Problem with DKIM signature truncature

Hello,

I’m suffering a problem with DKIM signatures for one of my domains.
Note that it works perfectly with my other 5 domains and that the machines are the same, with same configs etc…

It looks like the new line truncate of the DKIM signature happens at a wrong place, making the bh= not being well handled.

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;
d=1234567890-0123456789012.com; h=message-id:date:from:
mime-version:to:subject:content-type; q=dns/txt; s=mymypointe; b
h=/UPutzTqgACydAU1bOPW4Q4sSu8=; b=N0PnOBrrklChSiv4vbt9j4VHkUylXC
AlmJtmRPpFOyruPC3flHD1kAclz1wzRrI83PBYk00wDsKqER5fpE6r2ChdRWHWqR
DkOI/oqXbDcz4S2WI5KsWFU5o+KoguzrxYNz1QebeDpaJ68l/1DoiQx7XQbV6I9s
cBaPuXQXIawB3=

As you can see, I should have bh= on the same line, but I get the “b” at the end of the third line and the h= and the start of the fourth.

This makes DKIM validation fail on my domain (I use the port25.com verifier) :
Authentication-Results: verifier.port25.com; dkim=permerror (Parse error: no ‘=’ found after tag “b”);

Do you have any idea on how I could resolve this problem please ?

Thanks in advance,

Best regards,

Alex

Oops, that definitely looks like a bug. The header-wrapping algorithm is incorrectly splitting the line in the middle of the “bh” tag.

I just posted an update on my site, jason.long.name/dkimproxy. Please download version 0.28 of Mail-DKIM and see if it fixes the problem.
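The wrapping failure discussed above, as an added example that is not part of the original thread and is not Mail-DKIM's code: a checker that unfolds a DKIM-Signature header and flags a fold inside a tag name, and a wrapper that breaks only where a break is safe. The function names, the 72-column width and the restored leading whitespace in the sample are assumptions.

```python
import re

TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")  # a tag name holds no whitespace
REQUIRED = {"v", "a", "b", "bh", "d", "h", "s"}

# Constructed sample: the header from the first post, with the leading
# whitespace on continuation lines restored (an assumption).
BROKEN = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;\r\n"
    " d=1234567890-0123456789012.com; h=message-id:date:from:\r\n"
    " mime-version:to:subject:content-type; q=dns/txt; s=mymypointe; b\r\n"
    " h=/UPutzTqgACydAU1bOPW4Q4sSu8=; b=N0PnOBrrklChSiv4vbt9j4VHkUylXC\r\n"
    " AlmJtmRPpFOyruPC3flHD1kAclz1wzRrI83PBYk00wDsKqER5fpE6r2ChdRWHWqR\r\n"
    " DkOI/oqXbDcz4S2WI5KsWFU5o+KoguzrxYNz1QebeDpaJ68l/1DoiQx7XQbV6I9s\r\n"
    " cBaPuXQXIawB3="
)

def parse_tag_list(header):
    """Unfold a DKIM-Signature header field; return (tags, errors)."""
    value = re.sub(r"\r?\n(?=[ \t])", "", header.partition(":")[2])
    tags, errors = {}, []
    for spec in filter(str.strip, value.split(";")):
        name, sep, val = (part.strip() for part in spec.partition("="))
        if not sep:
            errors.append(f"no '=' after tag {name!r}")
        elif not TAG_NAME.match(name):
            errors.append(f"invalid tag name {name!r}")
        else:  # whitespace is legal inside base64 data and the h= list
            tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh", "h") else val
    missing = sorted(REQUIRED - tags.keys())
    if missing:
        errors.append("missing: " + ",".join(missing))
    return tags, errors

def fold(tags, width=72):
    """Wrap so breaks fall only before a tag-spec or inside b=/bh= base64."""
    lines, cur = [], "DKIM-Signature:"
    for name, value in tags.items():
        piece = f" {name}={value};"
        if len(cur) + len(piece) <= width:
            cur += piece
            continue
        lines.append(cur)  # start a new line with the whole tag name on it
        cur = piece
        while name in ("b", "bh") and len(cur) > width:
            lines.append(cur[:width])  # cut lands inside the base64 value
            cur = " " + cur[width:]
    lines.append(cur)
    return "\r\n".join(lines)
```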

Hello and thank you for your quick reply and fix :slight_smile:

I did not get the chance to try and apply the fix yet.
This is because I’m suffering huge performance loss since I migrated to dkimproxy. This must be because I want to sign all my mails in both DomainKeys and DKIM.

What would be your recommendation on how to use dkimproxy + postfix to sign my outbound mails with DomainKeys and DKIM please ?
Maximizing --max_servers and --min_servers didn’t help much yet :frowning:

Any config tip please ?

Bummer.

Are you using two instances of dkimproxy.out to sign your messages? You can make dkimproxy add both signatures with a single instance, which may help, but it requires a code change. I’m hoping to provide a configurable interface in a future version that lets you tell it you want two signatures.

Would you say the problem is cpu, memory, disk, or something else?

Are you also running spamassassin on the same system?

Hi, I also have a problem here. I’m using senderid.espcoalition.org/ to test the signed email using DKIM proxy, and this is the result I got:

[blockquote]
MAIL FROM: luckie[at]unsoed.ac.id

PRA: luckie[at]unsoed.ac.id

SPF-Record-Classic: v=spf1 ip4:222.124.206.68/24 a mx ptr -all

SPF-Record-MFROM Scope: v=spf1 ip4:222.124.206.68/24 a mx ptr -all

SPF-Record-PRA Scope: v=spf1 ip4:222.124.206.68/24 a mx ptr -all

SPF-Method Result: pass(unsoed.ac.id: domain of
unsoed.ac.id designates 222.124.206.68 as permitted sender)

SenderID-MFROM-Method Result: pass(unsoed.ac.id: domain of
unsoed.ac.id designates 222.124.206.68 as permitted sender)

SenderID-PRA-Method Result: pass(unsoed.ac.id: domain of
unsoed.ac.id designates 222.124.206.68 as permitted sender)

DomainKey-Status: bad format: No DomainKey signature found

DKIM-Status: Unrecognized version 1 (This signature appears to be from an older draft of the standard)
Return-Path: luckie[at]unsoed.ac.id
Received: from 222.124.206.68
by 69.56.15.194
for [email protected]; Tue, 7 Aug 2007 08:59:50 -0500
Received: from mail (localhost [127.0.0.1])
by mail (Postfix) with ESMTP id A28B78AC31E
for [email protected]; Tue, 7 Aug 2007 09:55:23 -0400 (EDT)

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=unsoed.ac.id; h=
message-id:date:subject:from:to:mime-version:content-type:
content-transfer-encoding; q=dns/txt; s=m1; bh=/edzoYuyn17WXm8Ke
qcX/R+khdQ=; b=ksLGowOpyEVBq360tgJeqBMVW0uHYE2An6CaMaVtnXl7rWMuX
4rZX2z2FabakZgvWkkTdzPbOgIPO6SBGW/I0MwKqxlvswQCNCt3CNALXiU8tiTQB
Zf9DZNQbw1wTm5cF7kwjudKyYb82EYUydEGBiKS3nH8tZ9zF0oWg8w9gPM=

Received: from mail.unsoed.ac.id (localhost [127.0.0.1])
by mail (Postfix) with ESMTP id 8AF0D8AC31B
for [email protected]; Tue, 7 Aug 2007 09:55:21 -0400 (EDT)
Received: from 222.124.206.68
(SquirrelMail authenticated user luckie[at]unsoed.ac.id)
by mail.unsoed.ac.id with HTTP;
Tue, 7 Aug 2007 09:55:21 -0400 (EDT)
Message-ID: <3024.222.124.206.68.1186494921.squirrel[at]mail.unsoed.ac.id>
Date: Tue, 7 Aug 2007 09:55:21 -0400 (EDT)
Subject: test
From: luckie[at]unsoed.ac.id
To: [email protected]
User-Agent: SquirrelMail/1.4.6
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
X-Priority: 3 (Normal)
Importance: Normal
Content-Transfer-Encoding: quoted-printable

test
[/blockquote]

This looks like DKIM proxy got the wrong signature version? And I really want to know how to make both signatures, since it looks like Yahoo only checks for the DomainKey signature, which results in neutral if I send to Yahoo in the current state, because only the DKIM signature is given out by my Postfix mail server.

Thanks

Hello Jason,

Yes I use 2 instances of dkimproxy to sign the mails. Here is how I turned it out :

local incoming mails to postfix on port 25 → DK dkimproxy on port 10250 → DKIM dkimproxy on port 11250 → postfix on port 1250 → relay to internet hosts

The first dkimproxy signs in DK then sends it straight to the second dkimproxy signing in DKIM then it queues back the mail to a special postfix spool that relays & deliver the mail on the recipient’s internet host

I tried to tweak both dkimproxies, the best results I had (but horrible results anyway) were for arguments :

--min_spare_servers=10 --min_servers=20 --max_spare_servers=10 --max_servers=100

How could I get a single instance sign in both DK and DKIM please ?

Thanks a lot for your help

EDIT : no, I only use dkimproxy and postfix on the box. These are sending boxes only.

DKIM Signature wrapping bug as stated by Jason. You have to upgrade Mail::DKIM to 0.28 as said on post #2 to correct the problem :slight_smile:

Have fun :wink:

:slight_smile: I’m using the 0.28 version; this is my first try using DKIM proxy.

I’m getting the same problem, and I already have version 0.28 installed also.

Fixed, well, at least Yahoo checks my mail and it passes OK, that’s what counts :slight_smile: