Scott,

>Any idea where I should be looking next, Thomas?

If not all clients are generating a Message-ID (which is not RFC-conformant),
you have to remove the Message-ID tag from the Headers signing policy.

change from:

   Algorithm=rsa-sha1
   Method=relaxed/relaxed
   Headers=Message-ID:From:Subject:To:MIME-Version:Content-Type
   KeyFile=c:/assp/certs/server-key.pem
   Mode=DKIM 

to:

   Algorithm=rsa-sha1
   Method=relaxed/relaxed
   Headers=From:Subject:To:MIME-Version:Content-Type
   KeyFile=c:/assp/certs/server-key.pem
   Mode=DKIM 

The RFC says that if a server receives a MIME mail without a Message-ID, it has 
to add one. If a Message-ID is found, it should not change it.
In your case the signature is built using an empty (or whatever) 
Message-ID. When the next server in the chain gets the mail, it will add a 
Message-ID, the resulting rsa-sha1 hash for the header tags will change, 
and the next server in the chain that checks the DKIM will produce the 
error about the failed signature.

Thomas
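
The effect described above, as an added example that is not part of the original thread and not ASSP's code: it computes the relaxed-canonicalized header hash for both `Headers=` policies, before and after a later hop adds a Message-ID. The header values are constructed, and the hash input is simplified (no DKIM-Signature field, no RSA step).

```python
import hashlib
import re

# Constructed sample message: the client sent no Message-ID.
AS_SUBMITTED = [
    ("From", '"Domain Admin" <admin@example.com>'),
    ("To", '"Domain Admin" <admin@example.com>'),
    ("Subject", "Subject of message"),
    ("MIME-Version", "1.0"),
    ("Content-Type", "text/html"),
]
# The same message after a later hop has added a Message-ID (constructed value).
AFTER_NEXT_HOP = [("Message-ID", "<constructed-1@mail.example.com>")] + AS_SUBMITTED

OLD_H = "Message-ID:From:Subject:To:MIME-Version:Content-Type"  # policy before
NEW_H = "From:Subject:To:MIME-Version:Content-Type"             # policy after

def relaxed_header(name, value):
    """RFC 6376 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n", "", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"

def header_hash(headers, h_tag):
    """SHA-1 over the fields listed in h=, taken in h= order.

    A field listed in h= but absent from the message adds nothing to the
    input (RFC 6376 treats it as a null string). Simplification: the
    DKIM-Signature field that real DKIM appends, and the RSA step, are omitted.
    """
    remaining = list(headers)
    data = ""
    for wanted in h_tag.lower().split(":"):
        # Use the last unused instance of the field, as the RFC specifies.
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                data += relaxed_header(*remaining.pop(i))
                break
    return hashlib.sha1(data.encode()).hexdigest()

def survives_added_message_id(h_tag):
    """True if the signed header hash is unchanged once Message-ID appears."""
    return header_hash(AS_SUBMITTED, h_tag) == header_hash(AFTER_NEXT_HOP, h_tag)

if __name__ == "__main__":
    for h in (OLD_H, NEW_H):
        print(h, "->", "pass" if survives_added_message_id(h) else "fail")
```

With Message-ID listed in `h=`, the hash taken at signing time no longer matches once the field exists; with it removed from the list, the later addition leaves the hash unchanged.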




From:    Scott MacLean <[email protected]>
To:      ASSP development mailing list <[email protected]>
Date:    05.11.2010 21:33
Subject: Re: [Assp-test] Antwort:  Two DKIM problems



OK, I've done a LOT of research today to find out what is causing 
this problem, and it appears I've found the problem.

I started noticing that mail being sent by some mail clients through 
my server would produce DKIM-signed messages that validated 
correctly, while mail being sent by other mail clients (i.e. Eudora, 
my phone, some web mail applications) would produce DKIM-signed 
messages that failed to validate.

Doing a bunch of testing and looking at the message headers, I 
narrowed down what the difference is: The DKIM validation fails on 
email sent by those mail clients that do NOT include a message-ID as 
part of their message header. Two clients I have found that do not 
send a message-ID: Eudora, and the Palm Pre phone.

If the client generates and includes a message-ID as part of the 
message header, the DKIM validation passes. If it does not generate 
the message-ID header, and allows ASSP to insert it, the DKIM validation 
fails.

I have DoMsgIDSig enabled. I tried turning it off, but it made no 
difference: the messages coming from clients that do not insert the 
message-id still failed DKIM validation.

Any idea where I should be looking next, Thomas?


At 06:35 AM 11/5/2010, Thomas Eckardt wrote:

> >So your server has to use a 'FROM:' address with @hollsco.com !
>
>Sorry - the 'mail from:' address (envelope sender) is the one that is used
>to detect if a DKIM signature should be added or not - not the 'FROM:'
>address that is in the header.
>
>
> >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> ><[email protected]> to: [email protected]
> >DKIM: self signature check: result: pass - detail: pass
>
>If this is shown in the log, ASSP has successfully checked the created
>signature using your DNS records! There is nothing more I can do.
>
>Thomas
>
>
>
>From:    Scott MacLean <[email protected]>
>To:      ASSP development mailing list <[email protected]>
>Date:    04.11.2010 16:04
>Subject: Re: [Assp-test] Antwort:  Two DKIM problems
>
>
>
>
>At 05:10 AM 11/4/2010, Thomas Eckardt wrote:
>
> > >The second problem
> >
> >ASSP is looking for the email address of the sender - a DKIM signature
> >will be added if a valid DKIM configuration is found for the sending
> >domain. So your server has to use a 'FROM:' address with @hollsco.com !
>
>The email definitely has a FROM address. Here is an example header:
>
>Return-Path: [email protected]
>Delivered-To: [email protected]
>Received: from mail.frogstar.com ([192.168.0.160])
>    by mail.frogstar.com
>    ; Thu, 4 Nov 2010 02:19:37 -0400
>Received: from fs1.netbound.com ([67.159.45.157] helo=frogstar.com) by
>    mail.frogstar.com with ESMTP (2.0.2); 4 Nov 2010 02:19:36 -0400
>Received: from FS1 ([192.168.0.161]) by frogstar.com with Microsoft
>SMTPSVC(6.0.3790.4675);
>     Thu, 4 Nov 2010 02:19:36 -0400
>From: "Domain Admin" <[email protected]>
>To: "Domain Admin" <[email protected]>
>Subject: Subject of message
>Date: Thu, 04 Nov 2010 02:19:36 -0400
>Message-ID: <frog.89255cfc63.frog.5924a9e48a.frog.59249a2c46.20101104-02193663-...@fs1>
>MIME-Version: 1.0
>Content-Type: text/html
>Return-Path: [email protected]
>X-OriginalArrivalTime: 04 Nov 2010 06:19:36.0634 (UTC)
>FILETIME=[412DC9A0:01CB7BE8]
>
>
>This email, when routed through the IIS SMTP server, does not get a
>DKIM header added. However, the same email, sent directly to ASSP
>instead of through the IIS SMTP server, gets the DKIM header added
>correctly:
>
>
>Return-Path: [email protected]
>Delivered-To: [email protected]
>Received: from mail.frogstar.com ([192.168.0.160])
>    by mail.frogstar.com
>    ; Thu, 4 Nov 2010 02:52:29 -0400
>DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=domain.com;
>    h=Message-ID:From:Subject:To:MIME-Version:Content-Type; s=alpha;
>    bh=Ub+UOLDhHFPhUsX++81Ve9689E4=;
>b=Frgb9rvA7adGunn0pDVpHMk+FY6cHveJI2ADVvdrAG2s3TPGcFtFQ9zqopJqsP7CrpW8eRDtMgxxwE8WbE8ZlIgv/KfAoOwN8n0sdB+vC5sLBQUXMfMzUq/BLu7hx4CSjMHw4i2RPDO2dQcqyfJsotsmDscWKsdS+lbOBDAkiYI=
>Received: from FS1 ([67.159.45.157] helo=FS1) by mail.frogstar.com with
>ESMTP
>   (2.0.2); 4 Nov 2010 02:52:28 -0400
>From: "Domain Admin" <[email protected]>
>To: "Domain Admin" <[email protected]>
>Subject: Subject of message
>Date: Thu, 04 Nov 2010 02:52:29 -0400
>Message-ID: <frog.99248f6996.20101104-02522915-1...@fs1>
>MIME-Version: 1.0
>Content-Type: text/html
>
>
>
> > >The first one is
> >
> >
> >Set 'DKIMlogging' to diagnostic. In this case assp will do a complete
> >reverse check for every created signature. Tell me what assp is logging
> >about this.
>
>I did so, and it is showing the signature is OK:
>
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
><[email protected]> to: [email protected]
>recipient accepted: [email protected]
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
><[email protected]> to: [email protected]
>[Plugin] calling plugin ASSP_AFC
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] [MessageOK] 12.34.56.78
><[email protected]> to: [email protected]
>message ok [relaxed test] -> d:/assp/notspam/13130.eml
>Nov-04-10 10:20:23 [Worker_1] DKIM: Selector = alpha
>Nov-04-10 10:20:23 [Worker_1] DKIM: Domain = hollsco.com
>Nov-04-10 10:20:23 [Worker_1] DKIM: KeyFile =
>d:/assp/certs/dkim_private_key_alpha.pem
>Nov-04-10 10:20:23 [Worker_1] DKIM: Method = relaxed/relaxed
>Nov-04-10 10:20:23 [Worker_1] DKIM: Headers =
>Message-ID:From:Subject:To:MIME-Version:Content-Type
>Nov-04-10 10:20:23 [Worker_1] DKIM: Mode = DKIM
>Nov-04-10 10:20:23 [Worker_1] DKIM: Algorithm = rsa-sha1
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
><[email protected]> to: [email protected]
>info: successful added DKIM-Signature
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
><[email protected]> to: [email protected]
>DKIM: self signature check: result: pass - detail: pass
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
><[email protected]> to: [email protected]
>finished message - received size: 0 Byte - sent size: 1.70 kByte
>Nov-04-10 10:20:23 [Worker_1] Disconnected: 12.34.56.78  - command
>list was 'EHLO,AUTH,RSET,MAIL FROM,RCPT TO,DATA,QUIT' - used 11
>SocketCalls
>
>However the response still shows a fail:
>
>The results are as follows:
>
>DKIM Signature validation: fail (verification failed)
>DKIM Author Domain Signing Practices: "dkim=all"
>
>ADSP is not required for DKIM signature validation.
>
>
>So I suspect the problem may be on the DNS side, in that the
>receiving mail server is not getting the key properly from DNS in
>order to validate the signature?
>------------------------------------------------------------------------------
>The Next 800 Companies to Lead America's Growth: New Video Whitepaper
>David G. Thomson, author of the best-selling book "Blueprint to a
>Billion" shares his insights and actions to help propel your
>business during the next growth cycle. Listen Now!
>http://p.sf.net/sfu/SAP-dev2dev
>_______________________________________________
>Assp-test mailing list
>[email protected]
>https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
>DISCLAIMER:
>*******************************************************
>This email and any files transmitted with it may be confidential, legally
>privileged and protected in law and are intended solely for the use of the
>individual to whom it is addressed.
>This email was multiple times scanned for viruses. There should be no
>known virus in this email!
>*******************************************************
>
>
>