My setup is a bit complex, so hopefully this will fully explain the problem. We host tens of thousands of domains and we have parent/child domain hosting such that we wish to sign with the parent domain always, and with a child domain if a key pair is set up. We are using the setup, final, signingTable, and keyTable Lua scripts. I am forcing accept in the final script because we cannot allow email to be blocked for any reason; we want it to just pass through signed by the parent key if the child key doesn't exist. When I force the signing at the parent level in the setup script I get a positive result, and I get a positive result for a child domain that has a key; I get both DKIM headers at the destination. But when there is no child key available I have no choice but to pass back meaningless strings from the keyTable script, because opendkim core dumps if I return nil (this is another bug, but I've seen others complain about that, so I won't say anything more).
I'll attach the actual Lua scripting, along with the relevant sendmail log lines and the headers in the received emails (actual domains have been changed to protect the innocent):
With keyed child domain child_domain.com:
Sendmail Logs:
Sep 6 13:57:14 mail2c40 opendkim[28891]: setup.lua => Begin
Sep 6 13:57:14 mail2c40 opendkim[28891]: setup.lua => No HID
Sep 6 13:57:14 mail2c40 opendkim[28891]: setup.lua => HID -> parent_domain.com(force) RET -> 1
Sep 6 13:57:14 mail2c40 opendkim[28891]: setup.lua => End
Sep 6 13:57:14 mail2c40 opendkim[28891]: final.lua => Done!
Sep 6 13:57:14 mail2c40 w86Hug8O029133 abuse.mytestingdom.com [216.55.146.135]: data: w86Hug8O029133: Milter insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=child_domain.com;\n\ts=hmail; t=1536256634;\n\tbh=hWT/xCCqn74D95YGQ7qVYno4+SADQZ7JfoeZshB7AFQ=;\n\th=From:To:Subject:From;\n\tb=IYl3vHxvATkAC8ACZ3LLTmgSqwvVfqlj9M+Ww4j5yzGH23gibVjS4gtWrckJykjCv\n\t wG/1X2DZWCN8gvdCb50LUwlTrUbROLvi7SMcfcfRhOktMS40XzLLLi6Vbi0ndNcCFn\n\t yNdSBdX/kD40FMdPir5mWFrZtXG/AJnnJo2eF8NU=
Sep 6 13:57:14 mail2c40 opendkim[28891]: w86Hug8O029133: DKIM-Signature field added (s=hmail, d=child_domain.com)
Sep 6 13:57:14 mail2c40 w86Hug8O029133 abuse.mytestingdom.com [216.55.146.135]: data: w86Hug8O029133: Milter insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=parent_domain.com; s=hmail;\n\tt=1536256634; bh=hWT/xCCqn74D95YGQ7qVYno4+SADQZ7JfoeZshB7AFQ=;\n\th=From:To:Subject:From;\n\tb=h+VH23KkF+zss+nPk/g6aoy6iHE2kgQazXOt9KiIX9KWmy7U/EtkSnhXV/gzNjqOR\n\t QkOa8SRxO9d+8yXN8/zL935LRtdf+2DBuYskEpag9ncFxspSjnI4Yj7wrMj2KfDrHp\n\t 8voiWdpViRDOwMt26ky8d0tJm57bTe5nQM1ey4AI=
Sep 6 13:57:14 mail2c40 opendkim[28891]: w86Hug8O029133: DKIM-Signature field added (s=hmail, d=parent_domain.com)
Headers at receiving end:
Authentication-Results: mx.google.com;
dkim=pass header.i=@parent_domain.com header.s=hmail header.b=h+VH23Kk;
dkim=pass header.i=@child_domain.com header.s=hmail header.b=IYl3vHxv;
With no-key child domain child_domain.net:
Sendmail Logs:
Sep 6 13:58:30 mail2c40 opendkim[28891]: setup.lua => Begin
Sep 6 13:58:30 mail2c40 opendkim[28891]: setup.lua => No HID
Sep 6 13:58:30 mail2c40 opendkim[28891]: setup.lua => HID -> parent_domain.com(force) RET -> 1
Sep 6 13:58:30 mail2c40 opendkim[28891]: setup.lua => End
Sep 6 13:58:30 mail2c40 opendkim[28891]: final.lua => Done!
Sep 6 13:58:30 mail2c40 opendkim[28891]: w86HvkRv029782: SSL error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
Sep 6 13:58:30 mail2c40 opendkim[28891]: w86HvkRv029782: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed
Authentication-Results: mx.google.com;
(No headers at all, not even the parent_domain.com header that successfully signed)
Now, the man page for opendkim-lua (http://www.opendkim.org/opendkim-lua.3.html) says:
final
... If the message is accepted, any signatures requested earlier will be added to the messages before it is released.
With this I was expecting that the successful signing in the setup script would still be applied, even though a child_domain.com key was not available, but I get no header at all.
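As an added example (not part of the post, and not OpenDKIM's own code): a small Python log audit that correlates the opendkim lines quoted above by queue id and flags messages that left the MTA without the required parent signature because the private key could not be loaded. The sample lines are copied from the post; the function and verdict names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the queue-id-bearing opendkim lines from the two test messages above.
SAMPLE_LOG = """\
Sep 6 13:57:14 mail2c40 opendkim[28891]: w86Hug8O029133: DKIM-Signature field added (s=hmail, d=child_domain.com)
Sep 6 13:57:14 mail2c40 opendkim[28891]: w86Hug8O029133: DKIM-Signature field added (s=hmail, d=parent_domain.com)
Sep 6 13:58:30 mail2c40 opendkim[28891]: w86HvkRv029782: SSL error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
Sep 6 13:58:30 mail2c40 opendkim[28891]: w86HvkRv029782: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed
"""

# Lines without a queue id (e.g. "setup.lua => Begin") are skipped on purpose.
LINE_RE = re.compile(r"opendkim\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
ADDED_RE = re.compile(r"DKIM-Signature field added \(s=(?P<sel>[^,]+), d=(?P<dom>[^)]+)\)")
KEY_LOAD_MARKERS = ("d2i_PrivateKey_bio() failed", "ASN1_D2I_READ_BIO")


def audit_signing(log_text, required_domain):
    """Map each queue id to 'signed', 'unsigned:key-load-failed' or 'unsigned:no-signature'.

    'signed' means a DKIM-Signature for required_domain was actually added; a
    key-load failure on any selector of the message drops every signature, so
    the parent signature is reported missing even though setup.lua requested it.
    """
    signed_domains = defaultdict(set)
    key_failed = set()
    order = []  # queue ids in first-seen order
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        if qid not in order:
            order.append(qid)
        added = ADDED_RE.search(msg)
        if added:
            signed_domains[qid].add(added.group("dom"))
        elif any(marker in msg for marker in KEY_LOAD_MARKERS):
            key_failed.add(qid)

    verdicts = {}
    for qid in order:
        if required_domain in signed_domains[qid] and qid not in key_failed:
            verdicts[qid] = "signed"
        elif qid in key_failed:
            verdicts[qid] = "unsigned:key-load-failed"
        else:
            verdicts[qid] = "unsigned:no-signature"
    return verdicts
```

Running `audit_signing(SAMPLE_LOG, "parent_domain.com")` reports the child_domain.net message as unsigned with a key-load failure, which is the condition to alert on while the keyTable script still returns placeholder strings.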
The title should say Fails and not Kails