Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#697583: opendkim: reports "insecure key" in all AR headers
138 views
Skip to first unread message
Teodor
Jan 7, 2013, 4:30:03 AM1/7/13
to
Package: opendkim
Version: 2.6.8-3
Severity: normal
Hi,
I've done multiple tests and both 1024 and 2048-bit keys ar reported
"insecure key" in the Authentication-Results: header.
| Authentication-Results: smtp.DOMAIN; dkim=pass
| reason="2048-bit key; insecure key"
| header.d=gmail.com header.i=@gmail.com header.b=0jmPjoQc;
| dkim-adsp=pass; dkim-atps=neutral
Cheers
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages opendkim depends on:
ii adduser 3.113+nmu3
ii libc6 2.13-37
ii libdb5.1 5.1.29-5
ii libldap-2.4-2 2.4.31-1
ii liblua5.1-0 5.1.5-4
ii libmilter1.0.1 8.14.4-2.1
ii libopendkim7 2.6.8-3
ii libssl1.0.0 1.0.1c-4
ii libunbound2 1.4.17-2
ii libvbr2 2.6.8-3
ii lsb-base 4.1+Debian8
opendkim recommends no packages.
Versions of packages opendkim suggests:
ii opendkim-tools 2.6.8-3
-- Configuration Files:
/etc/opendkim.conf changed:
Syslog yes
SyslogSuccess yes
UMask 002
Domain mu******.com
KeyFile /etc/mail/dkim_pa******.key
Selector pa******
Canonicalization relaxed/relaxed
SubDomains yes
OversignHeaders From
On-BadSignature tempfail
On-DNSError accept
Socket inet:8891@[127.0.0.1]
MilterDebug 3
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Version: 2.6.8-3
Severity: normal
Hi,
I've done multiple tests and both 1024 and 2048-bit keys ar reported
"insecure key" in the Authentication-Results: header.
| Authentication-Results: smtp.DOMAIN; dkim=pass
| reason="2048-bit key; insecure key"
| header.d=gmail.com header.i=@gmail.com header.b=0jmPjoQc;
| dkim-adsp=pass; dkim-atps=neutral
Cheers
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages opendkim depends on:
ii adduser 3.113+nmu3
ii libc6 2.13-37
ii libdb5.1 5.1.29-5
ii libldap-2.4-2 2.4.31-1
ii liblua5.1-0 5.1.5-4
ii libmilter1.0.1 8.14.4-2.1
ii libopendkim7 2.6.8-3
ii libssl1.0.0 1.0.1c-4
ii libunbound2 1.4.17-2
ii libvbr2 2.6.8-3
ii lsb-base 4.1+Debian8
opendkim recommends no packages.
Versions of packages opendkim suggests:
ii opendkim-tools 2.6.8-3
-- Configuration Files:
/etc/opendkim.conf changed:
Syslog yes
SyslogSuccess yes
UMask 002
Domain mu******.com
KeyFile /etc/mail/dkim_pa******.key
Selector pa******
Canonicalization relaxed/relaxed
SubDomains yes
OversignHeaders From
On-BadSignature tempfail
On-DNSError accept
Socket inet:8891@[127.0.0.1]
MilterDebug 3
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Scott Kitterman
Jan 8, 2013, 2:00:02 AM1/8/13
to
On Monday, January 07, 2013 02:21:24 AM you wrote:
> Package: opendkim
> Version: 2.6.8-3
> Severity: normal
>
> Hi,
>
> I've done multiple tests and both 1024 and 2048-bit keys ar reported
> "insecure key" in the Authentication-Results: header.
>
> | Authentication-Results: smtp.DOMAIN; dkim=pass
> |
> | reason="2048-bit key; insecure key"
> | header.d=gmail.com header.i=@gmail.com header.b=0jmPjoQc;
> | dkim-adsp=pass; dkim-atps=neutral
I've discussed this with upstream and they agree it's confusing. Insecure in
> Package: opendkim
> Version: 2.6.8-3
> Severity: normal
>
> Hi,
>
> I've done multiple tests and both 1024 and 2048-bit keys ar reported
> "insecure key" in the Authentication-Results: header.
>
> | Authentication-Results: smtp.DOMAIN; dkim=pass
> |
> | reason="2048-bit key; insecure key"
> | header.d=gmail.com header.i=@gmail.com header.b=0jmPjoQc;
> | dkim-adsp=pass; dkim-atps=neutral
this context is meant to refer to "not secured by DNSSEC", not anything to do
with the key itself. I'm not sure what they'll change it too, but I think it
well get clarified.
Scott K
0 new messages