I saw my email coming back from a listserver scored as dkim failed. (I tested my dkim signatures with sendmail and dkim.org, showed no problems)
The suggestions on the list seem to indicate a different set of default headers be used during signing. (I noticed, at least, that the listserver stripped off x-virus-scanned header, but that seems to be included in the default set for 2.6.2)

Other suggestions include NOT signing the received headers and using relaxed/relaxed instead of relaxed/simple.

Any comments? I can see where in compliance issues you would want the dkim signature to fail if they 'add to the body' (but don't all mailing lists add to the body? and if they do 'mung or muck up' your email while passing it through, shouldn't they strip the dkim signatures??)

(did this email get signed right? still using other defaults, but I am not signing x-virus-scanned anymore)

-------- Original Message --------
Subject: Re: listserver problems?
Date: Thu, 18 Dec 2008 14:59:59 +0100
From: Nikola Lečić <[email protected]>
To: Michael Scheidell <[email protected]>
CC: [email protected]
References: <[email protected]>

On Thu, 18 Dec 2008 06:47:01 -0500
Michael Scheidell <[email protected]> wrote:

> might be generic listserver issues, but I noticed that at least on
> freebsd-jail list, it does NOT strip out dkim/domainkeys signatures.
>
> that might not be too bad, but it does 'mung' the headers, so dkim
> signed email passed through freebsd mailing list server comes back as
> a forged signature.

Three objections to your DKIM signature:

(1) Your canonicalization is "relaxed/simple", i.e. the mail is signed with "simple" bodycanon:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=secnap.net; h=

That's why you have

    Authentication-Results: [...] dkim=neutral (body hash did not verify) [email protected]

-- the list software appends some lines at the end of mail. You should use

    Canonicalization relaxed/relaxed

in dkim-filter.conf or

    milterdkim_flags="-c relaxed/relaxed"

in rc.conf if you use Sendmail. (See headers of my mail.)

(2) You have "Received" header field included in the signature, while RFC4871 states that it SHOULD NOT be the case: http://tools.ietf.org/html/rfc4871#section-5.5

(3) You do not specify body length (l= in DKIM header). According to http://tools.ietf.org/html/rfc4871#section-3.4.5 it could be a good idea to use it, especially when mailing lists are in question.

In total, mailing list owners don't have an obligation to strip DKIM signatures. Instead, other methods can be used on both sides, see section 4.1.

HTH

--
Nikola Lečić = Никола Лечић
fingerprint : FEF3 66AF C90E EDC3 D878 7CDC 956D F4AB A377 1C9B

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* King of Spam Filters, SC Magazine 2008
* Information Security Award 2008, Info Security Products Guide
* CRN Magazine Top 40 Emerging Security Vendors
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
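An added example (not part of the original thread) of the body-hash check behind `dkim=neutral (body hash did not verify)`: it applies the RFC 4871 `simple` and `relaxed` body canonicalizations and the `l=` body length to a constructed message, once with only whitespace changed and once with a constructed list footer appended. The function names and sample text are assumptions made for the illustration.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 4871 3.4.3: only trailing empty lines are ignored."""
    return re.sub(rb"(\r\n)*\Z", b"", body) + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 4871 3.4.4: collapse WSP runs, strip WSP at line ends, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon, length=None) -> str:
    """bh= value: base64(SHA-256) of the canonical body, cut to l= octets if given."""
    data = canon(body)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

# Constructed sample data (not taken from the thread).
SIGNED = b"Hello list,\r\n\r\nDoes DKIM survive this hop?\r\n"
FOOTER = b"_______________\r\nexample-list mailing list\r\n"
RESPACED = b"Hello list, \r\n\r\nDoes  DKIM survive this hop?\r\n\r\n"
RELAYED = SIGNED + FOOTER

def survives(received: bytes, canon, use_l: bool = False) -> bool:
    """True if the verifier's recomputed body hash equals the signer's bh=."""
    # With l=, the signer records the canonical body length it hashed.
    length = len(canon(SIGNED)) if use_l else None
    return body_hash(received, canon, length) == body_hash(SIGNED, canon, length)

if __name__ == "__main__":
    cases = [("whitespace changed", RESPACED), ("footer appended", RELAYED)]
    for label, msg in cases:
        for canon in (canon_simple, canon_relaxed):
            for use_l in (False, True):
                ok = survives(msg, canon, use_l)
                print(f"{label:20} {canon.__name__:14} l={use_l!s:5} verifies={ok}")
```

Octets past the `l=` count are not covered by the signature, so a verifier cannot tell a list footer from any other appended content.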
