I recently started signing our email with DKIM and started using a dkim filter for our inbound mail.
We are a university and I got a complaint from certain parents who became unable to email their son, a student here. The parents also tried emailing our helpdesk, which also failed. This appears in our logs:

Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: from=<[email protected]>, size=3440, class=0, nrcpts=1, msgid=<[email protected]>, proto=SMTP, daemon=MTA, relay=web180614.mail.sp1.yahoo.com [68.180.196.150]
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: header: X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: header: Received-SPF: Neutral (SMTP.WPI.EDU: 68.180.196.150 is neither permitted\n\tnor denied by domain of [email protected])\n\treceiver=SMTP.WPI.EDU; client-ip=68.180.196.150;\n\tenvelope-from=<[email protected]>; helo=web180614.mail.sp1.yahoo.com;
Aug 24 11:33:47 SMTP dkim-filter[11907]: n7OFXfCD009611: key retrieval failed (s=s1024, d=bellsouth.net): `s1024._domainkey.bellsouth.net' record not found
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert (1): header: Authentication-Results: SMTP.WPI.EDU; dkim=neutral\n\[email protected]; x-dkim-adsp=none
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert (1): header: X-DKIM: Sendmail DKIM Filter v2.8.3 SMTP.WPI.EDU n7OFXfCD009611
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter: data, reject=451 4.3.2 Please try again later
Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: to=<[email protected]>, delay=00:00:00, pri=33440, stat=Please try again later

"parent" is not the address at bellsouth. It gives "ok" from their mail server, so maybe parent is somebody, but it's not them. The parents claimed they were unable to get any help from Yahoo or BellSouth about this issue. Those helpdesk people claimed that the problem was here at WPI.
I thought that the parents had gotten onto yahoo by mistake and were sending a bellsouth message, causing the trouble, but I found a mention of "netscape mail" on the bellsouth.net Internet mail FAQ, and that leads me to suspect that maybe Yahoo is really officially carrying BellSouth customers' email. Maybe that's a bad guess of mine. I turned off the DKIM filter, since I can't see the message until I do that. A message from them to me had this header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; s=s1024; t=1251295577;
  bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;
  b=NtTZuqgdUa6AbMvBYLAcplSRLag1MYv64CaLP9tngtSO4p7uuclGatImb9L7aRHaLFlXH1LXPHPDH7DN05y4/JwxZSyg1lJND9iaNejALpGTeyuBSSE1NjBWAhh97Z1vpSWVEqvZL6x7q7JmBJVxy8dMrpqdRg92ahgXJgUYJc0=

The problem is that bellsouth.net has no selector named s1024. However, yahoo.com does:

# dig s1024._domainkey.yahoo.com txt

; <<>> DiG 9.3.4-P1 <<>> s1024._domainkey.yahoo.com txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39073
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;s1024._domainkey.yahoo.com. IN TXT

;; ANSWER SECTION:
s1024._domainkey.yahoo.com. 86400 IN TXT "k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrEee0Ri4Juz+QfiWYui/E9UGSXau/2P8LjnTD8V4Unn+2FAZVGE3kL23bzeoULYv4PeleB3gfm" "JiDJOKU3Ns5L4KJAUUHjFwDebt0NP+sBK0VKeTATL2Yr/S3bT/xhy+1xtj4RkdV7fVxTn56Lb4udUnwuxK4V5b5PdOKj/+XcwIDAQAB\; n=A 1024 bit key\;"

So, my question is about how our DKIM filter is supposed to know to check yahoo.com when given a domain of bellsouth.com in the DKIM-Signature? Is there a newer version than dkim-milter-2.8.3 which might understand some new magic about how to translate domain names given in the DKIM header? Is this just a configuration problem at Yahoo?
I thought they were a leader in the DomainKeys/DKIM area and it would seem strange if they didn't understand their own protocol.

_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
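
The key lookup from the log above, as an added example that is not part of the original post: a DKIM verifier builds the query name only from the s= and d= tags of the signature, so the relay's own domain never enters the lookup. The sample header is shortened from the one quoted, ZONE is a constructed stand-in for DNS, and the result names are those of RFC 6376 section 6.1.2.

```python
import re

# Constructed sample: the header quoted in the post, with bh=/b= and h= shortened.
SAMPLE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; s=s1024;\r\n"
          "\tt=1251295577; bh=<elided>;\r\n"
          "\th=Message-ID:Date:From:Subject:To; b=<elided>")

# Constructed stand-in for DNS: only the yahoo.com selector has a key record.
ZONE = {"s1024._domainkey.yahoo.com": "k=rsa; t=y; p=<elided>"}

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_tag_list(value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # a trailing ';' is allowed
        name, sep, val = item.partition("=")  # base64 '=' padding stays in val
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: " + name)
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(tags):
    """Name the verifier queries: <selector>._domainkey.<signing domain>."""
    for required in REQUIRED_TAGS:
        if required not in tags:
            raise ValueError("missing required tag: " + required)
    return "%s._domainkey.%s" % (tags["s"], tags["d"].lower())


def retrieve_key(header_value, zone, resolver_ok=True):
    """Return (status, query_name, detail) for one signature."""
    name = key_query_name(parse_tag_list(header_value))
    if not resolver_ok:
        return ("TEMPFAIL", name, "key unavailable")       # DNS gave no answer
    record = zone.get(name)
    if record is None:
        return ("PERMFAIL", name, "no key for signature")  # no record at that name
    return ("OK", name, record)
```

With the header as sent, the lookup name is s1024._domainkey.bellsouth.net and the result is a permanent failure for that one signature; nothing in the signature points a verifier at yahoo.com.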
