[Wow, this is really a blast from the past...I remember your name from back when I was a student at WRHS and we were using first a Spectra 70 and then a KA10 at WPI. But I'm probably dating both of us...]
I'm not entirely happy with all of the defaults for handling DNS failures. The CONFIGURATION section of the dkim-filter manpage says "In the interests of minimal initial impact, the defaults for badsignature and nosignature are accept, and the default for the others is tempfail." Which means that if it can't access the key record, it'll tempfail the message, which I don't consider minimal initial impact. I have my filter (2.8.1 currently) set up to override the defaults for those failures. Here are my command line arguments:

DKIM_ARGS="-l -d bluepopcorn.net -D -p inet:8...@localhost -k /var/db/domainkeys/buttered.key.pem -s buttered -c relaxed -C bad=accept,dns=accept,int=accept,no=accept,sec=accept"

So I'm still accepting the message on any type of failure.

-Jim

Allan E. Johannesen wrote:
> I recently started signing our email with DKIM and started using a dkim filter for our inbound mail.
>
> We are a university and I got a complaint from certain parents who became unable to email their son, a student here.
>
> The parents also tried emailing our helpdesk, which also failed. This appears in our logs:
>
> Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: from=<[email protected]>, size=3440, class=0, nrcpts=1, msgid=<[email protected]>, proto=SMTP, daemon=MTA, relay=web180614.mail.sp1.yahoo.com [68.180.196.150]
> Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: header: X-SPF-Scan-By: smf-spf v2.0.2 - http://smfs.sf.net/
> Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter add: header: Received-SPF: Neutral (SMTP.WPI.EDU: 68.180.196.150 is neither permitted\n\tnor denied by domain of [email protected])\n\treceiver=SMTP.WPI.EDU; client-ip=68.180.196.150;\n\tenvelope-from=<[email protected]>; helo=web180614.mail.sp1.yahoo.com;
> Aug 24 11:33:47 SMTP dkim-filter[11907]: n7OFXfCD009611: key retrieval failed (s=s1024, d=bellsouth.net): `s1024._domainkey.bellsouth.net' record not found
> Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert (1): header: Authentication-Results: SMTP.WPI.EDU; dkim=neutral\n\[email protected]; x-dkim-adsp=none
> Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter insert (1): header: X-DKIM: Sendmail DKIM Filter v2.8.3 SMTP.WPI.EDU n7OFXfCD009611
> Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: Milter: data, reject=451 4.3.2 Please try again later
> Aug 24 11:33:47 SMTP sendmail[9611]: n7OFXfCD009611: to=<[email protected]>, delay=00:00:00, pri=33440, stat=Please try again later
>
> "parent" is not the address at bellsouth. It gives "ok" from their mail server, so maybe parent is somebody, but it's not them.
>
> The parents claimed they were unable to get any help from Yahoo or BellSouth about this issue. Those helpdesk people claimed that the problem was here at WPI.
>
> I thought that the parents had gotten onto yahoo by mistake and were sending a bellsouth message, causing the trouble, but I found a mention of "netscape mail" on the bellsouth.net Internet mail FAQ, and that leads me to suspect that maybe Yahoo is really officially carrying BellSouth customers' email. Maybe that's a bad guess of mine.
>
> I turned off the DKIM filter, since I can't see the message until I do that.
>
> A message from them to me had this header:
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net;
>   s=s1024; t=1251295577; bh=AWurPyCfrWyL7Q4VoVf/3EwEKj++xepXQ72Z/H6SNU0=;
>   h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;
>   b=NtTZuqgdUa6AbMvBYLAcplSRLag1MYv64CaLP9tngtSO4p7uuclGatImb9L7aRHaLFlXH1LXPHPDH7DN05y4/JwxZSyg1lJND9iaNejALpGTeyuBSSE1NjBWAhh97Z1vpSWVEqvZL6x7q7JmBJVxy8dMrpqdRg92ahgXJgUYJc0=
>
> The problem is that bellsouth.net has no selector named s1024. However, yahoo.com does:
>
> # dig s1024._domainkey.yahoo.com txt
>
> ; <<>> DiG 9.3.4-P1 <<>> s1024._domainkey.yahoo.com txt
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39073
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
>
> ;; QUESTION SECTION:
> ;s1024._domainkey.yahoo.com. IN TXT
>
> ;; ANSWER SECTION:
> s1024._domainkey.yahoo.com. 86400 IN TXT "k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrEee0Ri4Juz+QfiWYui/E9UGSXau/2P8LjnTD8V4Unn+2FAZVGE3kL23bzeoULYv4PeleB3gfm"
>   "JiDJOKU3Ns5L4KJAUUHjFwDebt0NP+sBK0VKeTATL2Yr/S3bT/xhy+1xtj4RkdV7fVxTn56Lb4udUnwuxK4V5b5PdOKj/+XcwIDAQAB\; n=A 1024 bit key\;"
>
> So, my question is about how our DKIM filter is supposed to know to check yahoo.com when given a domain of bellsouth.com in the DKIM-Signature.
>
> Is there a newer version than dkim-milter-2.8.3 which might understand some new magic about how to translate domain names given in the DKIM header?
>
> Is this just a configuration problem at Yahoo? I thought they were a leader in the Domainkeys/DKIM area and it would seem strange if they didn't understand their own protocol.
> _______________________________________________
> dkim-ops mailing list
> [email protected]
> http://mipassoc.org/mailman/listinfo/dkim-ops
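The decision the log above records (selector record not found, then a 451 tempfail) can be modelled in a few lines. The following Python is an added example, not code from the thread or from dkim-filter: it derives the key record name from the DKIM-Signature tags, looks it up in a constructed DNS table, and applies a dkim-filter style "-C" policy string on top of the manpage defaults quoted by Jim. Treating the "dns" policy key as the one that governs a failed selector lookup is an assumption drawn from the log, not from the dkim-filter source.

```python
# Added example, not dkim-filter code. FAKE_DNS_TXT is a constructed stand-in
# for DNS; mapping policy key "dns" to a failed key lookup is an assumption.
import re

# Constructed DNS stand-in: only yahoo.com publishes selector s1024.
FAKE_DNS_TXT = {
    "s1024._domainkey.yahoo.com":
        "k=rsa; t=y; p=MIGfCONSTRUCTEDPLACEHOLDERKEY; n=A 1024 bit key;",
}

# Defaults as quoted from the dkim-filter manpage in the thread.
DEFAULT_POLICY = {"bad": "accept", "no": "accept",
                  "dns": "tempfail", "int": "tempfail", "sec": "tempfail"}

# Header from the thread, with the long bh=/b= values replaced by placeholders.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=bellsouth.net; "
              "s=s1024; t=1251295577; bh=PLACEHOLDER=; "
              "h=Message-ID:Date:From:Subject:To; b=PLACEHOLDER=")

def parse_tags(text):
    """Split a DKIM tag=value list (header or TXT record) into a dict."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_record_name(sig_tags):
    """Key location a verifier queries: <selector>._domainkey.<signing domain>."""
    return "%s._domainkey.%s" % (sig_tags["s"], sig_tags["d"])

def parse_policy(c_arg):
    """Overlay a '-C bad=accept,dns=accept,...' string on the defaults."""
    policy = dict(DEFAULT_POLICY)
    for item in filter(None, c_arg.split(",")):
        key, action = item.split("=", 1)
        policy[key.strip()] = action.strip()
    return policy

def key_lookup(sig_header, dns, policy):
    """Return (diagnostic, milter action) for the key-retrieval step only."""
    name = key_record_name(parse_tags(sig_header))
    record = dns.get(name)
    if record is None:
        # The case in the log: "tempfail" becomes the MTA's 451 reply,
        # while "accept" lets the message through with dkim=neutral.
        return ("key retrieval failed: %s record not found" % name,
                policy["dns"])
    return ("key found at %s, k=%s" % (name, parse_tags(record).get("k")),
            "continue")
```

With the defaults the bellsouth.net signature yields "tempfail"; with Jim's -C string it yields "accept", and only a signature whose d= names yahoo.com finds the record.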
