason. > Email from yahoo gives me this: > Authentication-Results: borgnet.us; domainkeys=fail > That isn't exactly right since the domain should be yahoo.com not borgnet.us > Now I send a email to yahoo and it gives me this: > Authentication-Results: mta114.mail.dcn.yahoo.com > from=borgnet.us; domainkeys=fail (bad sig) > Now that shows yahoo's mta and my domain and my keys fail there also...... > What gives ? > Scott # dig _domainkey.borgnet.us txt | grep -v ^\; | grep TXT _domainkey.borgnet.us. 38189 IN TXT "g=\; k=rsa\; t=y\; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALIUPFFeSpImFsHMgUf5FU6bvvgh/aNNk3yPCBsDv37ZeDT7WCRCmLwpSPyIeUYog79mc9L8zFaHQ8z2CBh2z8sCAwEAAQ==" Not sure if this result is related to your problem, but shouldn't that TXT record only contain the policy for your domain, but not the key itself? Your domain does not seem to have any policy record and - please correct me if I'm wrong - this is required, isn't it? rob. |
From: Scott G. <sgr...@bo...> - 2004-11-26 00:50:58
|
On Thursday 25 November 2004 16:25, Robert Allerstorfer wrote: > # dig _domainkey.borgnet.us txt | grep -v ^\; | grep TXT > _domainkey.borgnet.us. 38189 IN TXT "g=\; k=rsa\; t=y\; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALIUPFFeSpImFsHMgUf5FU6bvvgh/aNNk3yPCBsDv37ZeDT7WCRCmLwpSPyIeUYog79mc9L8zFaHQ8z2CBh2z8sCAwEAAQ==" > Not sure if this result is related to your problem, but shouldn't that > TXT record only contain the policy for your domain, but not the key > itself? Your domain does not seem to have any policy record and - > please correct me if I'm wrong - this is required, isn't it? > rob. Nope -- my TXT entry is correct. I also use multi-keys for multi-domains The TXT contains the k type which is rsa and the public key which the p= And my public key is: [root@borgnet keys]# cat borgnet.us.public -----BEGIN PUBLIC KEY----- MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALIUPFFeSpImFsHMgUf5FU6bvvgh/aNN k3yPCBsDv37ZeDT7WCRCmLwpSPyIeUYog79mc9L8zFaHQ8z2CBh2z8sCAwEAAQ== -----END PUBLIC KEY----- So its all correct..... just something isnt checking out right and my hunch its the -c param yahoo uses nofws and i use simple. Should be way to auto detect it the type it needs when checking the keys if thats the case. Scott |
From: Robert A. <ro...@an...> - 2004-11-26 12:06:29
|
On Thu, 25 Nov 2004, 16:50 GMT-08 Scott Grayban wrote: > On Thursday 25 November 2004 16:25, Robert Allerstorfer wrote: >> >> # dig _domainkey.borgnet.us txt | grep -v ^\; | grep TXT >> _domainkey.borgnet.us. 38189 IN TXT "g=\; k=rsa\; >> t=y\; >> p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALIUPFFeSpImFsHMgUf5FU6bvvgh/aNNk3yPCBsDv37ZeDT7WCRCmLwpSPyIeUYog79mc9L8zFaHQ8z2CBh2z8sCAwEAAQ==" >> [...] Your domain does not seem to have any policy record and - >> please correct me if I'm wrong - this is required, isn't it? > Nope -- my TXT entry is correct. Are you sure? So which policy record does your domain have set? According to the current DK draft, the only allowed tags are o, t, r and n. But you have g, k and p. This policy record is in error. rob. |
From: SM <sm...@re...> - 2004-11-26 02:24:32
|
Hi Scott, At 15:27 25-11-2004, Scott Grayban wrote: >I'm seeing weird authentication now.... Seems my keys are failing for no >reason. >Email from yahoo gives me this: > >Authentication-Results: borgnet.us; domainkeys=fail This header presents the results of a sender authentication to the recipient. borgnet.us, in the above case, is the host doing the verification. Regards, -sm |
From: Scott G. <sgr...@bo...> - 2004-11-26 03:46:11
|
On Thursday 25 November 2004 18:23, SM wrote: > > Now I send a email to yahoo and it gives me this: > > > > Authentication-Results: mta114.mail.dcn.yahoo.com > from=borgnet.us; domainkeys=fail (bad sig) > Is your Antivirus inserting a header after the email is "signed"? If so, > the domainkeys verification will fail at the receiver's end. According to the -H settings the anti-virus is set before the key is: DomainKey-Signature: a=rsa-sha1; s=borgnet.us; d=borgnet.us; c=simple; q=dns; h=received:date:from:mime-version:to:subject:message-id:content-id:content-type:x-antivirus; b=NWrutUaKn6aI5AcToq9AToVh4/I4JxtFlh/F+Yzm5amVDROjMTkTmxfGMCnDPaSpL OdRtZ8GuR5apeJ026EVmA== > hmmm yahoo uses nofws and I use simple for the -c canonicalization --- > would that be the issue? > That should not be a problem as dk-milter supports nofws and simple > canonicalization. Ok > I'm seeing weird authentication now.... Seems my keys are failing for no reason. > Email from yahoo gives me this: > Authentication-Results: borgnet.us; domainkeys=fail > That isn't exactly right since the domain should be yahoo.com not borgnet.us > Now I send a email to yahoo and it gives me this: > Authentication-Results: mta114.mail.dcn.yahoo.com > from=borgnet.us; domainkeys=fail (bad sig) > Now that shows yahoo's mta and my domain and my keys fail there also...... > >I'm seeing weird authentication now.... Seems my keys are failing for no > >reason. > >Email from yahoo gives me this: > > > >Authentication-Results: borgnet.us; domainkeys=fail > This header presents the results of a sender authentication to the > recipient. borgnet.us, in the above case, is the host doing the verification.
But according to what yahoo shows when they get my email it shows my domain its getting the keys for: > Authentication-Results: mta114.mail.dcn.yahoo.com from=borgnet.us; domainkeys=fail (bad sig) So If I'm sending from yahoo to here the Authentication-Results should show: Authentication-Results: from=yahoo.com; domainkeys=????? Not borgnet.us as yahoo is doing... |
From: SM <sm...@re...> - 2004-11-26 06:19:29
|
Hi Scott, At 19:45 25-11-2004, Scott Grayban wrote: >According to the -H settings the anti-virus is set before the key is: >DomainKey-Signature: a=rsa-sha1; s=borgnet.us; d=borgnet.us; c=simple; >q=dns; >h=received:date:from:mime-version:to:subject:message-id:content-id:content-type:x-antivirus; >b=NWrutUaKn6aI5AcToq9AToVh4/I4JxtFlh/F+Yzm5amVDROjMTkTmxfGMCnDPaSpL >OdRtZ8GuR5apeJ026EVmA== I didn't notice that you were using the -H setting. Can you remove the x-antivirus header from that setting and test? >But according to what yahoo shows when they get my email it shows my >domain its getting the keys for: > > Authentication-Results: mta114.mail.dcn.yahoo.com from=borgnet.us; > domainkeys=fail (bad sig) From the above, the DK verification was performed by host "mta114.mail.dcn.yahoo.com". The "from" would be the domain signing the mail. >So If I'm sending from yahoo to here the Authentication-Results should show: >Authentication-Results: from=yahoo.com; domainkeys=????? > >Not borgnet.us as yahoo is doing... If the borgnet.us host is running dk-milter to do the DK verification, then the Authentication-Results: header would show: Authentication-Results: borgnet.us; domainkeys=result The hostname is inserted in that header to tell us who did the verification. Notice that there is no "from=" before the hostname doing the verification. Regards, -sm |
From: Scott G. <sgr...@bo...> - 2004-11-26 15:12:54
|
On Friday 26 November 2004 03:05, Robert Allerstorfer wrote: > On Thu, 25 Nov 2004, 16:50 GMT-08 Scott Grayban wrote: > > On Thursday 25 November 2004 16:25, Robert Allerstorfer wrote: > >> # dig _domainkey.borgnet.us txt | grep -v ^\; | grep TXT > >> _domainkey.borgnet.us. 38189 IN TXT "g=\; k=rsa\; > >> t=y\; > >> p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALIUPFFeSpImFsHMgUf5FU6bvvgh/aNNk3yPCBsDv37ZeDT7WCRCmLwpSPyIeUYog79mc9L8zFaHQ8z2CBh2z8sCAwEAAQ==" > >> [...] Your domain does not seem to have any policy record and - > >> please correct me if I'm wrong - this is required, isn't it? > > Nope -- my TXT entry is correct. > Are you sure? So which policy record does your domain have set? > According to the current DK draft, the only allowed tags are o, t, r > and n. But you have g, k and p. This policy record is in error. > rob. [root@borgnet dk-filter]# ./gentxt.csh borgnet.us borgnet.us borgnet.us._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL+z60HX+EIholHbkG02nJlqJu1wwhLoZ77C3IusU16yqxpkzaU0Sr6XhynPfNU/+R/YUew11EexBsDjetH70JcCAwEAAQ==" ; ----- DomainKey for borgnet.us so I guess the gentxt program is wrong ? |
From: SM <sm...@re...> - 2004-11-26 17:40:42
|
Hi Scott, At 07:12 26-11-2004, Scott Grayban wrote: >[root@borgnet dk-filter]# ./gentxt.csh borgnet.us borgnet.us >borgnet.us._domainkey IN TXT "g=; k=rsa; t=y; >p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL+z60HX+EIholHbkG02nJlqJu1wwhLoZ77C3IusU16yqxpkzaU0Sr6XhynPfNU/+R/YUew11EexBsDjetH70JcCAwEAAQ==" >; ----- DomainKey for borgnet.us > >so I guess the gentxt program is wrong ? No, the gentxt program is not wrong. That is the DNS record to use for the selector. Regards, -sm |
From: Scott G. <sgr...@bo...> - 2004-11-26 15:34:30
|
On Thursday 25 November 2004 22:18, SM wrote: > Hi Scott, > At 19:45 25-11-2004, Scott Grayban wrote: > >According to the -H settings the anti-virus is set before the key is: > >DomainKey-Signature: a=rsa-sha1; s=borgnet.us; d=borgnet.us; c=simple; > >q=dns; > >h=received:date:from:mime-version:to:subject:message-id:content-id:content-type:x-antivirus; > >b=NWrutUaKn6aI5AcToq9AToVh4/I4JxtFlh/F+Yzm5amVDROjMTkTmxfGMCnDPaSpL > >OdRtZ8GuR5apeJ026EVmA== > I didn't notice that you were using the -H setting. Can you remove the > x-antivirus header from that setting and test? > >But according to what yahoo shows when they get my email it shows my > >domain its getting the keys for: > > > Authentication-Results: mta114.mail.dcn.yahoo.com from=borgnet.us; > > domainkeys=fail (bad sig) > From the above, the DK verification was performed by host > "mta114.mail.dcn.yahoo.com". The "from" would be the domain signing the mail. > >So If I'm sending from yahoo to here the Authentication-Results should show: > >Authentication-Results: from=yahoo.com; domainkeys=????? > > > >Not borgnet.us as yahoo is doing... > If the borgnet.us host is running dk-milter to do the DK verification, then > the Authentication-Results: header would show: > Authentication-Results: borgnet.us; domainkeys=result > The hostname is inserted in that header to tell us who did the > verification. Notice that there is no "from=" before the hostname doing > the verification. > Regards, > -sm Removed the anti-virus checking and it still gives a bad sig. Something is very broke. I even generated a new key. I thought this was working once before. Scott |
From: SM <sm...@re...> - 2004-11-26 17:40:34
|
Hi Scott, At 07:34 26-11-2004, Scott Grayban wrote: >Removed the anti-virus checking and it still gives a bad sig. Something is >very broke. Please refer to Robert's email. He may have found something. Can you please send a test email to aut...@dk... and send me the output off-list? Regards, -sm |
From: Robert A. <ro...@an...> - 2004-11-26 15:48:29
|
On Fri, 26 Nov 2004, 07:12 GMT-08 Scott Grayban wrote: > On Friday 26 November 2004 03:05, Robert Allerstorfer wrote: >> According to the current DK draft, the only allowed tags are o, t, r >> and n. But you have g, k and p. This policy record is in error. > [root@borgnet dk-filter]# ./gentxt.csh borgnet.us borgnet.us > borgnet.us._domainkey IN TXT "g=; k=rsa; t=y; > p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL+z60HX+EIholHbkG02nJlqJu1wwhLoZ77C3IusU16yqxpkzaU0Sr6XhynPfNU/+R/YUew11EexBsDjetH70JcCAwEAAQ==" > ; ----- DomainKey for borgnet.us > so I guess the gentxt program is wrong ? this entry is correct but this is not the policy record. Your domain must have both one policy record and at least one public key record: ; policy record for the domain 'borgnet.us': _domainkey IN TXT "t=y; o=~;" ; public key record for the separator 'borgnet.us._domainkey.borgnet.us': borgnet.us._domainkey IN TXT "t=y; g=; k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL+z60HX+EIholHbkG02nJlqJu1wwhLoZ77C3IusU16yqxpkzaU0Sr6XhynPfNU/+R/YUew11EexBsDjetH70JcCAwEAAQ==" rob. |
From: Scott G. <sgr...@bo...> - 2004-11-26 16:31:42
|
On Friday 26 November 2004 06:48, Robert Allerstorfer wrote: > On Fri, 26 Nov 2004, 07:12 GMT-08 Scott Grayban wrote: > > On Friday 26 November 2004 03:05, Robert Allerstorfer wrote: > >> According to the current DK draft, the only allowed tags are o, t, r > >> and n. But you have g, k and p. This policy record is in error. > > [root@borgnet dk-filter]# ./gentxt.csh borgnet.us borgnet.us > > borgnet.us._domainkey IN TXT "g=; k=rsa; t=y; > > p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL+z60HX+EIholHbkG02nJlqJu1wwhLoZ77C3IusU16yqxpkzaU0Sr6XhynPfNU/+R/YUew11EexBsDjetH70JcCAwEAAQ==" > > ; ----- DomainKey for borgnet.us > > so I guess the gentxt program is wrong ? > this entry is correct but this is not the policy record. Your domain > must have both one policy record and at least one public key record: > ; policy record for the domain 'borgnet.us': > _domainkey IN TXT "t=y; o=~;" > ; public key record for the separator > 'borgnet.us._domainkey.borgnet.us': > borgnet.us._domainkey IN TXT "t=y; g=; k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL+z60HX+EIholHbkG02nJlqJu1wwhLoZ77C3IusU16yqxpkzaU0Sr6XhynPfNU/+R/YUew11EexBsDjetH70JcCAwEAAQ==" > rob. Where is the info about this policy record? And I use the FFR_Multikey since I host multiple domains. I dont want that affected. And if the policy is required then the gentxt.csh needs to be re-written because its not mentioned anyplace about needing a policy. Scott |
From: SM <sm...@re...> - 2004-11-26 17:40:41
|
Hi Robert, At 06:48 26-11-2004, Robert Allerstorfer wrote: >this entry is correct but this is not the policy record. Your domain >must have both one policy record and at least one public key record: Nice catch. This tags for the policy records are optional btw. If the policy records does not exist, the recipient system assume the default values. Regards, -sm |
From: Scott G. <sgr...@bo...> - 2004-11-27 02:53:01
|
On Friday 26 November 2004 09:29 am, SM wrote: > Hi Robert, > At 06:48 26-11-2004, Robert Allerstorfer wrote: > >this entry is correct but this is not the policy record. Your domain > >must have both one policy record and at least one public key record: > Nice catch. This tags for the policy records are optional btw. If the > policy records does not exist, the recipient system assume the default values. > Regards, > -sm Nov 27 02:51:21 borgnet sendmail[26668]: iAR2gnJJ026668: collect: premature EOM: Connection reset by ns1.qubic.net Nov 27 02:51:21 borgnet sendmail[26668]: iAR2gnJJ026668: SYSERR(root): collect: I/O error on connection from ns1.qubic.net, from=<daemon@ns1.qubic.net> Nov 27 02:51:21 borgnet sendmail[26668]: iAR2gnJJ026668: from=<daemon@ns1.qubic.net>, size=5451, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=IDENT:ro...@ns... [208.185.248.67] Uhhhhhhh wtf??? |
From: Robert A. <ro...@an...> - 2004-11-27 01:43:21
|
Hi SM, > Nice catch. This tags for the policy records are optional btw. If the > policy records does not exist, the recipient system assume the default values. Thanks for pointing that out. If I understood it right, every domain must have a Policy statement - [from Draft-01] "in particular, whether a domain is participating in DomainKeys, whether they are testing and whether it signs all outbound email". At the moment, the policy statement is set as TXT record in the _domainkey.MYDOMAIN domain. "If the policy TXT record does not exist, recipient systems MUST assume the default values." But, if the policy TXT record exists and contains tags not allowed there, verifying systems may fail. Scott's policy record is still in error. This shows both the result of the dig call mentioned in my original post and this web based test utility: http://domainkeys.sourceforge.net/cgi-bin/check_policy?domain=borgnet.us => "Testing borgnet.us Policy TXT=g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMrl8e9mUYGKKv2TlNLQK5woYBWY6/0NtyM2N8IcA9xffpqqClg9w7X0F8XGXcVNZiKbS8iUeY5/DMzo/JnYIxsCAwEAAQ== This policy record is in error: Unexpected tag(s): p,k,g" best, rob. |
From: Scott G. <sgr...@bo...> - 2004-11-27 02:33:38
|
On Friday 26 November 2004 05:43 pm, Robert Allerstorfer wrote: > Hi SM, > > Nice catch. This tags for the policy records are optional btw. If the > > policy records does not exist, the recipient system assume the default values. > Thanks for pointing that out. If I understood it right, every domain > must have a Policy statement - [from Draft-01] "in particular, whether a > domain is participating in DomainKeys, whether they are testing and > whether it signs all outbound email". At the moment, the policy > statement is set as TXT record in the _domainkey.MYDOMAIN domain. > "If the policy TXT record does not exist, recipient systems MUST > assume the default values." > But, if the policy TXT record exists and contains tags not allowed > there, verifying systems may fail. Scott's policy record is still in > error. This shows both the result of the dig call mentioned in my > original post and this web based test utility: > http://domainkeys.sourceforge.net/cgi-bin/check_policy?domain=borgnet.us > => > "Testing borgnet.us > Policy TXT=g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMrl8e9mUYGKKv2TlNLQK5woYBWY6/0NtyM2N8IcA9xffpqqClg9w7X0F8XGXcVNZiKbS8iUeY5/DMzo/JnYIxsCAwEAAQ== > This policy record is in error: Unexpected tag(s): p,k,g" > best, > rob. This makes no sense. If gentxt creates the dns entry then why is the tags p,k,g not right? I thought it was generating it right? Adding o=~; to my records made no difference. Maybe I should just disable the dk-filter until everything is working correctly and better docs are written. All I can say is it was working until recently. Previous tests confirmed that. Scott |
From: SM <sm...@re...> - 2004-11-27 03:14:33
|
Hi Robert, At 17:43 26-11-2004, Robert Allerstorfer wrote: >But, if the policy TXT record exists and contains tags not allowed >there, verifying systems may fail. Scott's policy record is still in >error. This shows both the result of the dig call mentioned in my >original post and this web based test utility: Yes, that would cause the verification to fail. Scott should remove the _domainkey.borgnet.us DNS record and test DK. Regards, -sm |
From: Scott G. <sgr...@bo...> - 2004-11-27 03:36:34
|
On Friday 26 November 2004 07:14 pm, SM wrote: > Hi Robert, > At 17:43 26-11-2004, Robert Allerstorfer wrote: > >But, if the policy TXT record exists and contains tags not allowed > >there, verifying systems may fail. Scott's policy record is still in > >error. This shows both the result of the dig call mentioned in my > >original post and this web based test utility: > Yes, that would cause the verification to fail. Scott should remove the > _domainkey.borgnet.us DNS record and test DK. > Regards, > -sm I have disabled the dk-filter. When the docs are written correctly and all the second guessing is done I'll install the filter again. Until then I'll just watch the releases and doc's until a stable release is done. Just too frustrating now. Scott |
From: Scott G. <sgr...@bo...> - 2004-11-27 02:09:50
|
On Friday 26 November 2004 09:39 am, SM wrote: > Please refer to Robert's email. He may have found something. > Can you please send a test email to aut...@dk... and send > me the output off-list? Sent 2 emails and got nothing back. As far as Roberts email I'm not sure what he is getting at. Should the gentxt be generating something it's not? The url to check the policy is saying the whole TXT key is wrong. I give up......... |
From: SM <sm...@re...> - 2004-11-27 03:24:15
|
Hi Scott, At 18:09 26-11-2004, Scott Grayban wrote: >Sent 2 emails and got nothing back. The SMTP session is hanging at your end during the DATA phase. >Should the gentxt be generating something it's not? Where did you get the record for _domainkey.borgnet.us? >The url to check the policy is saying the whole TXT key is wrong. Yes it looks wrong. I suggest leaving out that policy record for now. Regards, -sm |
From: Scott G. <sgr...@bo...> - 2004-11-27 03:42:08
|
On Friday 26 November 2004 07:23 pm, SM wrote: > Hi Scott, > At 18:09 26-11-2004, Scott Grayban wrote: > >Sent 2 emails and got nothing back. > The SMTP session is hanging at your end during the DATA phase. > >Should the gentxt be generating something it's not? > Where did you get the record for _domainkey.borgnet.us? > >The url to check the policy is saying the whole TXT key is wrong. > Yes it looks wrong. I suggest leaving out that policy record for now. > Regards, > -sm I'm getting the everything exactly how the current docs explain to do. In the INSTALL this is what it says: (b) Manually generate a public and private key: (i) % openssl genrsa -out rsa.private 512 (ii) % openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM (iii) Add a TXT DNS record containing the base64 encoding of your public key, which is everything between the BEGIN and END lines in the rsa.public file generated above, with spaces and newlines removed. It should be in this form: "g=; k=rsa; t=y; p=MFwwDQYJ...AwEAAQ==" ...using, of course, your own public key's base64 data. The name of the TXT record should be SELECTOR._domainkey.example.com (where "SELECTOR" is the name you chose and "example.com" is your domain name). You might want to set a short TTL on this record. Reload your nameserver so that the record gets published. For a translation of the parameter and value pairs shown here, see the draft spec; basically this just announces an RSA public key and also declares that your site is using this key in test mode so nobody should take any real action based on success or failure of the use of this key to verify a message.
Then gentxt.csh says this: [root@borgnet dk-filter]# ./gentxt.csh usage: ./gentxt.csh selector [domain] [root@borgnet dk-filter]# ./gentxt.csh borgnet borgnet.us borgnet._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANvktIxxmZ7gM+bIIiFq4ryL1MkZ+d+hCpfC3rQu15PNxAf5lTlaFP9jVk43N6X/u8VoLv1kazfgBEnRGGHAHUcCAwEAAQ==" ; ----- DomainKey for borgnet.us So I add everything like it says and it used to work with no problems. Now it seems it has all changed. So I give up...... Scott |
From: SM <sm...@re...> - 2004-11-27 16:20:01
|
At 19:41 26-11-2004, Scott Grayban wrote: >I'm getting the everything exactly how the current docs explain to do. > > (iii) Add a TXT DNS record containing the base64 encoding of your public > key, which is everything between the BEGIN and END lines in the > rsa.public file generated above, with spaces and newlines removed. > It should be in this form: > > "g=; k=rsa; t=y; p=MFwwDQYJ...AwEAAQ==" > > ...using, of course, your own public key's base64 data. The > name of > the TXT record should be SELECTOR._domainkey.example.com (where > >Then gentxt.csh says this: > >[root@borgnet dk-filter]# ./gentxt.csh >usage: ./gentxt.csh selector [domain] >[root@borgnet dk-filter]# ./gentxt.csh borgnet borgnet.us >borgnet._domainkey IN TXT "g=; k=rsa; t=y; >p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANvktIxxmZ7gM+bIIiFq4ryL1MkZ+d+hCpfC3rQu15PNxAf5lTlaFP9jVk43N6X/u8VoLv1kazfgBEnRGGHAHUcCAwEAAQ==" >; ----- DomainKey for borgnet.us > >So I add everything like it says and it used to work with no problems. The above is correct. However, you also had a DNS TXT record for _domainkey.borgnet.us which was incorrect. Here is your last DK signature: DomainKey-Signature: a=rsa-sha1; s=borgnet.us.private; d=borgnet.us; c=simple; q=dns; b=pxb9jbeXs4uC0ROywEgpNL/OtB0PIhGDM3kx/IWoySPruHA7SdeRsV0pQ4NubBxbn hMCRmm40/BOx2CjTRJvZQ== Your selector is set as "borgnet.us.private". It should have been borgnet only. Regards, -sm |
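Added example, not part of the thread and not dk-milter code: a small offline check for the two problems the thread ends on, key tags published at the policy name `_domainkey.<domain>` and a signature whose `s=` selector has no matching `<selector>._domainkey.<domain>` record. The policy tag set is the one quoted above from the DK draft; the key-record tag set, the function names and the sample zone (with elided placeholder key data) are assumptions made for illustration.

```python
"""Lint DomainKeys TXT records and check a signature's selector against a zone."""

# Policy tags are the set quoted in the thread from the DK draft. The key-record
# set (g, k, n, p, t) is an assumption taken from the DomainKeys specification.
POLICY_TAGS = {"o", "t", "r", "n"}
KEY_TAGS = {"g", "k", "n", "p", "t"}
MARK = "._domainkey."


def parse_tags(text):
    """Parse 'tag=value; tag=value' (TXT data or a signature header) into a dict."""
    tags = {}
    # dig shows ';' as '\;' inside TXT data, so undo that escaping first.
    for part in text.replace("\\;", ";").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(value.split())
    return tags


def record_kind(owner):
    """Return 'policy' for _domainkey.<domain>, 'key' for <selector>._domainkey.<domain>."""
    owner = owner.rstrip(".").lower()
    if owner.startswith("_domainkey."):
        return "policy"
    return "key" if MARK in owner else None


def unexpected_tags(owner, txt):
    """List the tags that are not allowed for the kind of record at this owner name."""
    kind = record_kind(owner)
    if kind is None:
        raise ValueError(f"{owner!r} is not a DomainKeys owner name")
    allowed = POLICY_TAGS if kind == "policy" else KEY_TAGS
    return sorted(set(parse_tags(txt)) - allowed)


def selector_qname(signature):
    """Name a verifier looks up for a DomainKey-Signature value: <s>._domainkey.<d>."""
    tags = parse_tags(signature)
    return f"{tags['s']}{MARK}{tags['d']}".lower()


def diagnose(signature, zone):
    """Compare one signature with the published records; return a list of findings."""
    zone = {name.rstrip(".").lower(): txt for name, txt in zone.items()}
    domain = parse_tags(signature)["d"].lower()
    qname = selector_qname(signature)
    findings = []
    if qname not in zone:
        keys = sorted(n for n in zone
                      if record_kind(n) == "key" and n.endswith(MARK + domain))
        findings.append(f"no key record at {qname}; published: {', '.join(keys) or 'none'}")
    elif not parse_tags(zone[qname]).get("p"):
        findings.append(f"key record at {qname} carries no public key in p=")
    policy = "_domainkey." + domain
    if policy in zone:
        bad = unexpected_tags(policy, zone[policy])
        if bad:
            findings.append(f"policy record {policy} has unexpected tag(s): {','.join(bad)}")
    return findings


# Constructed sample using names quoted in the thread. The key and signature
# data are elided placeholders, not real values.
KEY_TXT = "g=; k=rsa; t=y; p=MFwwDQYJ...AwEAAQ=="
ZONE = {
    "_domainkey.borgnet.us.": KEY_TXT,          # key data published at the policy name
    "borgnet._domainkey.borgnet.us.": KEY_TXT,  # record for selector 'borgnet'
}
SIGNATURE = "a=rsa-sha1; s=borgnet.us.private; d=borgnet.us; c=simple; q=dns; b=PLACEHOLDER"

if __name__ == "__main__":
    for finding in diagnose(SIGNATURE, ZONE):
        print(finding)
```

To check a live domain, fill the `ZONE` dictionary from the TXT answers for the policy name and the selector name before calling `diagnose`.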