I think, thay one shouldn't rejecting mail when dkim fails.........?
On 02/17/2012 06:17 PM, David Saez wrote:
> Hi
>
> I'm using Exim 4.77 and have to avoid rejecting any mail when dkim
> fails as
> we get a lot of "verification failed - signature did not verify" for
> domains like
> yahoo, google, aol, paypal, ...
>
>> Hi,
>> today i enabled signning with DKIM in Exim 4.76 - here is my route
>> config:
>>
>> remote_smtp:
>> driver = smtp
>> dkim_domain = aira.cz
>> dkim_selector = x
>> dkim_private_key= /etc/exim/keys/dkim.private.key
>> dkim_canon = relaxed
>>
>>
>> and DNS's RR for domain:
>>
>>
>> x._domainkey.aira.cz. 100 IN TXT "v=DKIM1\; t=y\; k=rsa\;
>> p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANMJ4yzdbmkkz5Ktt
>>
>>
>> Dc0xt79I7Uxf9Raqd3Nvlfw8EB5zoMnYgdcdpTRlhluDJ7wnrYqNV8
>>
>>
>> S71Zq4Z50jdBNnJtne1xjuYTnfdsQwfr/h3NEdUdFDuNOn1XNNAmmvWwQPwIDAQAB"
>>
>>
>> domainkey.aira.cz. 300 IN TXT "t=y\; o=~\;"
>>
>> _adsp._domainkey.aira.cz. 300 IN TXT "dkim=unknown"
>>
>>
>>
>> When i check DKIM's with send emails on address:
>> dkim-test@??? and check-auth@???,
>> about half of emails fail. On the end this mail i atteched two debug
>> from return emails from dkim-test@???. But when I
>> tried send emails on my second mail server, so he verified DKIMs for all
>> emails successfully.
>>
>> My OS on server is stable Gentoo x86 with openssl-1.0.0d
>>
>> Have you same idea, why dkim so often fails?
>>
>> Thank you, and sorry for my terrible English.
>>
>>
>>
>>
>> Attached returs email for checker:
>>
>> Firts email:
>>
>> ----- Begin Debug Log Output ----
>> a: ['v=1', 'a=rsa-sha256', 'q=dns/txt', 'c=relaxed/relaxed',
>> 'd=aira.cz', 's=x',
>> 'h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID',
>>
>> 'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
>> 'b=P05WGYppwzu6O2IRkUeNuFGFvrAyZpXONT2G3dLyVgUkRZVxgcaUFTjVktnugoLXAznxnQeZ5MZujCO3LRScm42nf9wAws13Fi2uK/IkcvQgK0OROsvGEwwAFuBOzT53',
>>
>> '']
>> sig: {'a': 'rsa-sha256', 'c': 'relaxed/relaxed', 'b':
>> 'P05WGYppwzu6O2IRkUeNuFGFvrAyZpXONT2G3dLyVgUkRZVxgcaUFTjVktnugoLXAznxnQeZ5MZujCO3LRScm42nf9wAws13Fi2uK/IkcvQgK0OROsvGEwwAFuBOzT53',
>>
>> 'd': 'aira.cz', 'h':
>> 'Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID',
>>
>> 'bh': '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=', 'q': 'dns/txt',
>> 's': 'x', 'v': '1'}
>> bh: frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=
>> body hash mismatch (got frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=,
>> expected 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=). Your server is
>> not signing messages properly or another server may be modifying the
>> body of your messages.
>>
>> ----- End Debug Log Output ----
>>
>>
>> Second Email:
>>
>>
>> a: ['v=1', 'a=rsa-sha256', 'q=dns/txt', 'c=relaxed/relaxed',
>> 'd=aira.cz', 's=x',
>> 'h=MIME-Version:Content-Type:Message-ID:Subject:Date:To:From',
>> 'bh=Sb8WGoUjJNJtG/FfwmvhQy9uPZoo0vO8ahBE3Rz+wlE=',
>> 'b=TMCmawCtQ4LEvies519qMmP96afmNb5esIAqeOzU5zN5bYBL5iVCgf/kYQXCfcEJ65t5xsDFcAF2Br7Us+Gtjh/whZrB8eX6JZgEe+pirbXEVO6u9mB2vWMGcxbaBe6l',
>>
>> '']
>> sig: {'a': 'rsa-sha256', 'c': 'relaxed/relaxed', 'b':
>> 'TMCmawCtQ4LEvies519qMmP96afmNb5esIAqeOzU5zN5bYBL5iVCgf/kYQXCfcEJ65t5xsDFcAF2Br7Us+Gtjh/whZrB8eX6JZgEe+pirbXEVO6u9mB2vWMGcxbaBe6l',
>>
>> 'd': 'aira.cz', 'h':
>> 'MIME-Version:Content-Type:Message-ID:Subject:Date:To:From', 'bh':
>> 'Sb8WGoUjJNJtG/FfwmvhQy9uPZoo0vO8ahBE3Rz+wlE=', 'q': 'dns/txt', 's':
>> 'x', 'v': '1'}
>> bh: Sb8WGoUjJNJtG/FfwmvhQy9uPZoo0vO8ahBE3Rz+wlE=
>> modlen: 96
>> include_headers: ['MIME-Version', 'Content-Type', 'Message-ID',
>> 'Subject', 'Date', 'To', 'From']
>> verify headers: [('mime-version', '1.0\r\n'), ('content-type',
>> 'multipart/alternative;
>> boundary="_000_3BE0DEED8863E5429BAE4CAEDF6245650273762DC4FEAIRASRVaira_"\r\n'),
>>
>> ('message-id',
>> '<3BE0DEED8863E5429BAE4CAEDF6245650273762DC4FE@???>\r\n'),
>>
>> ('subject', '\r\n'), ('date', 'Thu, 16 Feb 2012 21:44:05 +0100\r\n'),
>> ('to', '"dkim@???"
>> <dkim@???>\r\n'), ('from', 'Martin Duspiva
>> <martin.duspiva@???>\r\n'), ('dkim-signature', 'v=1; a=rsa-sha256;
>> q=dns/txt; c=relaxed/relaxed; d=aira.cz; s=x;
>> h=MIME-Version:Content-Type:Message-ID:Subject:Date:To:From;
>> bh=Sb8WGoUjJNJtG/FfwmvhQy9uPZoo0vO8ahBE3Rz+wlE=; b=;')]
>> verify digest: 28 37 44 c4 97 c1 d3 2a e8 e4 92 66 ee f6 1a 56 19 7b 7e
>> 23 00 f5 b8 e7 ab a9 25 96 26 2a 78 dd
>> dinfo: 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 28 37 44
>> c4 97 c1 d3 2a e8 e4 92 66 ee f6 1a 56 19 7b 7e 23 00 f5 b8 e7 ab a9 25
>> 96 26 2a 78 dd
>> sig2: 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>> ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 30
>> 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 28 37 44 c4 97 c1
>> d3 2a e8 e4 92 66 ee f6 1a 56 19 7b 7e 23 00 f5 b8 e7 ab a9 25 96 26 2a
>> 78 dd
>> TMCmawCtQ4LEvies519qMmP96afmNb5esIAqeOzU5zN5bYBL5iVCgf/kYQXCfcEJ65t5xsDFcAF2Br7Us+Gtjh/whZrB8eX6JZgEe+pirbXEVO6u9mB2vWMGcxbaBe6l
>>
>>
>> TMCmawCtQ4LEvies519qMmP96afmNb5esIAqeOzU5zN5bYBL5iVCgf/kYQXCfcEJ65t5xsDFcAF2Br7Us+Gtjh/whZrB8eX6JZgEe+pirbXEVO6u9mB2vWMGcxbaBe6l
>>
>>
>> v: 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>> ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 30 31
>> 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 48 7f cc d9 0b c9 b4
>> b3 0b 14 1c 5d 53 e3 a9 6e 0c 60 75 75 c1 67 d3 55 0c 56 f3 20 99 20
>> 3b 6d
>>
>>
>>
>>
>>
>>
>>
>
>