From: Peter W. <pw...@ch...> - 2008-02-05 13:46:32

Greetings,

I'm working on implementing DomainKeys for our company, and we're using dk-milter to sign our outgoing email. After some fiddling around, I was able to send out signed emails and have them verified by Yahoo and by the verifier app at http://senderid.espcoalition.org/. However, I didn't get this working until I added the -H flag, which to my understanding adds a list of the headers used in the signature to the signature header itself. Without that flag, Yahoo was saying that my signature was "bad". Any idea why having the -H flag would make my signature "good"?

Also, it seems to me that the -H flag is forcing Milter insert messages to be written to the syslog, even though we are not using the -l flag. Is there any reason for that?

We're running dk-filter 0.6.0 with Sendmail 8.13.8.

Thanks,
Peter
From: SM <sm...@re...> - 2008-02-05 14:07:26

Hi Peter,

At 05:46 05-02-2008, Peter Wood wrote:
> I'm working on implementing DomainKeys for our company, and we're using
> dk-milter to sign our outgoing email. After some fiddling around, I was
> able to send out signed emails and have them verified by Yahoo and by
> the verifier app at http://senderid.espcoalition.org/. However, I didn't
> get this working until I added the -H flag, which to my understanding
> adds a list of the headers used in the signature to the signature
> header itself. Without that flag, Yahoo was saying that my signature was
> "bad". Any idea why having the -H flag would make my signature "good"?

Your MS Exchange server is inserting a Return-Path header which causes the "bad" signature. Use the "-o" parameter to omit that header when signing.

> Also, it seems to me that the -H flag is forcing Milter insert messages
> to be written to the syslog, even though we are not using the -l flag.
> Is there any reason for that?

That insert message is generated by sendmail and not by dk-filter.

Regards,
-sm
From: Peter W. <pw...@ch...> - 2008-02-05 14:48:12

Hello,

> Your MS Exchange server is inserting a Return-Path header which
> causes the "bad" signature. Use the "-o" parameter to omit that
> header when signing.

We're using Sendmail, not Exchange, for the messages in question. In any case, I added "-o Return-Path" to the dk-filter startup arguments, restarted Sendmail and domainkeys, and Yahoo is still saying that our signature is bad. If I add the -H option back to the dk-filter startup arguments, the signature turns out good, regardless of whether -o Return-Path is present.

Here's the DomainKey signature header, as seen with the -H option on and the -o Return-Path option off. This signature is "good".

(Authentication-Results: mta219.mail.mud.yahoo.com from=christianbook.com; domainkeys=pass (ok))
DomainKey-Signature: a=rsa-sha1; s=relay; d=christianbook.com; c=nofws; q=dns; h=from:to:subject;
  b=qZ7/cmEppm7lqiKJZtgPPfjWy2HqGUiD4sKX2jBHHPEoFaDrbSt1R9hSGzMnORu7F
  RvAA4wdB5AYOzkwlGfiZY/80toOg90nssFGEGVR49HjB+ItKZSz+7IvqAMjhK6h

Here's the signature with -H turned on and -o Return-Path turned on. This signature is also "good".

(Authentication-Results: mta195.mail.mud.yahoo.com from=christianbook.com; domainkeys=pass (ok))
DomainKey-Signature: a=rsa-sha1; s=relay; d=christianbook.com; c=nofws; q=dns; h=from:to:subject;
  b=qZ7/cmEppm7lqiKJZtgPPfjWy2HqGUiD4sKX2jBHHPEoFaDrbSt1R9hSGzMnORu7F
  RvAA4wdB5AYOzkwlGfiZY/80toOg90nssFGEGVR49HjB+ItKZSz+7IvqAMjhK6h

Here's the signature with -H turned off and -o Return-Path turned off. This signature is "bad".

(Authentication-Results: mta251.mail.re2.yahoo.com from=christianbook.com; domainkeys=fail (bad sig))
DomainKey-Signature: a=rsa-sha1; s=relay; d=christianbook.com; c=nofws; q=dns;
  b=qZ7/cmEppm7lqiKJZtgPPfjWy2HqGUiD4sKX2jBHHPEoFaDrbSt1R9hSGzMnORu7F
  RvAA4wdB5AYOzkwlGfiZY/80toOg90nssFGEGVR49HjB+ItKZSz+7IvqAMjhK6h

Here's the signature with -H turned off and -o Return-Path turned on. This signature is also "bad".

(Authentication-Results: mta127.mail.re4.yahoo.com from=christianbook.com; domainkeys=fail (bad sig))
DomainKey-Signature: a=rsa-sha1; s=relay; d=christianbook.com; c=nofws; q=dns;
  b=qZ7/cmEppm7lqiKJZtgPPfjWy2HqGUiD4sKX2jBHHPEoFaDrbSt1R9hSGzMnORu7F
  RvAA4wdB5AYOzkwlGfiZY/80toOg90nssFGEGVR49HjB+ItKZSz+7IvqAMjhK6h

> > Also, it seems to me that the -H flag is forcing Milter insert messages
> > to be written to the syslog, even though we are not using the -l flag.
> > Is there any reason for that?
>
> That insert message is generated by sendmail and not by dk-filter.

Is it possible to configure sendmail not to log the Milter inserts, while still logging other events?

Thanks,
Peter
From: Murray S. K. <ms...@se...> - 2008-02-05 18:49:35

What "-H" does is include the list of headers that were signed so the verifier can reproduce the message correctly. Otherwise, all headers below the DomainKeys signature are assumed to have been part of the signed message. Thus, if you sign a message and then something between you and the verifier appends or inserts a header below the signature, the message they get and the message you sent won't be the same and the signature will be considered "bad".

So given what you're reporting, my guess is something down the line (probably at your site) is adding a header post-signing and that's what's making verification fail.
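The header-selection rule Murray describes, as an added worked example that is not code from dk-milter or from anyone in this thread. The script signs a constructed three-header message once without an h= tag (dk-milter without -H) and once with one (dk-milter with -H), then adds a Return-Path header below the signature, or a Received header above it, after signing and runs verification. To stay standard-library only, the rsa-sha1 signature is stood in for by HMAC-SHA1 under a shared secret, "nofws" canonicalization is approximated by stripping all whitespace from each line, covered headers are taken in message order rather than h= order, and no DNS lookup of the selector is done; all of those are assumptions of this example, not features of dk-milter.

```python
"""Why a DomainKeys signature without an h= tag is broken by a header added
below it after signing, while one with h= (dk-milter's -H) survives.

Added example, not code from dk-milter or from this thread. Assumptions made
to keep it self-contained (standard library only):
  * rsa-sha1 is stood in for by HMAC-SHA1 under a shared secret; only the
    header-selection logic matters for the point being shown;
  * "nofws" canonicalization is approximated as: strip all whitespace from
    every header and body line, join with CRLF, drop trailing blank body lines;
  * with h= present, covered headers are taken in message order rather than
    in h= order, and no DNS lookup of the selector (q=dns, s=relay) is made.
"""
import base64
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

SECRET = b"demo-shared-secret"        # stand-in for the RSA key pair (assumption)
SIG_HEADER = "DomainKey-Signature"
Header = Tuple[str, str]
_WS = re.compile(r"\s+")


def nofws(line: str) -> str:
    """nofws: the line with all whitespace removed."""
    return _WS.sub("", line)


def covered_headers(headers: List[Header], signed_names: Optional[List[str]]) -> List[Header]:
    """Headers the signature covers.

    h= present: the named headers only, wherever they sit in the block.
    h= absent : every header *below* the DomainKey-Signature header (all of
    them at signing time, when that header does not exist yet). A header
    appended below the signature after signing therefore changes what the
    verifier hashes but not what the signer hashed.
    """
    if signed_names is not None:
        wanted = {n.lower() for n in signed_names}
        return [h for h in headers if h[0].lower() in wanted]
    sig_idx = next((i for i, (n, _) in enumerate(headers) if n.lower() == SIG_HEADER.lower()), -1)
    return headers[sig_idx + 1:]


def canonicalize(headers: List[Header], body: str, signed_names: Optional[List[str]]) -> bytes:
    header_lines = [nofws(f"{n}:{v}") for n, v in covered_headers(headers, signed_names)]
    body_lines = [nofws(line) for line in body.split("\n")]
    while body_lines and body_lines[-1] == "":
        body_lines.pop()
    return ("\r\n".join(header_lines) + "\r\n\r\n" + "\r\n".join(body_lines) + "\r\n").encode()


def _mac(data: bytes) -> bytes:
    return hmac.new(SECRET, data, hashlib.sha1).digest()


def sign(headers: List[Header], body: str, signed_names: Optional[List[str]] = None) -> str:
    """Value of the DomainKey-Signature header. signed_names=None mimics
    dk-milter without -H (no h= tag); a list mimics dk-milter with -H."""
    tags = ["a=rsa-sha1", "s=relay", "d=example.com", "c=nofws", "q=dns"]  # a= kept for shape only
    if signed_names is not None:
        tags.append("h=" + ":".join(signed_names))
    tags.append("b=" + base64.b64encode(_mac(canonicalize(headers, body, signed_names))).decode())
    return "; ".join(tags)


def verify(headers: List[Header], body: str) -> bool:
    """Verifier side: rebuild the canonical input from the received headers,
    using h= if present and the 'everything below the signature' rule if not."""
    sig = next((v for n, v in headers if n.lower() == SIG_HEADER.lower()), None)
    if sig is None:
        return False
    tags = dict(part.strip().partition("=")[::2] for part in sig.split(";") if part.strip())
    signed_names = tags["h"].split(":") if "h" in tags else None
    expected = _mac(canonicalize(headers, body, signed_names))
    return hmac.compare_digest(expected, base64.b64decode(tags["b"]))


def scenario(use_h_tag: bool, added_header: Optional[str] = None) -> bool:
    """Sign a constructed message, then add a header 'above' or 'below' the
    signature after signing (or None), and return the verification result."""
    headers = [("From", "peter@example.com"),
               ("To", "recipient@example.net"),
               ("Subject", "DomainKeys test")]        # constructed sample message
    body = "Hello from dk-milter.\n\n"
    names = ["from", "to", "subject"] if use_h_tag else None
    signed = [(SIG_HEADER, sign(headers, body, names))] + headers  # milter inserts at the top
    if added_header == "below":
        signed.append(("Return-Path", "<peter@example.com>"))     # e.g. added by the MTA
    elif added_header == "above":
        signed.insert(0, ("Received", "from relay by mx (constructed)"))  # e.g. a downstream hop
    return verify(signed, body)


if __name__ == "__main__":
    for h_tag in (False, True):
        for where in (None, "above", "below"):
            print(f"-H {'on ' if h_tag else 'off'}, header added {where!s:5}: "
                  f"{'pass' if scenario(h_tag, where) else 'fail (bad sig)'}")
```

Only one combination fails: no h= tag and a header added below the signature, which matches the four results Peter reports. Headers added above the signature (the Received lines every relay adds) never affect the result, and with -H the position of the added header stops mattering because the verifier hashes exactly the named headers.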
From: SM <sm...@re...> - 2008-02-05 16:23:03

Hi Peter,

At 06:48 05-02-2008, Peter Wood wrote:
> We're using Sendmail, not Exchange, for the messages in question. In any
> case, I added "-o Return-Path" to the dk-filter startup arguments,
> restarted Sendmail and domainkeys, and Yahoo is still saying that our
> signature is bad. If I add the -H option back to the dk-filter startup
> arguments, the signature turns out good, regardless of whether -o
> Return-Path is present.

Send me a DomainKey signed email off-list.

> Here's the DomainKey signature header, as seen with the -H option on and

In such cases, we need to see the full headers to determine what may be wrong. You only provided the DomainKey signature header.

> Is it possible to configure sendmail not to log the Milter inserts,
> while still logging other events?

Yes. You can lower the milter log level with confMILTER_LOG_LEVEL.

Regards,
-sm
From: Peter W. <pw...@ch...> - 2008-02-06 15:07:37

I think we're just going to leave the -H flag in so that we don't have to worry about what headers are added. And we'll take a look at the MILTER_LOG_LEVEL and some other options in order to suppress the logging a bit. My main concern was that it seemed that the -H flag was causing it, which is incorrect.

Thanks,
Peter

> -----Original Message-----
> From: dk-...@li... [mailto:dk-...@li...] On Behalf Of SM
> Sent: Tuesday, February 05, 2008 11:18 AM
> To: General discussion and usage issues
> Subject: RE: Signatures not recognized without -H flag?
>
> Hi Peter,
> At 06:48 05-02-2008, Peter Wood wrote:
> > We're using Sendmail, not Exchange, for the messages in question. In
> > any case, I added "-o Return-Path" to the dk-filter startup arguments,
> > restarted Sendmail and domainkeys, and Yahoo is still saying that our
> > signature is bad. If I add the -H option back to the dk-filter startup
> > arguments, the signature turns out good, regardless of whether -o
> > Return-Path is present.
>
> Send me a DomainKey signed email off-list.
>
> > Here's the DomainKey signature header, as seen with the -H option on
> > and
>
> In such cases, we need to see the full headers to determine what may
> be wrong. You only provided the DomainKey signature header.
>
> > Is it possible to configure sendmail not to log the Milter inserts,
> > while still logging other events?
>
> Yes. You can lower the milter log level with confMILTER_LOG_LEVEL.
>
> Regards,
> -sm
From: SM <sm...@re...> - 2008-02-06 18:59:32

At 05:46 05-02-2008, Peter Wood wrote:
> I'm working on implementing DomainKeys for our company, and we're using
> dk-milter to sign our outgoing email. After some fiddling around, I was
> able to send out signed emails and have them verified by Yahoo and by
> the verifier app at http://senderid.espcoalition.org/. However, I didn't
> get this working until I added the -H flag, which to my understanding
> adds a list of the headers used in the signature to the signature
> header itself. Without that flag, Yahoo was saying that my signature was
> "bad". Any idea why having the -H flag would make my signature "good"?

As a follow-up, the signature is "bad" because a header is inserted after the message is signed by dk-milter.

Regards,
-sm