OK, I can see how that will fix it. Is there any opportunity to have ASSP take over the functionality of adding missing message-id's before it generates the DKIM signature, in order to solve this problem while still retaining the message-id as part of the DKIM signature?
At 03:19 AM 11/6/2010, Thomas Eckardt wrote:
>Scott,
>
> >Any idea where I should be looking next, Thomas?
>
>If not all clients are generating a Message-ID (which is not RFC-conformant),
>you have to remove the Message-ID tag from the Headers signing policy.
>
>change from:
>
>   Algorithm=rsa-sha1
>   Method=relaxed/relaxed
>   Headers=Message-ID:From:Subject:To:MIME-Version:Content-Type
>   KeyFile=c:/assp/certs/server-key.pem
>   Mode=DKIM
>
>to:
>
>   Algorithm=rsa-sha1
>   Method=relaxed/relaxed
>   Headers=From:Subject:To:MIME-Version:Content-Type
>   KeyFile=c:/assp/certs/server-key.pem
>   Mode=DKIM
>
>RFC says, that if a server receives a MIME mail without a MessageID he has
>to add one. If a Message-ID is found he should not change it.
>In your case the signature is built using an empty (or whatever)
>Message-ID to build the signature. If now the next server in chain gets
>the mail, he will add a Message-ID and the resulting rsa-sha1 hash for the
>Header-Tags will be changed and the next server in chain, who checks the
>DKIM, will produce the error about the failed signature.
>
>Thomas
>
>
>From: Scott MacLean <[email protected]>
>To: ASSP development mailing list <[email protected]>
>Date: 05.11.2010 21:33
>Subject: Re: [Assp-test] Antwort: Two DKIM problems
>
>OK, I've done a LOT of research today to find out what is causing
>this problem, and it appears I've found the problem.
>
>I started noticing that mail being sent by some mail clients through
>my server would produce DKIM-signed messages that validated
>correctly, while mail being sent by other mail clients (i.e. Eudora,
>my phone, some web mail applications) would produce DKIM-signed
>messages that failed to validate.
>
>Doing a bunch of testing and looking at the message headers, I
>narrowed down what the difference is: The DKIM validation fails on
>email sent by those mail clients that do NOT include a message-ID as
>part of their message header.
>Two clients I have found that do not
>send a message-ID: Eudora, and the Palm Pre phone.
>
>If the client generates and includes a message-ID as part of the
>message header, the DKIM validation passes. If it does not generate
>the message-ID header, and allows ASSP to insert it, the DKIM validation
>fails.
>
>I have DoMsgIDSig enabled. I tried turning it off, but it made no
>difference: the messages coming from clients that do not insert the
>message-id still failed DKIM validation.
>
>Any idea where I should be looking next, Thomas?
>
>
>At 06:35 AM 11/5/2010, Thomas Eckardt wrote:
>
> > >So your server has to use a 'FROM:' address with @hollsco.com!
> >
> >Sorry - the 'mail from:' address (envelope sender) is the one that is used
> >to detect if a DKIM signature should be added or not - not the 'FROM:'
> >address that is in the header.
> >
> > >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> > ><[email protected]> to: [email protected]
> > >DKIM: self signature check: result: pass - detail: pass
> >
> >If this is shown in the log, ASSP has successfully checked the created
> >signature using your DNS records! There is nothing more I can do.
> >
> >Thomas
> >
> >
> >From: Scott MacLean <[email protected]>
> >To: ASSP development mailing list <[email protected]>
> >Date: 04.11.2010 16:04
> >Subject: Re: [Assp-test] Antwort: Two DKIM problems
> >
> >
> >At 05:10 AM 11/4/2010, Thomas Eckardt wrote:
> >
> > >The second problem
> > >
> > >ASSP is looking for the email address of the sender - a DKIM signature
> > >will be added if a valid DKIM configuration is found for the sending
> > >domain. So your server has to use a 'FROM:' address with @hollsco.com!
> >
> >The email definitely has a FROM address.
> >Here is an example header:
> >
> >Return-Path: [email protected]
> >Delivered-To: [email protected]
> >Received: from mail.frogstar.com ([192.168.0.160])
> >         by mail.frogstar.com
> >         ; Thu, 4 Nov 2010 02:19:37 -0400
> >Received: from fs1.netbound.com ([67.159.45.157] helo=frogstar.com) by
> >         mail.frogstar.com with ESMTP (2.0.2); 4 Nov 2010 02:19:36 -0400
> >Received: from FS1 ([192.168.0.161]) by frogstar.com with Microsoft SMTPSVC(6.0.3790.4675);
> >         Thu, 4 Nov 2010 02:19:36 -0400
> >From: "Domain Admin" <[email protected]>
> >To: "Domain Admin" <[email protected]>
> >Subject: Subject of message
> >Date: Thu, 04 Nov 2010 02:19:36 -0400
> >Message-ID: <frog.89255cfc63.frog.5924a9e48a.frog.59249a2c46.20101104-02193663-...@fs1>
> >MIME-Version: 1.0
> >Content-Type: text/html
> >Return-Path: [email protected]
> >X-OriginalArrivalTime: 04 Nov 2010 06:19:36.0634 (UTC) FILETIME=[412DC9A0:01CB7BE8]
> >
> >
> >This email, when routed through the IIS SMTP server, does not get a
> >DKIM header added.
> >However, the same email, sent directly to ASSP
> >instead of through the IIS SMTP server, gets the DKIM header added
> >correctly:
> >
> >
> >Return-Path: [email protected]
> >Delivered-To: [email protected]
> >Received: from mail.frogstar.com ([192.168.0.160])
> >         by mail.frogstar.com
> >         ; Thu, 4 Nov 2010 02:52:29 -0400
> >DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=domain.com;
> >         h=Message-ID:From:Subject:To:MIME-Version:Content-Type; s=alpha;
> >         bh=Ub+UOLDhHFPhUsX++81Ve9689E4=;
> >         b=Frgb9rvA7adGunn0pDVpHMk+FY6cHveJI2ADVvdrAG2s3TPGcFtFQ9zqopJqsP7Cr
> >         pW8eRDtMgxxwE8WbE8ZlIgv/KfAoOwN8n0sdB+vC5sLBQUXMfMzUq/BLu7hx4CSjMHw4i2RPDO2dQcqyfJsotsmDscWKsdS+lbOBDAkiYI=
> >Received: from FS1 ([67.159.45.157] helo=FS1) by mail.frogstar.com with ESMTP
> >         (2.0.2); 4 Nov 2010 02:52:28 -0400
> >From: "Domain Admin" <[email protected]>
> >To: "Domain Admin" <[email protected]>
> >Subject: Subject of message
> >Date: Thu, 04 Nov 2010 02:52:29 -0400
> >Message-ID: <frog.992676ddb2.frog.99248f6996.20101104-02522915-1...@fs1>
> >MIME-Version: 1.0
> >Content-Type: text/html
> >
> >
> > >The first one is
> > >
> > >Set 'DKIMlogging' to diagnostic. In this case assp will do a complete
> > >reverse check for every created signature. Tell me what assp is logging
> > >about this.
> >
> >I did so, and it is showing the signature is OK:
> >
> >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> ><[email protected]> to: [email protected]
> >recipient accepted: [email protected]
> >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> ><[email protected]> to: [email protected]
> >[Plugin] calling plugin ASSP_AFC
> >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] [MessageOK] 12.34.56.78
> ><[email protected]> to: [email protected]
> >message ok [relaxed test] -> d:/assp/notspam/13130.eml
> >Nov-04-10 10:20:23 [Worker_1] DKIM: Selector = alpha
> >Nov-04-10 10:20:23 [Worker_1] DKIM: Domain = hollsco.com
> >Nov-04-10 10:20:23 [Worker_1] DKIM: KeyFile = d:/assp/certs/dkim_private_key_alpha.pem
> >Nov-04-10 10:20:23 [Worker_1] DKIM: Method = relaxed/relaxed
> >Nov-04-10 10:20:23 [Worker_1] DKIM: Headers = Message-ID:From:Subject:To:MIME-Version:Content-Type
> >Nov-04-10 10:20:23 [Worker_1] DKIM: Mode = DKIM
> >Nov-04-10 10:20:23 [Worker_1] DKIM: Algorithm = rsa-sha1
> >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> ><[email protected]> to: [email protected]
> >info: successful added DKIM-Signature
> >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> ><[email protected]> to: [email protected]
> >DKIM: self signature check: result: pass - detail: pass
> >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> ><[email protected]> to: [email protected]
> >finished message - received size: 0 Byte - sent size: 1.70 kByte
> >Nov-04-10 10:20:23 [Worker_1] Disconnected: 12.34.56.78 - command
> >list was 'EHLO,AUTH,RSET,MAIL FROM,RCPT TO,DATA,QUIT' - used 11
> >SocketCalls
> >
> >However the response still shows a fail:
> >
> >The results are as follows:
> >
> >DKIM Signature validation: fail (verification failed)
> >DKIM Author Domain Signing Practices: "dkim=all"
> >
> >ADSP is not required for DKIM signature validation.
> >
> >So I suspect the problem may be on the DNS side, in that the
> >receiving mail server is not getting the key properly from DNS in
> >order to validate the signature?
> >------------------------------------------------------------------------------
> >The Next 800 Companies to Lead America's Growth: New Video Whitepaper
> >David G. Thomson, author of the best-selling book "Blueprint to a
> >Billion" shares his insights and actions to help propel your
> >business during the next growth cycle. Listen Now!
> >http://p.sf.net/sfu/SAP-dev2dev
> >_______________________________________________
> >Assp-test mailing list
> >[email protected]
> >https://lists.sourceforge.net/lists/listinfo/assp-test
> >
> >DISCLAIMER:
> >*******************************************************
> >This email and any files transmitted with it may be confidential, legally
> >privileged and protected in law and are intended solely for the use of the
> >individual to whom it is addressed.
> >This email was multiple times scanned for viruses. There should be no
> >known virus in this email!
> >*******************************************************
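
The failure mode Thomas describes in the quoted reply, as an added example that is not part of the original thread and is not ASSP's code: it computes the relaxed-canonicalized header hash input (RFC 6376) for both signing policies, before and after a later hop adds a Message-ID. The sample addresses and Message-ID value are constructed, and the DKIM-Signature field's own contribution to the hash and the RSA step are left out because they do not change the comparison.

```python
import hashlib
import re

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376, section 3.4.2) of one field."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse runs of whitespace
    return f"{name.lower()}:{value}\r\n"

def header_hash(headers, signed_names):
    """SHA-1 (rsa-sha1, as in the thread) over the fields named in h=.

    A name listed in h= but absent from the message contributes nothing,
    which is what happens to Message-ID when the client did not send one.
    """
    pool = {}
    for name, value in headers:
        pool.setdefault(name.lower(), []).append((name, value))
    data = ""
    for wanted in signed_names.split(":"):
        instances = pool.get(wanted.strip().lower(), [])
        if instances:
            data += relaxed_header(*instances.pop())  # bottom-most instance first
    return hashlib.sha1(data.encode("utf-8")).hexdigest()

# Constructed sample: a message submitted by a client that sends no Message-ID.
SUBMITTED = [
    ("From", '"Domain Admin" <admin@example.com>'),
    ("To", '"Domain Admin" <admin@example.com>'),
    ("Subject", "Subject of message"),
    ("MIME-Version", "1.0"),
    ("Content-Type", "text/html"),
]
# The same message after a later hop has added the missing Message-ID.
RELAYED = [("Message-ID", "<constructed-0001@mail.example.com>")] + SUBMITTED

POLICY_WITH_MSGID = "Message-ID:From:Subject:To:MIME-Version:Content-Type"
POLICY_WITHOUT_MSGID = "From:Subject:To:MIME-Version:Content-Type"

def survives_relay(signed_names, at_signing=SUBMITTED, at_verify=RELAYED):
    """True if the verifier recomputes the same hash the signer produced."""
    return header_hash(at_signing, signed_names) == header_hash(at_verify, signed_names)

if __name__ == "__main__":
    for policy in (POLICY_WITH_MSGID, POLICY_WITHOUT_MSGID):
        print(policy, "->", "pass" if survives_relay(policy) else "fail")
```

Passing the same header list for both `at_signing` and `at_verify` models the alternative asked about at the top of this message, where the Message-ID is already in place before the signature is generated.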
