At 17:08 01-03-2009, Tony Birnseth, 1st Source IT, LLC wrote:
>I have installed the 'sendmail' version of DKIM since I can't find a
> lib64 binary specifically for postfix. I made links to get the key
> locations to resolve and that seems to be working ok.
> I created a regex file to prepend a DKIM Signature: header for every
> email sent "from" this system whether that be from the system itself or
> on behalf of an authenticated smtp connection (I.e one of the domains I
> support)...
> I have this option in the main.cf file:
> smtpd_sender_restrictions = hash:/etc/postfix/sender_access,
> check_client_access pcre:/etc/postfix/ez-merchant-hosting-dkim-header.re
> which contains:
> /^/ PREPEND DKIM-Signature: v=DKIM1; a=rsa-sha1; t=y; s=ezms1;
> d=ez-merchant-hosting.com; c=simple; q=dns;
>
>b=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2amdz0mVsDr9mXDOa0eDKKnuhBMHCEXW+7wBniEZejtQ9WLhA21KUchkv8vnJCOotz3/CObPSl7rc2pRHD2GYfBIKH2rq7vsDHzrbszWXIOGMoCDFc4F9tVvOi1DCUs2b0EXO8ewfazggJjXx7G8D+BW6b5UbW57gUYUrPdBTMwIDAQAB
> I sent mail to [email protected] hoping to validate the
> DKIM installation.
> However, the server responds with:
>
>- Ignored:
> DKIM Signature validation: DKIM-Signature could not be verified
> DKIM Author Domain Signing Practices: no DNS record for
> _adsp._domainkey.1sit.com
>
> DKIM Selector: ezms1
> "v=DKIM1; g=*; k=rsa;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2amdz0mVsDr9mXDOa0eDKKnuhBMHCEXW+7wBniEZejtQ9WLhA21KUchkv8vnJCOotz3/CObPSl7rc2pRHD2GYfBIKH2rq7vsDHzrbszWXIOGMoCDFc4F9tVvOi1DCUs2b0EXO8ewfazggJjXx7G8D+BW6b5UbW57gUYUrPdBTMwIDAQAB;
>
> ----- DKIM"

The public key in DNS is incorrect. That part should be:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2amdz0mVsDr9mXDOa0eDKKnuhBMHCEXW+7wBniEZejtQ9WLhA21KUchkv8vnJCOotz3/CObPSl7rc2pRHD2GYfBIKH2rq7vsDHzrbszWXIOGMoCDFc4F9tVvOi1DCUs2b0EXO8ewfazggJjXx7G8D+BW6b5UbW57gUYUrPdBTMwIDAQAB

> *I append this header to all emails from verified smtp auth connections
> via the smtpd_sender_restrictions directive:
> *DKIM-Signature: v=DKIM1; a=rsa-sha1; s=ezms1;
> d=ez-merchant-hosting.com; c=simple; q=dns;
>
>b=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2amdz0mVsDr9mXDOa0eDKKnuhBMHCEXW+7wBniEZejtQ9WLhA21KUchkv8vnJCOotz3/CObPSl7rc2pRHD2GYfBIKH2rq7vsDHzrbszWXIOGMoCDFc4F9tVvOi1DCUs2b0EXO8ewfazggJjXx7G8D+BW6b5UbW57gUYUrPdBTMwIDAQAB*

You are appending the public key instead of having dkim-milter sign the message.

> I guess I would expect the "checker" to:
> 1) Use the info in the header to check the dkim info (I.e.
> ezms1._domainkey.ez-merchant-hosting.com)
> 2) Validate against those credentials.

That's what it does.

> I'm trying to avoid setting up unique dkim info for each client that
> uses this system. Maintenance nightmare. Is that even possible?

Yes, that is possible.

>
> What am I doing wrong? My bet is that since the From field does not have
> the same domain name as the DKIM-Signature that it is trying to find the
> domain key info based on the From domain.
>
> Headers sent to the autoresponder are:

[snip]

> DKIM-Signature: a=rsa-sha1; s=ezms1; d=ez-merchant-hosting.com;
> c=simple; q=dns;
> b=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2amdz0mVsDr9mXDOa0eDKKnuhBMHCEXW+7wBniEZejtQ9WLhA21KUchkv8vnJCOotz3/CObPSl7rc2pRHD2GYfBIKH2rq7vsDHzrbszWXIOGMoCDFc4F9tVvOi1DCUs2b0EXO8ewfazggJjXx7G8D+BW6b5UbW57gUYUrPdBTMwIDAQAB

See above comments about how to sign the message. Ignoring the "DKIM-Signature:" part, that header looks like a DomainKeys signature.

Regards,
-sm

_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
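
The two problems diagnosed in this thread, a `b=` tag that carries the public key rather than a signature and a header that otherwise reads like DomainKeys, can be checked mechanically before a message reaches a verifier. The following is an added example, not part of the original message or of dkim-milter; `parse_tags`, `lint_signature` and the sample values are hypothetical names and constructed data, and the public-key check is a heuristic based on the RSA OID.

```python
import base64

# DER bytes of the rsaEncryption OID; present in every RSA public key (p= value).
RSA_OID = bytes.fromhex("06092a864886f70d010101")
REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # required signature tags, RFC 6376


def parse_tags(value):
    """Split a tag=value list (signature header or DNS key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def lint_signature(header_value, key_record=None):
    """Return the problems found in a DKIM-Signature header value."""
    sig, problems = parse_tags(header_value), []
    missing = [t for t in REQUIRED if t not in sig]
    if missing:
        problems.append("missing required tags: " + ", ".join(missing))
    if sig.get("v", "1") != "1":
        problems.append("v=%s belongs in a key record; a signature uses v=1" % sig["v"])
    if sig.get("q") == "dns":
        problems.append("q=dns is DomainKeys syntax; DKIM uses q=dns/txt")
    b = sig.get("b", "")
    try:
        raw = base64.b64decode(b, validate=True)
    except ValueError:
        raw = b""
        problems.append("b= is not valid base64")
    if RSA_OID in raw:
        problems.append("b= decodes to an RSA public key, not a signature")
    if key_record and b and b == parse_tags(key_record).get("p"):
        problems.append("b= is identical to p= in the DNS key record")
    return problems


# Constructed sample (not from the thread): DER prefix of an RSA key plus filler.
SAMPLE_KEY = base64.b64encode(
    bytes.fromhex("30819f300d06092a864886f70d0101010500") + bytes(range(60))).decode()
SAMPLE_HEADER = "v=DKIM1; a=rsa-sha1; s=sel1; d=example.com; c=simple; q=dns; b=" + SAMPLE_KEY
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_KEY

if __name__ == "__main__":
    for problem in lint_signature(SAMPLE_HEADER, SAMPLE_RECORD):
        print("-", problem)
```

A header produced by an actual signer has `bh=` and `h=` tags and a `b=` value that changes with every message, so a static header prepended by a regex rule cannot pass these checks.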
