At 08:37 26-08-2009, Allan E. Johannesen wrote:
>I recently started signing our email with DKIM and started using a dkim filter
>for our inbound mail.
>
>We are a university and I got a complaint from certain parents who became
>unable to email their son, a student here.
>
>The parents also tried emailing our helpdesk, which also failed. This appears
>in our logs:
>
>Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611:
>from=<[email protected]>, size=3440, class=0, nrcpts=1,
>msgid=<[email protected]>, proto=SMTP,
>daemon=MTA, relay=web180614.mail.sp1.yahoo.com [68.180.196.150]
>Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add:
>header: X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/
>Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add:
>header: Received-SPF: Neutral (SMTP.WPI.EDU: 68.180.196.150 is
>neither permitted\n\tnor denied by domain of
>[email protected])\n\treceiver=SMTP.WPI.EDU;
>client-ip=68.180.196.150;\n\tenvelope-from=<[email protected]>;
>helo=web180614.mail.sp1.yahoo.com;
>Aug 24 11:33:47 SMTP dkim-filter[11907]: n7OFXfCD009611: key
>retrieval failed (s=s1024, d=bellsouth.net):
>`s1024._domainkey.bellsouth.net' record not found

The public key cannot be retrieved.

>Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert
>(1): header: Authentication-Results: SMTP.WPI.EDU;
>dkim=neutral\n\[email protected]; x-dkim-adsp=none
>Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert
>(1): header: X-DKIM: Sendmail DKIM Filter v2.8.3 SMTP.WPI.EDU n7OFXfCD009611
>Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter: data,
>reject=451 4.3.2 Please try again later

Configure your milter so that it does not temporarily fail if there is a DNS issue (On-DNSError accept).

>The parents claimed they were unable to get any help from Yahoo or BellSouth
>about this issue. Those helpdesk people claimed that the problem was here at
>WPI.

As you asked an operational question, I'll provide you with the operational answer which is to fix the problem at your end. :-)

>I thought that the parents had gotten onto yahoo by mistake and were sending a
>bellsouth message, causing the trouble, but I found a mention of "netscape
>mail" on the bellsouth.net Internet mail FAQ, and that leads me to suspect that
>maybe Yahoo is really officially carrying BellSouth customers' email. Maybe
>that's a bad guess of mine.

Yes.

>A message from them to me had this header:
>
>DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>d=bellsouth.net; s=s1024; t=1251295577;
>bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=;
>h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;
>
>b=NtTZuqgdUa6AbMvBYLAcplSRLag1MYv64CaLP9tngtSO4p7uuclGatImb9L7aRHaLFlXH1LXPHPDH7DN05y4/JwxZSyg1lJND9iaNejALpGTeyuBSSE1NjBWAhh97Z1vpSWVEqvZL6x7q7JmBJVxy8dMrpqdRg92ahgXJgUYJc0=
>
>The problem is that bellsouth.net has no selector named s1024.
>However, yahoo.com does:
>
># dig s1024._domainkey.yahoo.com txt
>
>; <<>> DiG 9.3.4-P1 <<>> s1024._domainkey.yahoo.com txt
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39073
>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
>
>;; QUESTION SECTION:
>;s1024._domainkey.yahoo.com. IN TXT
>
>;; ANSWER SECTION:
>s1024._domainkey.yahoo.com. 86400 IN TXT "k=rsa\; t=y\;
>p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrEee0Ri4Juz+QfiWYui/E9UGSXau/2P8LjnTD8V4Unn+2FAZVGE3kL23bzeoULYv4PeleB3gfm"
>
>"JiDJOKU3Ns5L4KJAUUHjFwDebt0NP+sBK0VKeTATL2Yr/S3bT/xhy+1xtj4RkdV7fVxTn56Lb4udUnwuxK4V5b5PdOKj/+XcwIDAQAB\;
>
>n=A 1024 bit key\;"
>
>So, my question is about how our DKIM filter is supposed to know to check
>yahoo.com when given a domain of bellsouth.com in the DKIM-Signature

DKIM filter is working correctly as it is using the correct selector and domain to retrieve the public key. This is either a case of the wrong domain being used to DKIM sign the message or a DNS misconfiguration.

>Is there a newer version than dkim-milter-2.8.3 which might understand some new
>magic about how to translate domain names given in the DKIM header?

You do not need to do that.

>Is this just a configuration problem at Yahoo? I thought they were a leader in
>the Domainkeys/DKIM area and it would seem strange if they didn't understand
>their own protocol.

This is a configuration issue at the DKIM signer's end. I tried to report the problem to Bellsouth. As I did not get any response, I fixed the problem at my end.

Regards,
-sm
_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
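
The key lookup discussed in this thread, as an added example that is not part of the original message and is not dkim-milter's code. Assumptions: `HEADER` is shortened from the quoted signature with placeholder `bh=`/`b=` values, the `ZONE` dict stands in for DNS with a placeholder key, and `on_key_unavailable` and the result labels are hypothetical names modelling the tempfail-versus-accept choice.

```python
import re

# Constructed inputs: header shortened from the one quoted in the thread
# (bh=/b= replaced with placeholders); ZONE is a stand-in for DNS.
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
          "\td=bellsouth.net; s=s1024; t=1251295577;\r\n"
          "\tbh=PLACEHOLDER=; h=Message-ID:Date:From:Subject:To;\r\n"
          "\tb=PLACEHOLDER=")
ZONE = {"s1024._domainkey.yahoo.com":
        "k=rsa; t=y; p=PLACEHOLDERKEY; n=A 1024 bit key;"}


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = item.partition("=")  # split on the first '=' only
        name = name.strip()
        if not sep or name in tags:
            raise ValueError("malformed or duplicate tag: %r" % item)
        tags[name] = val.strip()
    return tags


def key_query_name(sig_tags):
    """The only name a verifier queries: <s>._domainkey.<d>."""
    return ("%s._domainkey.%s" % (sig_tags["s"], sig_tags["d"])).lower()


def evaluate(header_value, zone, on_key_unavailable="tempfail"):
    """Return (query name, result label, SMTP action) for one signature.

    on_key_unavailable is a hypothetical policy knob: 'tempfail' mirrors
    the 451 seen in the logs, 'accept' mirrors the suggested setting.
    """
    qname = key_query_name(parse_tags(header_value))
    record = zone.get(qname)
    if record is None:
        return qname, "neutral", on_key_unavailable
    key = parse_tags(record)
    if not key.get("p"):
        # Empty p= means the key was revoked; delivery is left to policy.
        return qname, "key-revoked", "accept"
    return qname, "key-found", "accept"
```

The query name is built only from the signature's own `s=` and `d=` tags, so a key published under another domain is never consulted.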
