Discussion:
[dkim-milter-discuss] verifying dkim signature and use with outlook express
brandon murphy
2011-03-29 15:00:52 UTC
I am a newbie with dkim and opendkim. I am attempting to setup a test server
using dkim-filter. I have loaded a CentOS5.5 box with sendmail, postfix, and
mailx. sending emails works with just this base setup. I am now attempting
to put dkim-milter on the server. after going through the install setup I am
sending emails to brandon checketts and find that it comes back with

Validating Signature
result = fail
Details: message has been altered

on a test windows box I have setup outlook express and am attempting to
spoof my user/domain name on that to see if sending from that will generate
anything different (it comes back stating that no domain key was found.) my
mail log posts the following:
Mar 29 14:49:52 DKIM dkim-filter[8146]: (unknown-jobid) external host example.com attempted to send as dkimtest.com
Mar 29 14:49:52 DKIM dkim-filter[8146]: (unknown-jobid) not internal
Mar 29 14:49:52 DKIM dkim-filter[8146]: (unknown-jobid) not authenticated
Mar 29 14:49:52 DKIM dkim-filter[8146]: (unknown-jobid) mode select: verifying

Note: I changed the names in the mail log to protect company identity.

any help would be greatly appreciated.
Todd Lyons
2011-03-29 17:41:52 UTC
I suspect you're using the old version called dkim-milter.
Development on this version was stopped over a year ago and forked
into a new project called "opendkim". The home website is at
www.opendkim.org (it's run on sourceforge with appropriate bug tracker
and file download support). I'd suggest you make sure you're running
the latest version of opendkim to get the latest standards-compliant
code, and join the opendkim-users mailing list.

On Tue, Mar 29, 2011 at 8:00 AM, brandon murphy
Post by brandon murphy
I am a newbie with dkim and opendkim. I am attempting to setup a test server
using dkim-filter. I have loaded a CentOS5.5 box with sendmail, postfix, and
Why both? You'll want to use either sendmail or postfix, but I can
also think of weird corner cases where you might want to use both.
But then again, maybe you're just testing.
Post by brandon murphy
mailx. sending emails works with just this base setup. I am now attempting
to put dkim-milter on the server. after going through the install setup I am
sending emails to brandon checketts and find that it comes back with
Validating Signature
result = fail
Details: message has been altered
If you do any kind of masquerading in sendmail, it can cause problems.
Current opendkim handles such cases better, if they apply to
you.
Post by brandon murphy
on a test windows box I have setup outlook express and am attempting to
spoof my user/domain name on that to see if sending from that will generate
anything different (it comes back stating that no domain key was found.) my
It's going to use the name in the From: header to decide what key to
use to sign. If you are sending with a spoofed domain, opendkim will
require that domain key, not your current one. Though there are cases
where you can make it sign email from any domain with your domain key,
that's not the recommended mode of usage.
Post by brandon murphy
Mar 29 14:49:52 DKIM dkim-filter[8146]: (unknown-jobid) external host
example.com attempted to send as dkimtest.com
Mar 29 14:49:52 DKIM dkim-filter[8146]: (unknown-jobid) not internal
Mar 29 14:49:52 DKIM dkim-filter[8146]: (unknown-jobid) not authenticated
verifying
It says that it's not internal, and it's not authenticated, so it
decides not to sign, but instead to verify. Normal. Your sending
domain must match (some domain set) and (your IP address must match
some ip block set OR your connection must be authenticated).
Post by brandon murphy
Note: I changed the names in the mail log to protect company identity.
Obfuscation is normally advised against, but in this case it didn't
hurt anything.
--
Regards...      Todd
"It is the nature of the human species to reject what is true but
unpleasant and to embrace what is obviously false but comforting."
"You might be a skeptic if you have pedantically argued the topic of pedantry."
Todd Lyons
2011-03-29 17:55:56 UTC
Back onlist...

On Tue, Mar 29, 2011 at 10:46 AM, brandon murphy
I am using dkim-milter.
even using open-dkim it brings up these errors.
Ok, that's good to know. Which testing services are you using? Can
you give us a domain and selector so that we may verify that your DNS
is configured properly? If we can't see your dns text records, then
neither can the systems which are doing verification.
I have sendmail preloaded on the server, I stop that service to use postfix.
my apologies for the confusion with that. postfix loaded is straight out the
box postfix. no masquerading is being used to my knowledge.
Ok, so you're using postfix to do this. I know that recently I've
seen cases where someone had to force postfix to only process a
message through milters once, but I do not recall the exact scenario.
I suggest viewing the opendkim mailing list archives to see if you can
spot anything postfix related that might make sense to you.
--
Regards...      Todd
"It is the nature of the human species to reject what is true but
unpleasant and to embrace what is obviously false but comforting."
"You might be a skeptic if you have pedantically argued the topic of pedantry."
brandon murphy
2011-03-29 18:07:23 UTC
I have tested using outlook express from a windows server in my dev
environment, using mail on the dkim test box, and using alpine

my DNS records show up on brandoncheckett test as such

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dkimtest.reyrey.net;
s=default; t=1301417449;
bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=To:Subject:Message-Id:Date:From;
b=vHrFZQTBl1DOSfvcx0ir5VORt7PRRPL/InG6+Dsq7YXmr6RESygt3NBstPIZawxVW
3CuBZpjCbMSYzyvl0eeJmfNb2kLhDTzx1UWFjI6V8easXqm5UnQNN6WS8ConZFHlQL
UVVkFPjh420mSp3Lw+X81plpKEta3R5KbjKhJq2E=


Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: dkimtest.reyrey.net
s= Selector: default
q= Protocol:
bh= g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=
h= Signed Headers: To:Subject:Message-Id:Date:From
b= Data:
vHrFZQTBl1DOSfvcx0ir5VORt7PRRPL/InG6+Dsq7YXmr6RESygt3NBstPIZawxVW
3CuBZpjCbMSYzyvl0eeJmfNb2kLhDTzx1UWFjI6V8easXqm5UnQNN6WS8ConZFHlQL
UVVkFPjh420mSp3Lw+X81plpKEta3R5KbjKhJq2E=
Public Key DNS Lookup
Building DNS Query for *default._domainkey.dkimtest.reyrey.net*
Retrieved this publickey from DNS: v=DKIM1; g=*; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDERR/0XNoaE7dWr0zvsJCGqMFUGEw4Rlez1u6QZUfNV2YdlxDhNYrB3iibSjvrUnonNZvZDp7dHx943WPuPhXbAbo035nKsn/tDJIRpGPbKZ4LTIe7WEC5LtYYyChMB0fLdqCGwkkI4HF3ofdK+kyAUk/J25CoftFxBH+XhAyKPQIDAQAB
Validating Signature
result = fail
Details: message has been altered
Todd Lyons
2011-03-29 18:56:58 UTC
On Tue, Mar 29, 2011 at 11:07 AM, brandon murphy
Post by brandon murphy
I have tested using outlook express from a windows server in my dev
environment, using mail on the dkim test box, and using alpine
my DNS records show up on brandoncheckett test as such
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dkimtest.reyrey.net;
s=default; t=1301417449;
bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=To:Subject:Message-Id:Date:From;
b=vHrFZQTBl1DOSfvcx0ir5VORt7PRRPL/InG6+Dsq7YXmr6RESygt3NBstPIZawxVW
3CuBZpjCbMSYzyvl0eeJmfNb2kLhDTzx1UWFjI6V8easXqm5UnQNN6WS8ConZFHlQL
UVVkFPjh420mSp3Lw+X81plpKEta3R5KbjKhJq2E=
With opendkim you can turn on a test mode which encodes all of the
data that was used to sign the email. That would tell us what has
changed from the 5 fields that it signed.
1. To:
2. Subject:
3. Message-Id: ****
4. Date: ****
5. From:

**** Note that if a signature says it signed one of these marked
fields, but your mail client didn't insert it, and the MTA inserts it
_after_ the signature, that will break the signature.
Post by brandon murphy
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: dkimtest.reyrey.net
s= Selector: default
bh= g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=
h= Signed Headers: To:Subject:Message-Id:Date:From
vHrFZQTBl1DOSfvcx0ir5VORt7PRRPL/InG6+Dsq7YXmr6RESygt3NBstPIZawxVW
3CuBZpjCbMSYzyvl0eeJmfNb2kLhDTzx1UWFjI6V8easXqm5UnQNN6WS8ConZFHlQL
UVVkFPjh420mSp3Lw+X81plpKEta3R5KbjKhJq2E=
If you get a version that will insert debugging entries, then your
signature will look like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ivenue.com;
s=test-dk; t=1301411937;
bh=07/Q/EwkrDZO9QBqh0iWjfGS7ouxrqhXySe+7GKiW8g=;
h=Date:Message-Id:From:To:Subject;
z=Date:=20Tue,=2029=20Mar=202011=2008:15:02=20-0700|Message-Id:=20<
***@admin51.ivenue.net>|From:=***@admin
51.ivenue.net=20(Cron=20Daemon)|To:=***@ivenue.com|Subject:
=20Cron=20<***@admin51>=20for=20HEADERS=20in=20/tmp/spamSCOMPhead
ers.log=20/tmp/spamDirectHeaders.log=20/tmp/spamIvenueHeaders.log=
20/disk1/tmp/spamHostPattern.log=20/tmp/spamScoredLogfile.log=3B=2
0do=20[=20-s=20$HEADERS=20]=20&&=20/usr/local/sbin/add_bl_list.pl=
20--file=3D$HEADERS=20--logfile=3D/tmp/addBlacklist.log=20&&=20>=2
0$HEADERS=3B=20done=3B=20nice=20/usr/local/sbin/update_bl_zone.pl=
3B=20nice=20/usr/local/sbin/update_wl_zone.pl|X-Cron-Env:=20<MAILT
O=***@ivenue.com>|X-Cron-Env:=20<SHELL=3D/bin/sh>|X-Cron-En
v:=20<HOME=3D/root>|X-Cron-Env:=20<PATH=3D/usr/bin:/bin>|X-Cron-En
v:=20<LOGNAME=3Droot>|X-Cron-Env:=20<USER=3Droot>|X-Virus-Scanned:
=20clamav-milter=200.97=20at=20lunar.ivenue.com|X-Virus-Status:=20
Clean;
b=HgM0nxsMr65c8xdyGWZ5PV2PETCxcMXdjPmcRroaM9FDIcwXKyJfCa1OV6Favx/Br
Qe81Bg9E8j2K+DtE8NTJQ==

Note the z= setting. It shows exactly what was used to sign the
email. It's enabled in opendkim by adding:

Diagnostics Yes

I am not aware if it was an option in dkim-milter.
--
Regards...      Todd
"It is the nature of the human species to reject what is true but
unpleasant and to embrace what is obviously false but comforting."
"You might be a skeptic if you have pedantically argued the topic of pedantry."
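
Added example, not part of the thread or of opendkim: one way to use the z= diagnostic tag described in the message above to find which signed header changed after signing. The addresses, header values and function names are constructed for illustration; it assumes z= holds every header present at signing time and compares values with relaxed canonicalization.

```python
import re

def parse_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def decode_z(z_value):
    """Decode z=: '|'-separated header copies in dkim-quoted-printable."""
    copied = {}
    for item in re.sub(r"\s+", "", z_value).split("|"):  # folding whitespace is not data
        text = re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), item)
        name, _, value = text.partition(":")
        copied.setdefault(name.lower(), value)  # keep first copy of a repeated header
    return copied

def relaxed(value):
    """Relaxed header canonicalization of a value: collapse whitespace, trim."""
    return re.sub(r"\s+", " ", value).strip()

def diff_signed_headers(sig_value, received):
    """Compare each h= header as received against its z= copy from signing time."""
    tags = parse_tags(sig_value)
    at_signing = decode_z(tags["z"])
    got = {k.lower(): v for k, v in received.items()}
    report = {}
    for name in (h.strip().lower() for h in tags["h"].split(":")):
        before, after = at_signing.get(name), got.get(name)
        if before is None and after is not None:
            report[name] = "absent at signing, added afterwards"
        elif before is not None and after is None:
            report[name] = "removed after signing"
        elif before is not None and relaxed(before) != relaxed(after):
            report[name] = "changed after signing"
    return report

# Constructed sample: signature tags and received headers, not taken from the thread.
SIG = """v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=default;
 h=To:Subject:Message-Id:Date:From; bh=CONSTRUCTED; b=CONSTRUCTED;
 z=To:=20bob@example.test|Subject:=20DKIM=20test|Date:=20Tue,=2029=20Mar
 =202011=2008:15:02=20-0700|From:=20alice@example.test"""
RECEIVED = {"To": "bob@example.test", "Subject": "DKIM   test", "From": "alice@example.test",
            "Message-Id": "<constructed-1@mta.example.test>",
            "Date": "Tue, 29 Mar 2011 11:15:02 -0400"}
print(diff_signed_headers(SIG, RECEIVED))
```

A Message-Id or Date reported as added or changed corresponds to the marked fields in the list above: the header was listed in h= but filled in or rewritten after the filter signed.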