I've installed opendkim on CentOS 6.3. It's running via Postfix. I've managed to get the DKIM signature working, and have created the corresponding DNS entry to match it.
My problem is that the verification is still not working. I've checked the process using http://www.brandonchecketts.com/ and get the following:
DKIM Signature
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=northernculture.co.uk; s=default; t=1351695375;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
b=ODeZFiK/4Lzi4TFNCfQW1AVzkzY1bmT5ZowL1eJbw2boOgDl3QzBuACYHwpUhIVYy
Qcd4Tz+tq4Uai4Nih+ZL0rqThZqOanVFDV29mctSlF/PH4bxhqNOClTxy+TbePlK2T
MFKRyDsJ0R0KnTHtkIKrfBaKUKRIsDNd4upl6e7E=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=northernculture.co.uk; s=default; t=1351695373;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
b=RlrcloolpmIYd/MJ9uLHP/0MKJKMUtXwmd1iwfGuxl6TwAKUoLuye7cGXQH4oxHDV
yFiKjVQGjZqc01CnrF1QLShSyyxd2rg1abPkbGJ/n8W/+4UyhZwrz7ccMq/WCZgSif
O+3auNejlDzPcp8HCUPtkS4oj7m6J+U97C3faSEU=
Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/simple
d= Domain: northernculture.co.uk
s= Selector: default
q= Protocol:
bh= frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=
h= Signed Headers: Date:From:To
b= Data: ODeZFiK/4Lzi4TFNCfQW1AVzkzY1bmT5ZowL1eJbw2boOgDl3QzBuACYHwpUhIVYy
Qcd4Tz+tq4Uai4Nih+ZL0rqThZqOanVFDV29mctSlF/PH4bxhqNOClTxy+TbePlK2T
MFKRyDsJ0R0KnTHtkIKrfBaKUKRIsDNd4upl6e7E=
Public Key DNS Lookup
Building DNS Query for default._domainkey.northernculture.co.uk
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCobNbY44t/jIXZxXCmN78OalxvteJ3ufOD071iKiXbiSoNPEahaf4iVH7fT9K1NxSq2OYgXrUGWi2VWFJxFqo9XnHBZBN1xU4iPjd4oS5FOcIXSvAmT4kr9WosJ+whkSLem4hAqR8S4Iw9ie3VV2huxGpDcWymxJbwZbfotjxSbQIDAQAB
Validating Signature
result = fail
Details: bad RSA signature
I'm at a loss to work out where this is going wrong. Can anyone suggest where I can look for a solution?
opendkim comes with a tool called opendkim-testkey that can be used to confirm that the private key with which you're signing and the public key you have in the DNS match up. Give it a try with your setup and see what it tells you.
You can also try emailing an autoresponder (see opendkim/README for a list of some) to see if they verify your signed mail.
Hi, thanks for your help. I've tried opendkim-testkey, it shows no errors. I've tried this command:
opendkim-testkey -d northernculture.co.uk -s default -k /etc/opendkim/keys/northernculture.co.uk/default.private -v -v
to specify the private key file, and this:
opendkim-testkey -d northernculture.co.uk -s default -k -v -v
which should use the keytable that I've set up.
Here are some autoresponder replies:
autorespond+dkim@dk.elandsys.com says
**************************************************************************************
**************************************************************************************
DKIM Signature validation: permerror
DKIM Author Domain Signing Practices: "dkim=unknown"
ADSP is not required for DKIM signature validation.
Information about DKIM is available at http://www.elandsys.com/resources/mail/dkim/opendkim.html
Information about ADSP is available at http://www.elandsys.com/resources/mail/dkim/opendkim.html
Information about dkim-milter is available at http://www.elandsys.com/resources/sendmail/dkim.html
Information about DomainKeys is available at http://www.elandsys.com/resources/sendmail/domainkeys.html
Original message:
Received: from mail.northernculture.co.uk (mail.northernculture.co.uk [31.222.190.92])
by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id qA175iPi012680
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <autorespond+dkim@dk.elandsys.com>; Thu, 1 Nov 2012 00:05:51 -0700 (PDT)
Authentication-Results: mx.elandsys.com; dkim=permerror
reason="verification error: signature timestamp in the future"
header.i=@northernculture.co.uk header.b=MncRRps7;
dkim-adsp=unknown (insecure policy)
Received: from localhost (unknown [127.0.0.1])
by mail.northernculture.co.uk (Postfix) with ESMTP id E6E754269E
for <autorespond+dkim@dk.elandsys.com>; Thu, 1 Nov 2012 07:08:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=northernculture.co.uk; s=default; t=1351753740;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
b=MncRRps7LT4lfi5WJL+sOAEO+0X629EUBnRHbNv7Ticg/BrcibK2a0QtMohmcxDaa
aBm4Xw93KpZ4uKgID54ALESFZuQtC/89JIvoQ331pDzcqQV/DT9T2wHBSCIMroTYeH
kH4RCkHL1U+t+OpOgiHicninZFpi7CBEn/ae7hK4=
X-Virus-Scanned: amavisd-new at mail.northernculture.co.uk
Received: from mail.northernculture.co.uk ([127.0.0.1])
by localhost (mail.northernculture.co.uk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id auygqKWoQ1D1 for <autorespond+dkim@dk.elandsys.com>;
Thu, 1 Nov 2012 07:08:58 +0000 (UTC)
Received: from [192.168.1.70] (host86-174-120-39.range86-174.btcentralplus.com [86.174.120.39])
(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
(No client certificate requested)
by mail.northernculture.co.uk (Postfix) with ESMTPSA id 2EBF24269D
for <autorespond+dkim@dk.elandsys.com>; Thu, 1 Nov 2012 07:08:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=northernculture.co.uk; s=default; t=1351753738;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
b=WO8NgQpp+/jJGxbrJJRQBnNq2cym/CN1CmWYsp1KfExqq+AUabn6aqg1P3PgfzB8f
7moZe1wZ3x0NAhex2JhRbW5zJB0A0A2Ws/jD45oGJa/JuCusn7ByoJYdwjInj3UsSB
ux1LE0hGdCVglbmVweE1IkuxUJDOMiL0H3iRB65c=
Message-ID: <50921F3F.6030805@northernculture.co.uk>
Date: Thu, 01 Nov 2012 07:05:35 +0000
From: Joe Miller <admin@northernculture.co.uk>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121028 Thunderbird/16.0.2
MIME-Version: 1.0
To: autorespond+dkim@dk.elandsys.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
**************************************************************************************
**************************************************************************************
dktest@exhalus.net says:
**************************************************************************************
**************************************************************************************
.mechanism DomainKeys
information: http://antispam.yahoo.com/domainkeys
reflector spec: rfc4870
auth result: neutral (no signature)
.mechanism DomainKeys Identified Mail
information: http://dkim.org
reflector spec: rfc4871
draft-allman-dkim-ssp-01
auth result: suspicious (multiple invalid signatures)
**************************************************************************************
**************************************************************************************
check-auth@verifier.port25.com says:
**************************************************************************************
**************************************************************************************
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
==========================================================
Details:
==========================================================
HELO hostname: mail.northernculture.co.uk
Source IP: 31.222.190.92
mail-from: admin@northernculture.co.uk
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mailfrom=admin@northernculture.co.uk
DNS record(s):
northernculture.co.uk. SPF (no records)
northernculture.co.uk. 86400 IN TXT "v=spf1 mx ip4:31.222.190.9 ptr:mail.northernculture.co.uk mx:mail.northernculture.co.uk -all"
northernculture.co.uk. 3600 IN MX 10 mail.northernculture.co.uk.
mail.northernculture.co.uk. 3600 IN A 31.222.190.92
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=admin@northernculture.co.uk
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: pass (matches From: admin@northernculture.co.uk)
ID(s) verified: header.d=northernculture.co.uk
Canonicalized Headers:
date:Thu,'20'01'20'Nov'20'2012'20'07:05:19'20'+0000'0D''0A'
from:Joe'20'Miller'20'<admin@northernculture.co.uk>'0D''0A'
to:check-auth@verifier.port25.com'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=northernculture.co.uk;'20's=default;'20't=1351753729;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=Date:From:To;'20'b=
Canonicalized Body:
'0D''0A'
DNS record(s):
default._domainkey.northernculture.co.uk. 86400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/ADuqMPgIq6egTn0RL1+8AJMPfsPm/ukcdquFqxeHpic3sfH1HOepMw5eHMrv0zhyESeTmMf+Rxjmd5o6/kC3qwyM+1RS+NXr3zwke8k/2j2CH9wJ78WBjZJu2woVb0nogeKcdTYoGeMPRHV+detwqBwPbsrc3tIhzT1MZ1qv5QIDAQAB"
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: pass (matches From: admin@northernculture.co.uk)
ID(s) verified: header.d=northernculture.co.uk
Canonicalized Headers:
date:Thu,'20'01'20'Nov'20'2012'20'07:05:19'20'+0000'0D''0A'
from:Joe'20'Miller'20'<admin@northernculture.co.uk>'0D''0A'
to:check-auth@verifier.port25.com'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=northernculture.co.uk;'20's=default;'20't=1351753722;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=Date:From:To;'20'b=
Canonicalized Body:
'0D''0A'
DNS record(s):
default._domainkey.northernculture.co.uk. 86400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/ADuqMPgIq6egTn0RL1+8AJMPfsPm/ukcdquFqxeHpic3sfH1HOepMw5eHMrv0zhyESeTmMf+Rxjmd5o6/kC3qwyM+1RS+NXr3zwke8k/2j2CH9wJ78WBjZJu2woVb0nogeKcdTYoGeMPRHV+detwqBwPbsrc3tIhzT1MZ1qv5QIDAQAB"
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result: pass
ID(s) verified: header.From=admin@northernculture.co.uk
DNS record(s):
northernculture.co.uk. SPF (no records)
northernculture.co.uk. 86400 IN TXT "v=spf1 mx ip4:31.222.190.9 ptr:mail.northernculture.co.uk mx:mail.northernculture.co.uk -all"
northernculture.co.uk. 3600 IN MX 10 mail.northernculture.co.uk.
mail.northernculture.co.uk. 3600 IN A 31.222.190.92
----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.3.1 (2010-03-16)
Result: ham (1.4 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
1.8 MISSING_SUBJECT Missing Subject: header
2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
Subject: text
==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================
<snip>
==========================================================
Original Email
==========================================================
Return-Path: <admin@northernculture.co.uk>
Received: from mail.northernculture.co.uk (31.222.190.92) by verifier.port25.com id hi8fjm11u9cq for <check-auth@verifier.port25.com>; Thu, 1 Nov 2012 03:05:31 -0400 (envelope-from <admin@northernculture.co.uk>)
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=admin@northernculture.co.uk
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=admin@northernculture.co.uk
Authentication-Results: verifier.port25.com; dkim=pass (matches From: admin@northernculture.co.uk) header.d=northernculture.co.uk
Authentication-Results: verifier.port25.com; dkim=pass (matches From: admin@northernculture.co.uk) header.d=northernculture.co.uk
Authentication-Results: verifier.port25.com; sender-id=pass header.From=admin@northernculture.co.uk
Received: from localhost (unknown [127.0.0.1])
by mail.northernculture.co.uk (Postfix) with ESMTP id 75FA84269D
for <check-auth@verifier.port25.com>; Thu, 1 Nov 2012 07:08:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=northernculture.co.uk; s=default; t=1351753729;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
b=kS0UCL3HlAJz7uONk0Z1Q4hOpMK9DL/F92xK56cDxEqeoU8ZVCIrx6antM71jeGJn
fpWFQl09R2O5zvWZSa+VgtSWh2m/7Ccbq8bEc/Hx+WiQB6LIQ/oHCh40UgCcOG36g2
Yergb2xZURfQqgDMRJiciC6N6qWcBimc8a3VrTPM=
X-Virus-Scanned: amavisd-new at mail.northernculture.co.uk
Received: from mail.northernculture.co.uk ([127.0.0.1])
by localhost (mail.northernculture.co.uk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id DJwkMsbVjzM5 for <check-auth@verifier.port25.com>;
Thu, 1 Nov 2012 07:08:43 +0000 (UTC)
Received: from [192.168.1.70] (host86-174-120-39.range86-174.btcentralplus.com [86.174.120.39])
(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
(No client certificate requested)
by mail.northernculture.co.uk (Postfix) with ESMTPSA id B17424269B
for <check-auth@verifier.port25.com>; Thu, 1 Nov 2012 07:08:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=northernculture.co.uk; s=default; t=1351753722;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To;
b=oWbpj++q/gQ0Lo3iJGWfBiJVwKuPKoGZcyrXze+KRzn3JdectyJU0Rb+tkJ5yXDl8
IAjdRzP5ytXT2uUVheU9UmYJsyi+fdUC98fBR+xyXZfTaqxleXTB+MipDPFyCp7qdZ
LwAPeFp/vSBTMxEDbdAT1Ll9QW3o/VYpNyNXW0Iw=
Message-ID: <50921F2F.4090801@northernculture.co.uk>
Date: Thu, 01 Nov 2012 07:05:19 +0000
From: Joe Miller <admin@northernculture.co.uk>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121028 Thunderbird/16.0.2
MIME-Version: 1.0
To: check-auth@verifier.port25.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
**************************************************************************************
**************************************************************************************
Now I'm even more confused! None of them seem to agree on the verification. Some say it failed, one says it passed, and neither agree on what it's failed on. Any ideas? I'm going to try and find out why I've got two signatures, and see if I can correct that. If successful, I'll rerun the autoresponders and post back.
Many thanks for your help
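Added example, not part of the original thread: a small Python triage that counts the DKIM-Signature headers on a message and compares each t= tag with the time the verifier stamped in its own Received header, the two conditions the elandsys report above points at. The function names are hypothetical and the sample headers are copied from that report with the b= data elided.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: headers taken from the elandsys report in this thread.
# The b= signature data is elided because this check does not need it.
SAMPLE = """\
Received: from mail.northernculture.co.uk (mail.northernculture.co.uk [31.222.190.92])
\tby mx.elandsys.com (8.14.5/8.14.5) with ESMTP id qA175iPi012680
\tfor <autorespond+dkim@dk.elandsys.com>; Thu, 1 Nov 2012 00:05:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
\td=northernculture.co.uk; s=default; t=1351753740;
\tbh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To; b=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
\td=northernculture.co.uk; s=default; t=1351753738;
\tbh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; h=Date:From:To; b=
From: Joe Miller <admin@northernculture.co.uk>

"""

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2), unfolding whitespace."""
    tags = {}
    for part in re.sub(r"\s+", " ", value).split(";"):
        name, sep, val = part.partition("=")   # first '=' only: bh= ends in '='
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def signature_report(raw_message):
    """Return one dict per DKIM-Signature header, with its clock skew in seconds."""
    msg = message_from_string(raw_message)
    # The topmost Received header is the verifier's hop; its date follows the last ';'.
    received = msg.get_all("Received")[0].rsplit(";", 1)[1]
    received = re.sub(r"\(.*?\)", "", received).strip()   # drop the "(PDT)" comment
    seen_at = int(parsedate_to_datetime(received).timestamp())
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        t = tags.get("t")                      # t= is optional in a signature
        report.append({"d": tags.get("d"), "s": tags.get("s"),
                       "seconds_ahead": int(t) - seen_at if t else None})
    return report
```

A positive seconds_ahead means the signing host's clock was ahead of the verifier's when the message arrived; more than one entry in the report means the message was signed more than once.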
Ok, I think I'm sorted now. I've corrected the double signing, and retried all autoresponders, and reset the system time. The problem seems to be if I send an empty email; Postfix seems to add stuff to the body of the email, maybe a blank line? Anyway, if I send emails with subject line and something in the body they all pass.
Thanks again for your help, much appreciated.
Simply adding blank lines to a message shouldn't cause problems, because DKIM anticipates those and thus it's not enough to break a signature.
I'll close this now since you say all is well. Please open another support request if needed.
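Added example, not part of the original thread: the RFC 6376 body canonicalizations in Python, showing that trailing blank lines do not change the body hash and that the bh= value in every signature quoted above is the hash of an empty body under the "simple" body algorithm selected by c=relaxed/simple. The function names are hypothetical, and the code says nothing about why any particular verifier rejected a message.

```python
import base64
import hashlib
import re

# bh= value carried by every DKIM-Signature header quoted in this thread.
PAGE_BH = "frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY="

def _to_crlf(body: bytes) -> bytes:
    """Normalise bare CR or LF line endings to CRLF, as on the SMTP wire."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", body)

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: ignore empty lines at the end; always end with one CRLF."""
    body = _to_crlf(body)
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"          # an empty body becomes a single CRLF

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse runs of spaces/tabs and strip them at line end."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in _to_crlf(body).split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()                # trailing empty lines are ignored
    return b"".join(ln + b"\r\n" for ln in lines)   # empty body stays empty

def body_hash(body: bytes, mode: str = "simple") -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag for a=rsa-sha256."""
    canon = canon_simple(body) if mode == "simple" else canon_relaxed(body)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

if __name__ == "__main__":
    for label, body in [("empty", b""), ("three blank lines", b"\r\n\r\n\r\n"),
                        ("text", b"hello\r\n"), ("text + blanks", b"hello\r\n\r\n")]:
        print(f"{label:18} simple={body_hash(body)} relaxed={body_hash(body, 'relaxed')}")
```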