Hello Kirill.
Kirill A. Korinsky wrote in
<98c1f03bc1d6c...@mx1.catap.net>:
...
|> Kirill A. Korinsky wrote in
|> <2fdd33f2325e6...@mx2.catap.net>:
|>|>|I imply that using ed25519 usually leads to malformed signature, \
...
|>|> Then these are not standard compliant. The DKIM standard 6376
|>|> *explicitly* supports multiple signatures.
|>|
|>|Yes, RFC may imply that but OpenDKMI was released quite a while ago \
|>|and the
|>|last stable release seems that doesn't handle well this case.
|>
|> OpenDKIM cannot. I looked at its code in about January and there
|> is no notion of it. zdkimfilter as of courier bases upon it, and
|> supports it. (Very preprocessor sprinkled crypto code in between
|> several libraries that uses, though, and the OpenSSL 3.0 thing
|> even fiddles with openssl parameters which i have *not*
|> understood from my short glance..)
|
|And here the issue and my point: until OpenDKIM is supporting anything else
|than RSA may lead to delivery emails into Junk.
No, Kirill, you are misunderstanding a little bit how DKIM works.
...
|> I could very much imagine that if you change to RSA-SHA256 then
|> your problem will vanish.
|
|Nope, it doesn't
|
|See mxtoolbox [1] for the case of RSA-SHA256 and icloud says, let me quote:
|
| Authentication-Results: dkim-verifier.icloud.com; dkim=permerror \
| (0-bit key) header.d=korins.ky header.i=@korins.ky header.b=VNwI9oir
| Authentication-Results: dkim-verifier.icloud.com; dkim=pass (2048-bit \
| key) header.d=korins.ky header.i=@korins.ky header.b=qwDQ6QCD
|
|The issue that one of signatures is invalid, and icloud moves mail to the
|Junk folder.
Because DKIM says that as long as *one* signature passes
correctly, DKIM has succeeded. The introduction of new algorithms
and key changes etc is quite broadly foreseen in a lot of RFCs
regarding public key infrastructure in the last two decades (my
view is very limited however, but, still..).
|As soon as I use only RSA signatures, emails are delivered to inbox.
This is broken behaviour of these people, see RFC 6376, 6.1:
INFORMATIVE NOTE: The rationale of this requirement is to permit
messages that have invalid signatures but also a valid signature
to work.
...
the message should succeed even in the presence of the
known-broken signature.
What they are doing is wrong. Maybe if you move it out of Junk
a few times their algorithm learns or what, i do not know.
I would start screaming, but normally noone listens anyhow, sure.
|Footnotes:
|[1] https://mxtoolbox.com/deliverability/86e2b0ff-ba95-47f3-b71e-4ead73\
|653a73
Ah, you, i do not look, this required Javascript and whatnot.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
