Excellent. Thank you, Thomas!

At 03:31 AM 11/7/2010, Thomas Eckardt wrote:
> >And more importantly, they can be generated
> >with signatures generated using known
>
>No this is not possible, because the body is used to generate the
>signature every time. The 'Header-Tag' tells the DKIM only, which header
>lines should be added to the signature in addition to the body.
>
>Thomas
>
>From: Scott MacLean <[email protected]>
>To: ASSP development mailing list <[email protected]>
>Date: 06.11.2010 16:08
>Subject: Re: [Assp-test] Antwort: Two DKIM problems
>
>I should have mentioned - my concern in deleting the message-id from
>the signature, is that it is the only truly unique data in the
>signature. Removing it and leaving only From, To, Subject,
>Mime-Version and Content Type means messages can be generated with
>identical signatures. And more importantly, they can be generated
>with signatures generated using known, controlled data, which can be
>utilized to break the private key.
>
>At 10:56 AM 11/6/2010, Scott MacLean wrote:
>
> >OK, I can see how that will fix it. Is there any opportunity to have
> >ASSP take over the functionality of adding missing message-id's
> >before it generates the DKIM signature, in order to solve this
> >problem while still retaining the message-id as part of the DKIM
> >signature?
> >
> >At 03:19 AM 11/6/2010, Thomas Eckardt wrote:
> >
> > >Scott,
> > >
> > > >Any idea where I should be looking next, Thomas?
> > >
> > >If not all clients are generating a Message-ID (which is not RFC conform),
> > >you have to remove the Message-ID tag from the Headers signing policy.
> > >
> > >change from:
> > >
> > >  Algorithm=rsa-sha1
> > >  Method=relaxed/relaxed
> > >  Headers=Message-ID:From:Subject:To:MIME-Version:Content-Type
> > >  KeyFile=c:/assp/certs/server-key.pem
> > >  Mode=DKIM
> > >
> > >to:
> > >
> > >  Algorithm=rsa-sha1
> > >  Method=relaxed/relaxed
> > >  Headers=From:Subject:To:MIME-Version:Content-Type
> > >  KeyFile=c:/assp/certs/server-key.pem
> > >  Mode=DKIM
> > >
> > >RFC says, that if a server receives a MIME mail without a MessageID he has
> > >to add one. If a Message-ID is found he should not change it.
> > >In your case the signature is built using an empty (or whatever)
> > >Message-ID to build the signature. If now the next server in chain gets
> > >the mail, he will add a Message-ID and the resulting rsa-sha1 hash for the
> > >Header-Tags will be changed and the next server in chain, who checks the
> > >DKIM, will produce the error about the failed signature.
> > >
> > >Thomas
> > >
> > >From: Scott MacLean <[email protected]>
> > >To: ASSP development mailing list <[email protected]>
> > >Date: 05.11.2010 21:33
> > >Subject: Re: [Assp-test] Antwort: Two DKIM problems
> > >
> > >OK, I've done a LOT of research today to find out what is causing
> > >this problem, and it appears I've found the problem.
> > >
> > >I started noticing that mail being sent by some mail clients through
> > >my server would produce DKIM-signed messages that validated
> > >correctly, while mail being sent by other mail clients (i.e. Eudora,
> > >my phone, some web mail applications) would produce DKIM-signed
> > >messages that failed to validate.
> > >
> > >Doing a bunch of testing and looking at the message headers, I
> > >narrowed down what the difference is: The DKIM validation fails on
> > >email sent by those mail clients that do NOT include a message-ID as
> > >part of their message header. Two clients I have found that do not
> > >send a message-ID: Eudora, and the Palm Pre phone.
> > >
> > >If the client generates and includes a message-ID as part of the
> > >message header, the DKIM validation passes. If it does not generate
> > >the message-ID header, and allows ASSP to insert it, the DKIM validation
> > >fails.
> > >
> > >I have DoMsgIDSig enabled. I tried turning it off, but it made no
> > >difference: the messages coming from clients that do not insert the
> > >message-id still failed DKIM validation.
> > >
> > >Any idea where I should be looking next, Thomas?
> > >
> > >At 06:35 AM 11/5/2010, Thomas Eckardt wrote:
> > >
> > > > >So your server has to use a 'FROM:' address with @hollsco.com !
> > > >
> > > >Sorry - the 'mail from:' address (envelope sender) is the one that is used
> > > >to detect if a DKIM signature should be added or not - not the 'FROM:'
> > > >address that is in the header.
> > > >
> > > > >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> > > > ><[email protected]> to: [email protected]
> > > > >DKIM: self signature check: result: pass - detail: pass
> > > >
> > > >If this is shown in the log, ASSP has successfully checked the created
> > > >signature using your DNS records! There is nothing more I can do.
> > > >
> > > >Thomas
> > > >
> > > >From: Scott MacLean <[email protected]>
> > > >To: ASSP development mailing list <[email protected]>
> > > >Date: 04.11.2010 16:04
> > > >Subject: Re: [Assp-test] Antwort: Two DKIM problems
> > > >
> > > >At 05:10 AM 11/4/2010, Thomas Eckardt wrote:
> > > >
> > > > >The second problem
> > > > >
> > > > >ASSP is looking for the email address of the sender - a DKIM signature
> > > > >will be added if a valid DKIM configuration is found for the sending
> > > > >domain. So your server has to use a 'FROM:' address with @hollsco.com !
> > > >
> > > >The email definitely has a FROM address. Here is an example header:
> > > >
> > > >Return-Path: [email protected]
> > > >Delivered-To: [email protected]
> > > >Received: from mail.frogstar.com ([192.168.0.160])
> > > >        by mail.frogstar.com
> > > >        ; Thu, 4 Nov 2010 02:19:37 -0400
> > > >Received: from fs1.netbound.com ([67.159.45.157] helo=frogstar.com) by
> > > >        mail.frogstar.com with ESMTP (2.0.2); 4 Nov 2010 02:19:36 -0400
> > > >Received: from FS1 ([192.168.0.161]) by frogstar.com with Microsoft SMTPSVC(6.0.3790.4675);
> > > >        Thu, 4 Nov 2010 02:19:36 -0400
> > > >From: "Domain Admin" <[email protected]>
> > > >To: "Domain Admin" <[email protected]>
> > > >Subject: Subject of message
> > > >Date: Thu, 04 Nov 2010 02:19:36 -0400
> > > >Message-ID: <frog.89255cfc63.frog.5924a9e48a.frog.59249a2c46.20101104-02193663-...@fs1>
> > > >MIME-Version: 1.0
> > > >Content-Type: text/html
> > > >Return-Path: [email protected]
> > > >X-OriginalArrivalTime: 04 Nov 2010 06:19:36.0634 (UTC) FILETIME=[412DC9A0:01CB7BE8]
> > > >
> > > >This email, when routed through the IIS SMTP server, does not get a
> > > >DKIM header added. However, the same email, sent directly to ASSP
> > > >instead of through the IIS SMTP server, gets the DKIM header added
> > > >correctly:
> > > >
> > > >Return-Path: [email protected]
> > > >Delivered-To: [email protected]
> > > >Received: from mail.frogstar.com ([192.168.0.160])
> > > >        by mail.frogstar.com
> > > >        ; Thu, 4 Nov 2010 02:52:29 -0400
> > > >DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=domain.com;
> > > >        h=Message-ID:From:Subject:To:MIME-Version:Content-Type; s=alpha;
> > > >        bh=Ub+UOLDhHFPhUsX++81Ve9689E4=;
> > > >        b=Frgb9rvA7adGunn0pDVpHMk+FY6cHveJI2ADVvdrAG2s3TPGcFtFQ9zqopJqsP7Cr
> > > >        pW8eRDtMgxxwE8WbE8ZlIgv/KfAoOwN8n0sdB+vC5sLBQUXMfMzUq/BLu7hx4CSjMHw4i2RPDO2dQcqyfJsotsmDscWKsdS+lbOBDAkiYI=
> > > >Received: from FS1 ([67.159.45.157] helo=FS1) by mail.frogstar.com with ESMTP
> > > >        (2.0.2); 4 Nov 2010 02:52:28 -0400
> > > >From: "Domain Admin" <[email protected]>
> > > >To: "Domain Admin" <[email protected]>
> > > >Subject: Subject of message
> > > >Date: Thu, 04 Nov 2010 02:52:29 -0400
> > > >Message-ID: <frog.392696d6fb.frog.992676ddb2.frog.99248f6996.20101104-02522915-1...@fs1>
> > > >MIME-Version: 1.0
> > > >Content-Type: text/html
> > > >
> > > > >The first one is
> > > > >
> > > > >Set 'DKIMlogging' to diagnostic. In this case assp will do a complete
> > > > >reverse check for every created signature. Tell me what assp is logging
> > > > >about this.
> > > >
> > > >I did so, and it is showing the signature is OK:
> > > >
> > > >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> > > ><[email protected]> to: [email protected]
> > > >recipient accepted: [email protected]
> > > >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> > > ><[email protected]> to: [email protected]
> > > >[Plugin] calling plugin ASSP_AFC
> > > >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] [MessageOK] 12.34.56.78
> > > ><[email protected]> to: [email protected]
> > > >message ok [relaxed test] -> d:/assp/notspam/13130.eml
> > > >Nov-04-10 10:20:23 [Worker_1] DKIM: Selector = alpha
> > > >Nov-04-10 10:20:23 [Worker_1] DKIM: Domain = hollsco.com
> > > >Nov-04-10 10:20:23 [Worker_1] DKIM: KeyFile = d:/assp/certs/dkim_private_key_alpha.pem
> > > >Nov-04-10 10:20:23 [Worker_1] DKIM: Method = relaxed/relaxed
> > > >Nov-04-10 10:20:23 [Worker_1] DKIM: Headers = Message-ID:From:Subject:To:MIME-Version:Content-Type
> > > >Nov-04-10 10:20:23 [Worker_1] DKIM: Mode = DKIM
> > > >Nov-04-10 10:20:23 [Worker_1] DKIM: Algorithm = rsa-sha1
> > > >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> > > ><[email protected]> to: [email protected]
> > > >info: successful added DKIM-Signature
> > > >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> > > ><[email protected]> to: [email protected]
> > > >DKIM: self signature check: result: pass - detail: pass
> > > >Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
> > > ><[email protected]> to: [email protected]
> > > >finished message - received size: 0 Byte - sent size: 1.70 kByte
> > > >Nov-04-10 10:20:23 [Worker_1] Disconnected: 12.34.56.78 - command
> > > >list was 'EHLO,AUTH,RSET,MAIL FROM,RCPT TO,DATA,QUIT' - used 11
> > > >SocketCalls
> > > >
> > > >However the response still shows a fail:
> > > >
> > > >The results are as follows:
> > > >
> > > >DKIM Signature validation: fail (verification failed)
> > > >DKIM Author Domain Signing Practices: "dkim=all"
> > > >
> > > >ADSP is not required for DKIM signature validation.
> > > >
> > > >So I suspect the problem may be on the DNS side, in that the
> > > >receiving mail server is not getting the key properly from DNS in
> > > >order to validate the signature?
> > > >------------------------------------------------------------------------------
> > > >The Next 800 Companies to Lead America's Growth: New Video Whitepaper
> > > >David G. Thomson, author of the best-selling book "Blueprint to a
> > > >Billion" shares his insights and actions to help propel your
> > > >business during the next growth cycle. Listen Now!
> > > >http://p.sf.net/sfu/SAP-dev2dev
> > > >_______________________________________________
> > > >Assp-test mailing list
> > > >[email protected]
> > > >https://lists.sourceforge.net/lists/listinfo/assp-test
> > > >
> > > >DISCLAIMER:
> > > >*******************************************************
> > > >This email and any files transmitted with it may be confidential, legally
> > > >privileged and protected in law and are intended solely for the use of the
> > > >individual to whom it is addressed.
> > > >This email was multiple times scanned for viruses. There should be no
> > > >known virus in this email!
> > > >*******************************************************
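
The failure discussed in the thread, modelled as an added example (not part of the original messages and not ASSP code): it computes the digest a DKIM signer would hand to the private key under relaxed canonicalization, once for a message with no Message-ID and once after a later hop has added one, for both Headers policies shown above. The function names, example.com addresses and sample message are constructed, and the RSA step itself is left out.

```python
import base64
import hashlib
import re

WSP = re.compile(r"[ \t]+")

def relaxed_header(name, value):
    """RFC 6376 relaxed header canonicalization."""
    value = value.replace("\r\n", "")        # unfold continuation lines
    value = WSP.sub(" ", value).strip()      # squeeze and trim whitespace
    return name.strip().lower() + ":" + value + "\r\n"

def body_hash(body):
    """bh= value: SHA-1 (the thread's rsa-sha1) over the relaxed-canonicalized body."""
    lines = [WSP.sub(" ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()                          # drop trailing empty lines
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()

def signed_digest(headers, body, h_list):
    """Digest the key signs: the h= headers, then DKIM-Signature with b= empty."""
    pool, data = list(headers), ""
    for wanted in h_list.split(":"):         # a header absent from the message adds nothing
        for i in range(len(pool) - 1, -1, -1):   # bottom-most unused instance first
            if pool[i][0].lower() == wanted.lower():
                data += relaxed_header(*pool.pop(i))
                break
    sig = ("v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com; s=alpha; "
           "h=" + h_list + "; bh=" + body_hash(body) + "; b=")
    data += relaxed_header("DKIM-Signature", sig)[:-2]   # no trailing CRLF
    return hashlib.sha1(data.encode()).hexdigest()

WITH_ID = "Message-ID:From:Subject:To:MIME-Version:Content-Type"
WITHOUT_ID = "From:Subject:To:MIME-Version:Content-Type"
# Constructed sample: a client that sends no Message-ID (addresses are placeholders).
AS_SIGNED = [("From", "admin@example.com"), ("To", "admin@example.com"),
             ("Subject", "Subject of message"), ("MIME-Version", "1.0"),
             ("Content-Type", "text/html")]
# The same message after a later hop has added the missing Message-ID.
AS_RECEIVED = [("Message-ID", "<constructed-id@relay.example>")] + AS_SIGNED
BODY = "<p>test</p>\r\n"

def survives_added_message_id(h_list):
    # True if the digest computed at signing time still matches at verification.
    return signed_digest(AS_SIGNED, BODY, h_list) == signed_digest(AS_RECEIVED, BODY, h_list)

if __name__ == "__main__":
    print({p: survives_added_message_id(p) for p in (WITH_ID, WITHOUT_ID)})
```

Because bh= is part of the signed DKIM-Signature field, two messages with identical signed headers but different bodies still produce different digests.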
