a***@yahoo.com
2010-09-27 00:24:40 UTC
I'm running Ubuntu 10.04 with Postfix and dkim-filter.
All my configuration checks out OK... or at least I think so. But the DKIM sig is not
being accepted by Yahoo and Gmail servers.
My postfix main.cf
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
My /etc/default/dkim-filter
SOCKET="inet:***@localhost" # Ubuntu default - listen on loopback on port 8891
My /etc/dkim-filter.conf
Syslog yes
LogWhy True
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
#UMask 002
# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain example.com
KeyFile /etc/mail/mail.key
Selector mail
InternalHosts /etc/mail/hosts
# Common settings. See dkim-filter.conf(5) for more information.
AutoRestart yes
Background yes
Canonicalization relaxed/relaxed
DNSTimeout 5
Mode sv
SignatureAlgorithm rsa-sha256
SubDomains yes
#ADSPDiscard no
#Version rfc4871
X-Header no
###############################################
# Other (less-standard) configuration options #
###############################################
My InternalHosts file /etc/mail/hosts
127.0.0.1/8
192.168.1.0/24
localhost
example.com
www.example.com
mail.example.com
cerebrus.example.com
umongus.example.com
My Bind9 DNS entries for the example domain
mail._domainkey IN TXT "k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBcAtF+RCk9wpagy3b3Y8566FWZ354fMjlz7ZmYYJzg+GT1ruGl/lvwXZkQTzMyvpGgBM5ShUmopVswN3Cv/+M1UTU8lto1fnTFJb2bu$
_domainkey IN TXT "t=y; o=-"
My Maddog domain DNS entries:
mail._domainkey v=DKIM1; g=*; k=rsa; t=y;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdVfaH7HsphCUPCmEiAB
Gx96PvDMrqC0ZQ324gZ5ND3btqtZnVglPlLVicg3LjAzMFmPiuYs7log4xQ2
705G/gicNRlbP4ZjPTL2yqshKy1DNRfw4vSgUpMRfQVfcPeag32geSayoVEm
u+MvAy136jphNnAxr18AUEKJDBycf7iQIDAQAB 1 Hour
_domainkey t=y; o=- 1 Hour
Tests DONE:
mail.log shows
Sep 26 23:51:48 hostname dkim-filter[6880]: 7440A1C72EFF mode select: signing
tests online:
http://domainkeys.sourceforge.net/policycheck.html
Testing example.com
Policy TXT=t=y; o=-
This policy record appears valid.
http://domainkeys.sourceforge.net/selectorcheck.html
mail._domainkey.example.com
TXT Record length = 230
k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdVfaH7HsphCUPCmEiABGx96PvDM
...rqC0ZQ324gZ5ND3btqtZnVglPlLVicg3LjAzMFmPiuYs7log4xQ2705G/gicNRlbP4ZjPTL2yqshKy1D
...NRfw4vSgUpMRfQVfcPeag32geSayoVEmu+MvAy136jphNnAxr18AUEKJDBycf7iQIDAQAB
This selector appears valid.
Tag  Value  Explanation
k    rsa    The public key algorithm used to verify the signature
p    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdVfaH7HsphCUPCmEi...  Modulus Size=1024, Exponent=65537
t    y      This Selector is in test mode
EMAIL RESPONSES FROM YAHOO HEADERS:
Received-SPF: pass (mta1259.mail.ac4.yahoo.com: domain of ***@example.com
designates "MY IP" as permitted sender)
X-Originating-IP: [MY IP]
Authentication-Results: mta1259.mail.ac4.yahoo.com from=example.com;
domainkeys=neutral (no sig); from=example.com; dkim=permerror (bad sig)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=zaaam.com; s=mail;
t=1285544437; bh=+RXOTVB28eXhx0k/tu8av/BLmD8wZpkVU5Pa6hB6w4I=;
h=To:Date:Subject:Message-ID:From:MIME-Version:Content-Type;
b=bu3Eqt4KXl2um8ivT6+BHKDLYTibUHK6eTAmYMPW9vDVVyg2lqfzntL06n5bBe4AK
BagYp+tKc8dtY+q+uH4uFHUOHwV03ZrUdcCNMjaFkR+jTUuC8yCrr0kTZSc9GhsVUr
v9MaeaOKra20C9+dgeXhjfTUDvGI1bniquZA/ITc=
EMAIL RESPONSES FROM GMAIL HEADERS:
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
***@example.com designates "MY IP" as permitted sender)
smtp.mail=***@example.com; dkim=hardfail (test mode) header.i=@example.com
Received: from host.example.com (host.example.com [LAN IP]) by host.example.com
(Postfix) with ESMTP id 9C8431C72F00 for <***@gmail.com>; Sun, 26 Sep 2010
23:51:48 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=zaaam.com; s=mail; t=1285545108;
bh=p8pafqTNhtsModsSazJmcokGeAFPfXlSGnULI/Z7QDU=;
h=To:Date:Subject:Message-ID:From:MIME-Version:Content-Type;
b=UlDd4VZo826VxOkDdNR5ER+3jGjMRiPQoB5lEdPWKSUvbibdqTGQmL5PrIKoZpIqX
c7DGlc504Y1FCQb/pW8M2bYNtrt5nRfJ9XqlfdE9as9ECb44KoqJZCldvBEvCZSCYo
hQEMUT2LeDezo+EtEpgXAmO87pWN8QaxbKY2a9J0=
I'm out of ideas... full day trying and testing this?!?!?! What can be wrong?
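
Added example, not part of the original post: a Python check that parses the DKIM tag lists quoted above as RFC 6376 describes and reports where the two published mail._domainkey records, and the signature Yahoo received, disagree with each other and with dkim-filter.conf. The key strings are only the leading characters of the p= values in the post, and the function names are hypothetical.

```python
import re

def parse_tags(text):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in text.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Folding whitespace inside a value (p=, b=, bh=) is not significant.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def compare_key_records(rec_a, rec_b):
    """Findings about two TXT records published for the same selector."""
    a, b = parse_tags(rec_a), parse_tags(rec_b)
    findings = []
    pa, pb = a.get("p", ""), b.get("p", "")
    if pa != pb:
        diff = next((i for i, (x, y) in enumerate(zip(pa, pb)) if x != y),
                    min(len(pa), len(pb)))
        findings.append(f"p= differs at base64 offset {diff}")
    for label, rec in (("A", a), ("B", b)):
        if "y" in rec.get("t", "").split(":"):
            findings.append(f"record {label} is in test mode (t=y)")
    return findings

def check_signature(sig_value, conf):
    """Compare a DKIM-Signature tag list with the signer's configuration."""
    sig = parse_tags(sig_value)
    c = sig.get("c", "simple/simple")
    if "/" not in c:          # a lone header algorithm implies body "simple"
        c += "/simple"
    findings = []
    if c != conf["Canonicalization"]:
        findings.append(f"signed c={c}, configured {conf['Canonicalization']}")
    if sig.get("s") != conf["Selector"]:
        findings.append(f"signed s={sig.get('s')}, configured {conf['Selector']}")
    return findings

# Leading characters of the two p= values quoted in the post (not full keys).
BIND_REC = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBcAtF"
HOSTED_REC = "v=DKIM1; g=*; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdVfaH"
YAHOO_SIG = "v=1; a=rsa-sha256; c=simple/simple; d=zaaam.com; s=mail"
CONF = {"Canonicalization": "relaxed/relaxed", "Selector": "mail"}

if __name__ == "__main__":
    for finding in compare_key_records(BIND_REC, HOSTED_REC) + check_signature(YAHOO_SIG, CONF):
        print(finding)
```

A receiver verifies against whichever record the public resolver returns, so the record to compare with the signing key is the one the online selector check displayed.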