Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Mark Martinec wrote:
> leeyc0,
>
>> I have to comment out a line in Net/DNS/Resolver/Base.pm to fix this problem.
>> (below are some lines in the Net/DNS/Resolver/Base.pm send_tcp function)
>>
>>     $buf = read_tcp($sock, $len, $self->{'debug'});
>>     # comment this line, this should be a class property but used as a function
>>     # apparently mixed up with Net::DNS::Packet
>>     #$self->answerfrom($sock->peerhost);
>>     print ';; received ', length($buf), " bytes\n" if $self->{'debug'};
>
> Thanks, good work - except that I can't reproduce the problem,
> and the fallback to TCP in Net::DNS 0.66 works just fine with
> your first sample message. Which version of Net::DNS are you using?

I am using 0.66, installed using CPAN.

Turns out that the problem is not in the Net::DNS package, but rather the function call $sock->peerhost (which is a Socket object). $sock->peerhost runs normally until some data is read from the socket (to be exact, that particular failing line is in the Net::DNS::Base read_tcp function, the line that reads "unless ($sock->recv($read_buf, $nread))"). After the $sock->recv call, $sock->peerhost fails with "Bad arg length for Socket::unpack_sockaddr_in".

At this point I gave up troubleshooting, since I knew that it would be futile to proceed further, because it seems that the problem is that the mail server OS is too old and has some compatibility problems with new software.

--
View this message in context: http://old.nabble.com/the-dkim-sigature-is-valid%2C-but-still-triggered-T_DKIM_INVALID-in-mail-server-tp28178215p28201004.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

leeyc0,

>> After some struggle and tracing every bit of code (including tracing
>> installing cpan packages!), apparently it is a bug in the latest
>> Net::DNS::Packet::Resolver::Base send_tcp function call...
>
> Yes, it is caused by a bug in Net::DNS::Resolver::Base (sorry, there was a
> typo before about the package name).
> I have to comment out a line in Net/DNS/Resolver/Base.pm to fix this problem.
> (below are some lines in the Net/DNS/Resolver/Base.pm send_tcp function)
>
>     $buf = read_tcp($sock, $len, $self->{'debug'});
>     # comment this line, this should be a class property but used as a function
>     # apparently mixed up with Net::DNS::Packet
>     #$self->answerfrom($sock->peerhost);
>     print ';; received ', length($buf), " bytes\n" if $self->{'debug'};

Thanks, good work - except that I can't reproduce the problem, and the fallback to TCP in Net::DNS 0.66 works just fine with your first sample message. Which version of Net::DNS are you using?

Does the SpamAssassin dkim test produce any errors?

    $ prove t/dkim2.t

    $ export RES_OPTIONS=debug
    $ perl -MMail::DKIM::Verifier -ne '
        BEGIN{$dkim=Mail::DKIM::Verifier->new_object};
        s/\r?\n\z/\015\012/; $dkim->PRINT($_);
        END{$dkim->CLOSE;
            printf("%s\n",$_->result_detail) for $dkim->signatures}' dkim-failed.eml

    ;; query(ns4._domainkey.iwtek.net, TXT)
    ;; Trying to set up a AF_INET6() family type UDP socket with srcaddr: 0.0.0.0 ... done
    ;; setting up an AF_INET() family type UDP socket
    ;; send_udp(::1:53)
    ;; answer from ::1:53 : 478 bytes
    ;; HEADER SECTION
    ;; id = 29254
    ;; qr = 1  opcode = QUERY  aa = 0  tc = 1  rd = 1
    ;; ra = 1  ad = 0  cd = 0  rcode = NOERROR
    ;; qdcount = 1 ancount = 1 nscount = 0 arcount = 0
    ;; QUESTION SECTION (1 record)
    ;; ns4._domainkey.iwtek.net. IN TXT
    ;; ANSWER SECTION (1 record)
    ns4._domainkey.iwtek.net. 2095 IN TXT v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApEnzzPme RPW8s51DoJqu4ShXkFxLZVoSwPapc1HUGWCNBFbMvKReIYLxQoCWMC h6E1Pv5GITqWC1LrA9dluupPHIuyu7vXMMkecq6o1e4T0J5ZspzNMa TtPrvwlZEE5KZ5bWXuDTDjK6e24KfkPgWPg5jjMWs/fkEjPBNsNNmh kHkXMulHb4+LkTSgDWxE6WgMc8R7KvUuY6AedeY3CUpzzBqn/UNZgu w8Z9y7y2GPJK9lm4ERkbqZuiRB+iCDYmlSgUClWGk4cywkWK3AaAB/ 7w+2xLJ2DgVDGrgxLQCVLlpHnybGrh6FN0R8mlffZy9RJpmq3raO/e YkD1t2eeWQIDAQAB
    ;; AUTHORITY SECTION (0 records)
    ;; ADDITIONAL SECTION (0 records)
    ;;
    ;; packet truncated: retrying using TCP
    ;; attempt to send_tcp(::1:53) (src port = 0)
    ;; sending 42 bytes
    ;; read_tcp: expecting 2 bytes
    ;; read_tcp: received 2 bytes
    ;; read_tcp: expecting 614 bytes
    ;; read_tcp: received 614 bytes
    ;; received 614 bytes
    ;; HEADER SECTION
    ;; id = 29254
    ;; qr = 1  opcode = QUERY  aa = 0  tc = 0  rd = 1
    ;; ra = 1  ad = 0  cd = 0  rcode = NOERROR
    ;; qdcount = 1 ancount = 1 nscount = 4 arcount = 4
    ;; QUESTION SECTION (1 record)
    ;; ns4._domainkey.iwtek.net. IN TXT
    ;; ANSWER SECTION (1 record)
    ns4._domainkey.iwtek.net. 2095 IN TXT v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApEnzzPme RPW8s51DoJqu4ShXkFxLZVoSwPapc1HUGWCNBFbMvKReIYLxQoCWMC h6E1Pv5GITqWC1LrA9dluupPHIuyu7vXMMkecq6o1e4T0J5ZspzNMa TtPrvwlZEE5KZ5bWXuDTDjK6e24KfkPgWPg5jjMWs/fkEjPBNsNNmh kHkXMulHb4+LkTSgDWxE6WgMc8R7KvUuY6AedeY3CUpzzBqn/UNZgu w8Z9y7y2GPJK9lm4ERkbqZuiRB+iCDYmlSgUClWGk4cywkWK3AaAB/ 7w+2xLJ2DgVDGrgxLQCVLlpHnybGrh6FN0R8mlffZy9RJpmq3raO/e YkD1t2eeWQIDAQAB
    ;; AUTHORITY SECTION (4 records)
    iwtek.net. 2029 IN NS ns6.iwtek.net.
    iwtek.net. 2029 IN NS ns3.iwtek.net.
    iwtek.net. 2029 IN NS ns4.iwtek.net.
    iwtek.net. 2029 IN NS ns5.iwtek.net.
    ;; ADDITIONAL SECTION (4 records)
    ns3.iwtek.net. 2095 IN A 116.92.10.96
    ns4.iwtek.net. 2095 IN A 116.92.10.97
    ns5.iwtek.net. 2095 IN A 116.92.10.98
    ns6.iwtek.net. 2095 IN A 218.213.70.126
    pass

Mark
the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

http://old.nabble.com/file/p28178215/dkim-failed.eml dkim-failed.eml

I manage multiple mail servers, and recently decided to implement DKIM, but I met a very strange problem.

I tried to send a DKIM-signed email to both @iwtek.net and @ieaa.org, as in the attachment (both mail servers are managed by me), but I got T_DKIM_INVALID in iwtek.net while I got DKIM_VALID,DKIM_VALID_AU in ieaa.org (it is the same email simultaneously sent to both email addresses).

This is weird enough, but there is an even stranger thing. I tried to feed the supposedly failed email (exactly the one attached) to spamd in ieaa.org, and I got DKIM_VALID,DKIM_VALID_AU.

I have really no idea what's wrong here. Does anyone here have a clue?
Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

On Thursday 08 April 2010 15:01:40 leeyc0 wrote:
> http://old.nabble.com/file/p28178215/dkim-failed.eml dkim-failed.eml
>
> I manage multiple mail servers, and recently decided to implement DKIM, but
> I met a very strange problem.
>
> I tried to send a DKIM-signed email to both @iwtek.net and @ieaa.org, as in
> the attachment (both mail servers are managed by me), but I got
> T_DKIM_INVALID in iwtek.net while I got DKIM_VALID,DKIM_VALID_AU in ieaa.org
> (it is the same email simultaneously sent to both email addresses).
>
> This is weird enough, but there is an even stranger thing. I tried to feed
> the supposedly failed email (exactly the one attached) to spamd in ieaa.org,
> and I got DKIM_VALID,DKIM_VALID_AU.
>
> I have really no idea what's wrong here. Does anyone here have a clue?

The dkim-failed.eml message looks fine, the DKIM signature validates.

If both domains are under your control/access, the simplest is to collect the message from both mailboxes and compare them.

Mark
Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Mark Martinec wrote:
> The dkim-failed.eml message looks fine, the DKIM signature validates.
>
> If both domains are under your control/access, the simplest is to
> collect the message from both mailboxes and compare them.
>
> Mark

I tried, but still have no clue, but discovered another horrible thing. I tried to send another email from gmail to iwtek.net, the DKIM signature validates at iwtek.net (see attachment). I am running mad now...

http://old.nabble.com/file/p28178961/gmail.eml gmail.eml
Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Mark Martinec wrote:
> The dkim-failed.eml message looks fine, the DKIM signature validates.
>
> If both domains are under your control/access, the simplest is to
> collect the message from both mailboxes and compare them.
>
> Mark

I changed to use a 1024 bit RSA key, and it seems the email passed DKIM validation. It seems that my perl installation at iwtek.net somehow cannot validate 2048 bit RSA DKIM signatures. Does anyone have a clue?
Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

> I tried, but still have no clue, but discovered another horrible thing. I
> tried to send another email from gmail to iwtek.net, the DKIM signature
> validates at iwtek.net (see attachment). I am running mad now...
> http://old.nabble.com/file/p28178961/gmail.eml gmail.eml

One thing I noticed: this second message contains a header field:

    X-mail-iwtek-net-MailScanner-SpamCheck: not spam, SpamAssassin (not cached

but the first one does not say "not cached". Could it be a MailScanner issue, that it was reusing a cached SpamAssassin result from some earlier mail sample? Having a trivial message with a single '=' line in a body makes it very likely to hit a body hash of some earlier test message.

> I changed to use a 1024 bit RSA key, and it seems the email passed DKIM
> validation. It seems that my perl installation at iwtek.net somehow cannot
> validate 2048 bit RSA DKIM signatures. Does anyone have a clue?

That is possible too, the DNS packet is probably larger than 512 bytes, and perhaps your DNS resolver does not fall back to TCP or EDNS0, or you have TCP on port 53 blocked at a firewall.

Mark
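Added example, not part of the thread and not Net::DNS code: a Python version of the check Mark describes above, sending the DKIM TXT query over UDP without EDNS0 and retrying over TCP when the reply has the TC (truncated) bit set. The function names are this example's own, and the resolver address is whatever the caller passes in.

```python
import socket
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header flags word (RFC 1035)

def build_txt_query(name, qid=0x1234):
    """Plain DNS query for a TXT record: recursion desired, no EDNS0."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def is_truncated(response):
    """True when the server set TC: the answer did not fit in the UDP reply."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & TC_BIT)

def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed mid-message")
        buf += chunk
    return buf

def lookup(name, server, timeout=5.0):
    """Return (transport, response); raises OSError if TCP port 53 is unreachable."""
    query = build_txt_query(name)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(512)  # classic UDP size limit without EDNS0
    if not is_truncated(reply):
        return "udp", reply
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
        (length,) = struct.unpack("!H", recv_exact(tcp, 2))
        return "tcp", recv_exact(tcp, length)

if __name__ == "__main__":
    import sys
    transport, msg = lookup(sys.argv[1], sys.argv[2])
    print(f"{transport}: {len(msg)} bytes")
```

Run it with the selector name and the resolver address as arguments; a timeout or connection error on the TCP step, after a truncated UDP reply, points at blocked TCP port 53 rather than at the signature.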
Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

>> I changed to use a 1024 bit RSA key, and it seems the email passed DKIM
>> validation. It seems that my perl installation at iwtek.net somehow cannot
>> validate 2048 bit RSA DKIM signatures. Does anyone have a clue?
>
> That is possible too, the DNS packet is probably larger than 512 bytes,
> and perhaps your DNS resolver does not fall back to TCP or EDNS0,
> or you have TCP on port 53 blocked at a firewall.
>
> Mark

Turns out the problem here is the classic problem of "I got an old (or broken?) system". I tried to use the Mail::DKIM library directly to debug the problem, and got this error message when an email with an RSA 2048 bit signature is fed into it.

    verify result: invalid (public key: Bad arg length for Socket::unpack_sockaddr_in, length is 4095, should be 16 at /usr/local/lib/perl5/5.8.6/i686-linux/Socket.pm line 370, STDIN line 41.)

Feeding an email with an RSA 1024 bit signature doesn't have any problem.
Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

leeyc0 wrote:
>>> I changed to use a 1024 bit RSA key, and it seems the email passed DKIM
>>> validation. It seems that my perl installation at iwtek.net somehow cannot
>>> validate 2048 bit RSA DKIM signatures. Does anyone have a clue?
>>
>> That is possible too, the DNS packet is probably larger than 512 bytes,
>> and perhaps your DNS resolver does not fall back to TCP or EDNS0,
>> or you have TCP on port 53 blocked at a firewall.
>>
>> Mark
>
> Turns out the problem here is the classic problem of "I got an old (or
> broken?) system". I tried to use the Mail::DKIM library directly to debug the
> problem, and got this error message when an email with an RSA 2048 bit
> signature is fed into it.
>
>     verify result: invalid (public key: Bad arg length for Socket::unpack_sockaddr_in, length is 4095, should be 16 at /usr/local/lib/perl5/5.8.6/i686-linux/Socket.pm line 370, STDIN line 41.)
>
> Feeding an email with an RSA 1024 bit signature doesn't have any problem.

After some struggle and tracing every bit of code (including tracing installing cpan packages!), apparently it is a bug in the latest Net::DNS::Packet::Resolver::Base send_tcp function call...
Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

leeyc0 wrote:
> After some struggle and tracing every bit of code (including tracing
> installing cpan packages!), apparently it is a bug in the latest
> Net::DNS::Packet::Resolver::Base send_tcp function call...

Yes, it is caused by a bug in Net::DNS::Resolver::Base (sorry, there was a typo before about the package name).

I have to comment out a line in Net/DNS/Resolver/Base.pm to fix this problem.

(below are some lines in the Net/DNS/Resolver/Base.pm send_tcp function)

    $buf = read_tcp($sock, $len, $self->{'debug'});
    # comment this line, this should be a class property but used as a function
    # apparently mixed up with Net::DNS::Packet
    #$self->answerfrom($sock->peerhost);
    print ';; received ', length($buf), " bytes\n" if $self->{'debug'};

(end)