Bug#695145: opendkim: DKIM signature verification is failing


Julien Lesaint

Dec 4, 2012, 11:00:02 AM
Package: opendkim
Version: 2.6.8-3
Severity: important

Hello,

While setting up opendkim on my system I've noticed the following during
the signature verification:

Dec 4 16:37:34 anna opendkim[17205]: 20330159F64: mail-ye0-f181.google.com [209.85.213.181] not internal
Dec 4 16:37:34 anna opendkim[17205]: 20330159F64: not authenticated
Dec 4 16:37:34 anna opendkim[17205]: 20330159F64: signature=Vu82MmQr domain=gmail.com selector=gmail.com result="no signature error"

The selector mentioned in the syslog record is wrong, and the verification
result is always "no signature error"...

The signature which was being verified is the following:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:content-type;
bh=kZlhbDnnJhBXoM6pk+S8McermM7wB9qhzhKe02y84bU=;
b=Vu82MmQrn3TOlTGNwW+UWR3cRHoklnKnP0yG4PIN6FDE3BxTN9V+dX1oTk8D2i+Ykm
I3fviG7SIZ/Ze+zVSistdUamvo/tV7mpHob/JJuHvojo5q6YTWGWoAkMCz7sQd5wC+IM
27ThG+WqN057DvCjQne3ILa4CgpyfhugfrMfypi6lkYoyECpUboETY4e9PCpkzAcjuKa
Z0XwP+8GGZBan/lOkaft4z7GyWi7guhpM/W8UeT1eack5zWT0+EiSLwj4rpNFTZTOYE+
/6pbk8Yf/zlx1X1m86MYJNZf0L6c+OAXuHlb0tdbG7UnCBSD4twVQOKBZWAPohxmn+Hl
FDuQ==

You can see the selector is not "gmail.com". This is happening
with any domain, not just gmail.com.

Can you please have a look? Is this a known issue? Am I missing
something?

Thank you.

--
Julien Lesaint



-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.6
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages opendkim depends on:
ii adduser 3.113+nmu3
ii libc6 2.13-37
ii libdb5.1 5.1.29-5
ii libldap-2.4-2 2.4.31-1
ii liblua5.1-0 5.1.5-4
ii libmilter1.0.1 8.14.4-2.1
ii libopendkim7 2.6.8-3
ii libssl1.0.0 1.0.1c-4
ii libunbound2 1.4.18-1
ii libvbr2 2.6.8-3
ii lsb-base 4.1+Debian9

opendkim recommends no packages.

Versions of packages opendkim suggests:
ii opendkim-tools 2.6.8-3

-- Configuration Files:
/etc/opendkim.conf changed:
Syslog yes
UMask 002
Canonicalization relaxed/relaxed
SubDomains yes
OversignHeaders From
DisableADSP yes
InternalHosts file:/etc/postfix/dkim/InternalHosts
LogResults yes
LogWhy yes
SignHeaders mime-version,sender,in-reply-to,references,from,date,subject,to,content-type
Socket inet:10...@127.0.0.1
SenderHeaders Sender,From
KeyTable file:/etc/postfix/dkim/KeyTable
SigningTable refile:/etc/postfix/dkim/SigningTable


-- no debconf information



Julien Lesaint

Dec 4, 2012, 12:20:01 PM
Hello,

In addition, in the case of a public key not published in DNS, we have
the following:

Dec 4 17:45:40 anna opendkim[17205]: 06529159F64: mx2.freebsd.org [69.147.83.53] not internal
Dec 4 17:45:40 anna opendkim[17205]: 06529159F64: not authenticated
Dec 4 17:45:40 anna opendkim[17205]: 06529159F64: signature=TDOfVcMW domain=freebsd.org selector=freebsd.org result="key not found in DNS"

The selector reported in syslog is still wrong, but the information in
the "result" field is accurate.


Signature:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=freebsd.org; s=dkim;
t=1354633167; bh=+d2q6xbqxwG47ndoI46kc+MYhTYvp8G/NVKXntnJ95A=;
h=Date:From:To:Subject;
b=TDOfVcMW/SUBzcIO3CrFP3yFWyUV4XRdJrgKezhTNAxcXHFWv8kQpqaBqacoLtcNO
82C/p5KOvetdsRe3ZvO3yZYp9saUCfBUyr1debdUBUL4QXlLiTKiUA3ge35gqw2iiS
3JIny5/L36oHiWflFZGWBbC+7jL0vkDCG3Zc0nqE=


DNS check:

; <<>> DiG 9.7.3 <<>> txt dkim._domainkey.freebsd.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27573
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dkim._domainkey.freebsd.org. IN TXT

;; AUTHORITY SECTION:
freebsd.org. 3408 IN SOA ns0.freebsd.org. hostmaster.freebsd.org. 2012120301 1800 900 604800 3600


Regards,

--
Julien Lesaint.

Julien Lesaint

Jan 2, 2013, 11:50:01 AM
Hello,

I think I've been confused by this result message "no signature error".
It could be interpreted in two different ways:

- [no signature] error -> there is no signature, this is an error
- no [signature error] -> there is no error in the signature -> it's valid!

This should be changed to "valid signature", "signature verification
successful" or anything else more explicit! The issue with the wrong
selector reported in syslogs is still present.

Thanks.
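
The cross-check done by hand in this thread, as an added example (not part of the original messages and not opendkim code): it parses a DKIM-Signature header, derives the selector._domainkey.domain TXT name, and compares both with the domain= and selector= fields of the syslog result line. Function and field names are hypothetical; the header and log line are copied from the second message.

```python
import re

# Result line format as it appears in the report's syslog excerpts.
LOG_RE = re.compile(r'signature=(\S+) domain=(\S+) selector=(\S+) result="([^"]*)"')

def parse_dkim_tags(header):
    """Split a DKIM-Signature header into its tag=value pairs.
    Simplification: all whitespace inside values is dropped, which is safe for
    the d=, s= and b= tags used here."""
    value = header.split(":", 1)[1] if header.lower().startswith("dkim-signature:") else header
    tags = {}
    for piece in value.split(";"):
        if "=" in piece:
            name, val = piece.split("=", 1)  # base64 values may contain further '='
            tags[name.strip()] = "".join(val.split())
    return tags

def check_log_against_header(log_line, header):
    """Compare the fields of one opendkim result line with the header it refers to."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("not an opendkim result line")
    sig, domain, selector, result = m.groups()
    tags = parse_dkim_tags(header)
    return {
        # In the report, the logged signature= value is the start of the b= tag.
        "same_signature": tags["b"].startswith(sig),
        "domain_ok": domain.lower() == tags["d"].lower(),
        "selector_ok": selector.lower() == tags["s"].lower(),
        # RFC 6376: the public key is the TXT record at <s>._domainkey.<d>.
        "key_record": f'{tags["s"]}._domainkey.{tags["d"]}',
        "result": result,
    }

# Header and log line copied from the second message of the report.
HEADER = """DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=freebsd.org; s=dkim;
 t=1354633167; bh=+d2q6xbqxwG47ndoI46kc+MYhTYvp8G/NVKXntnJ95A=;
 h=Date:From:To:Subject;
 b=TDOfVcMW/SUBzcIO3CrFP3yFWyUV4XRdJrgKezhTNAxcXHFWv8kQpqaBqacoLtcNO
 82C/p5KOvetdsRe3ZvO3yZYp9saUCfBUyr1debdUBUL4QXlLiTKiUA3ge35gqw2iiS
 3JIny5/L36oHiWflFZGWBbC+7jL0vkDCG3Zc0nqE="""
LOG = ('Dec 4 17:45:40 anna opendkim[17205]: 06529159F64: signature=TDOfVcMW '
       'domain=freebsd.org selector=freebsd.org result="key not found in DNS"')

if __name__ == "__main__":
    for field, value in check_log_against_header(LOG, HEADER).items():
        print(f"{field}: {value}")
```

For this input selector_ok is False while key_record is dkim._domainkey.freebsd.org, the same name queried in the DNS check above.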