Re: [exim] DKIM fail

Author: David Saez
Date:  
To: exim-users
Subject: Re: [exim] DKIM fail
Hi

I'm using Exim 4.77 and have to avoid rejecting any mail when dkim fails as
we get a lot of "verification failed - signature did not verify" for
domains like yahoo, google, aol, paypal, ...

> Hi,
> today I enabled signing with DKIM in Exim 4.76 - here is my route config:
>
> remote_smtp:
>    driver = smtp
>    dkim_domain = aira.cz
>    dkim_selector = x
>    dkim_private_key= /etc/exim/keys/dkim.private.key
>    dkim_canon = relaxed
>
> and the DNS RRs for the domain:
>
> x._domainkey.aira.cz.   100     IN      TXT     "v=DKIM1\; t=y\; k=rsa\;
> p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANMJ4yzdbmkkz5Ktt
> Dc0xt79I7Uxf9Raqd3Nvlfw8EB5zoMnYgdcdpTRlhluDJ7wnrYqNV8
> S71Zq4Z50jdBNnJtne1xjuYTnfdsQwfr/h3NEdUdFDuNOn1XNNAmmvWwQPwIDAQAB"
>
> domainkey.aira.cz.     300     IN      TXT     "t=y\; o=~\;"
>
> _adsp._domainkey.aira.cz. 300   IN      TXT     "dkim=unknown"
>
> When I check DKIM by sending emails to the addresses
> dkim-test@??? and check-auth@???,
> about half of the emails fail. At the end of this mail I attached two debug
> logs from the return emails from dkim-test@???. But when I
> tried sending emails to my second mail server, it verified DKIM for all
> emails successfully.
>
> My OS on the server is stable Gentoo x86 with openssl-1.0.0d
>
> Do you have some idea why DKIM fails so often?
>
> Thank you, and sorry for my terrible English.
>
> Attached return emails from the checker:
>
> First email:
>
> ----- Begin Debug Log Output ----
> a: ['v=1', 'a=rsa-sha256', 'q=dns/txt', 'c=relaxed/relaxed',
> 'd=aira.cz', 's=x',
> 'h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID',
> 'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
> 'b=P05WGYppwzu6O2IRkUeNuFGFvrAyZpXONT2G3dLyVgUkRZVxgcaUFTjVktnugoLXAznxnQeZ5MZujCO3LRScm42nf9wAws13Fi2uK/IkcvQgK0OROsvGEwwAFuBOzT53',
> '']
> sig: {'a': 'rsa-sha256', 'c': 'relaxed/relaxed', 'b':
> 'P05WGYppwzu6O2IRkUeNuFGFvrAyZpXONT2G3dLyVgUkRZVxgcaUFTjVktnugoLXAznxnQeZ5MZujCO3LRScm42nf9wAws13Fi2uK/IkcvQgK0OROsvGEwwAFuBOzT53',
> 'd': 'aira.cz', 'h':
> 'Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID',
> 'bh': '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=', 'q': 'dns/txt',
> 's': 'x', 'v': '1'}
> bh: frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=
> body hash mismatch (got frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=,
> expected 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=). Your server is
> not signing messages properly or another server may be modifying the
> body of your messages.
>
> ----- End Debug Log Output ----
>
> Second Email:
>
> a: ['v=1', 'a=rsa-sha256', 'q=dns/txt', 'c=relaxed/relaxed',
> 'd=aira.cz', 's=x',
> 'h=MIME-Version:Content-Type:Message-ID:Subject:Date:To:From',
> 'bh=Sb8WGoUjJNJtG/FfwmvhQy9uPZoo0vO8ahBE3Rz+wlE=',
> 'b=TMCmawCtQ4LEvies519qMmP96afmNb5esIAqeOzU5zN5bYBL5iVCgf/kYQXCfcEJ65t5xsDFcAF2Br7Us+Gtjh/whZrB8eX6JZgEe+pirbXEVO6u9mB2vWMGcxbaBe6l',
> '']
> sig: {'a': 'rsa-sha256', 'c': 'relaxed/relaxed', 'b':
> 'TMCmawCtQ4LEvies519qMmP96afmNb5esIAqeOzU5zN5bYBL5iVCgf/kYQXCfcEJ65t5xsDFcAF2Br7Us+Gtjh/whZrB8eX6JZgEe+pirbXEVO6u9mB2vWMGcxbaBe6l',
> 'd': 'aira.cz', 'h':
> 'MIME-Version:Content-Type:Message-ID:Subject:Date:To:From', 'bh':
> 'Sb8WGoUjJNJtG/FfwmvhQy9uPZoo0vO8ahBE3Rz+wlE=', 'q': 'dns/txt', 's':
> 'x', 'v': '1'}
> bh: Sb8WGoUjJNJtG/FfwmvhQy9uPZoo0vO8ahBE3Rz+wlE=
> modlen: 96
> include_headers: ['MIME-Version', 'Content-Type', 'Message-ID',
> 'Subject', 'Date', 'To', 'From']
> verify headers: [('mime-version', '1.0\r\n'), ('content-type',
> 'multipart/alternative;
> boundary="_000_3BE0DEED8863E5429BAE4CAEDF6245650273762DC4FEAIRASRVaira_"\r\n'),
> ('message-id',
> '<3BE0DEED8863E5429BAE4CAEDF6245650273762DC4FE@???>\r\n'),
> ('subject', '\r\n'), ('date', 'Thu, 16 Feb 2012 21:44:05 +0100\r\n'),
> ('to', '"dkim@???"
> <dkim@???>\r\n'), ('from', 'Martin Duspiva
> <martin.duspiva@???>\r\n'), ('dkim-signature', 'v=1; a=rsa-sha256;
> q=dns/txt; c=relaxed/relaxed; d=aira.cz; s=x;
> h=MIME-Version:Content-Type:Message-ID:Subject:Date:To:From;
> bh=Sb8WGoUjJNJtG/FfwmvhQy9uPZoo0vO8ahBE3Rz+wlE=; b=;')]
> verify digest: 28 37 44 c4 97 c1 d3 2a e8 e4 92 66 ee f6 1a 56 19 7b 7e
> 23 00 f5 b8 e7 ab a9 25 96 26 2a 78 dd
> dinfo: 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 28 37 44
> c4 97 c1 d3 2a e8 e4 92 66 ee f6 1a 56 19 7b 7e 23 00 f5 b8 e7 ab a9 25
> 96 26 2a 78 dd
> sig2: 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 30
> 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 28 37 44 c4 97 c1
> d3 2a e8 e4 92 66 ee f6 1a 56 19 7b 7e 23 00 f5 b8 e7 ab a9 25 96 26 2a
> 78 dd
> TMCmawCtQ4LEvies519qMmP96afmNb5esIAqeOzU5zN5bYBL5iVCgf/kYQXCfcEJ65t5xsDFcAF2Br7Us+Gtjh/whZrB8eX6JZgEe+pirbXEVO6u9mB2vWMGcxbaBe6l
>
> TMCmawCtQ4LEvies519qMmP96afmNb5esIAqeOzU5zN5bYBL5iVCgf/kYQXCfcEJ65t5xsDFcAF2Br7Us+Gtjh/whZrB8eX6JZgEe+pirbXEVO6u9mB2vWMGcxbaBe6l
>
> v: 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 30 31
> 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 48 7f cc d9 0b c9 b4
> b3 0b 14 1c 5d 53 e3 a9 6e 0c 60 75 75 c1 67 d3 55 0c 56 f3 20 99 20 3b 6d
>
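
Added example (not part of the thread, not Exim or checker code): DKIM body canonicalization and the bh= hash as defined in RFC 6376 sections 3.4.3 and 3.4.4. Both bh values in the first debug log are the RFC's empty-body constants: the signed value is the SHA-256 of an empty body under relaxed canonicalization, and the value the checker computed is the SHA-256 of a lone CRLF, which is what simple canonicalization yields for an empty body. The function names and the sample bodies are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines; an empty body becomes one CRLF."""
    lines = body.split(b"\r\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines) or b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse whitespace runs and strip line-end whitespace;
    an empty body stays empty (no CRLF is added)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Value a signer puts in bh= (rsa-sha256) for the given body canonicalization."""
    data = canon_relaxed(body) if canon == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def explain_bh(bh: str) -> str:
    """Name a bh value if it is one of the two empty-body constants."""
    known = {
        body_hash(b"", "relaxed"): "empty body, relaxed (SHA-256 of zero bytes)",
        body_hash(b"", "simple"): "empty body, simple (SHA-256 of one CRLF)",
    }
    return known.get(bh, "not an empty-body hash")

# bh values copied from the first debug log in the quoted message.
SIGNED_BH = "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="
VERIFIER_BH = "frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY="

if __name__ == "__main__":
    print("signed  :", explain_bh(SIGNED_BH))
    print("verifier:", explain_bh(VERIFIER_BH))
    # Constructed bodies: relaxed absorbs whitespace rewrites, not content changes.
    sent = b"Hello  world \r\n\r\n"
    print(body_hash(sent) == body_hash(b"Hello world\r\n"))    # whitespace only
    print(body_hash(sent) == body_hash(b"Hello world!\r\n"))   # content changed
```

Comparing a failing bh pair against these two constants first separates an empty-body canonicalization disagreement between signer and verifier from a body that was modified in transit.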