From: can on 21 Jun 2010 05:33

Hello,

I cannot get DKIM to sign my emails correctly. I followed this tutorial: http://www.debiantutorials.net/setup-domainkeys-identified-mail-dkim-in-postfix/ but when sending a test e-mail to dkim-test at altn.com, I got the reply:

    Authentication-Results: c3po.altn.com
      spf=softfail smtp.mail=apache(a)natune.net;
      sender-id=softfail header.from=admin(a)natune.net;
      x-ip-ptr=hardfail ip=85.190.1.229 (no PTR records found);
      x-ip-helo=pass smtp.helo=donnell.natune.net (ip=85.190.1.229);
      x-ip-mail=hardfail smtp.mail=apache(a)natune.net (does not match 85.190.1.229);
      dkim=neutral header.d=natune.net (b=shUNp7xHDL; 1:-4:DKIM_SIGNATURE_BAD_BUT_TESTING);

(Only the dkim error is of relevance; the rest is not set up yet anyway.)

I decided to create the keys manually by executing:

    openssl genrsa -out private.key 1024
    openssl rsa -in private.key -out public.key -pubout -outform PEM

I copied the private.key to /etc/dkim/keys/... Now I get this error when using the altn service mentioned above:

    Authentication-Results: c3po.altn.com
      spf=softfail smtp.mail=apache(a)natune.net;
      sender-id=softfail header.from=admin(a)natune.net;
      x-ip-ptr=hardfail ip=85.190.1.229 (no PTR records found);
      x-ip-helo=pass smtp.helo=donnell.natune.net (ip=85.190.1.229);
      x-ip-mail=hardfail smtp.mail=apache(a)natune.net (does not match 85.190.1.229);
      dkim=neutral header.d=natune.net (b=fb2GTtkV25; 1:-15:DKIM_BODY_HASH_MISMATCH);

Where could the mistake be?

There is one strange thing I noticed: when I choose another selector (that is, I update dkim-keys.conf with another selector that is also registered in my DNS config, and restart the dkim service) and send the same email (different headers, but same message) again, then I get the same body hash (bh=...) in the message. Shouldn't the hash value change when using a different selector? (The DKIM header of the email even shows that another selector name has been used (s=selector2 or s=all).)

By the way: I also get DKIM_SIGNATURE_BAD_BUT_TESTING if I use the private key that is the counterpart of the public key for selector2. The funny thing is: this very private/public key combination is working on a Red Hat machine using postfix. It's even the same PHP script that is sending the message. Why is my config not working on Lenny?

br,
Can
From: can on 21 Jun 2010 05:58

On 21 Jun., 12:33, can <ad...(a)natune.net> wrote:
> There is one strange thing I noticed:
> When I choose another selector (that is I update dkim-keys.conf with
> another selector, that is also registered in my DNS config, and
> restart the dkim service) and send the same email (different headers,
> but same message) again, then I get the same body hash (bh=...) in the
> message. Shouldn't the hash value change when using a different
> selector? (The DKIM header of the email even shows that another
> selector name has been used (s=selector2 or s=all)).
>

Example: I used the selector "all", with its own private key, resulting in this header:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=natune.net; s=all;
      t=1277114076; bh=tWyrSgVZYk7QAeOAedkgh87wExER+3YgRDefzUPH94E=;
      h=To:Subject:From:Mime-Version:Content-Type:Content-Transfer-Encoding:Message-Id:Date;
      .......

Then I sent the same message body, signed with selector "selector", resulting in this header:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=natune.net; s=selector2;
      t=1277113972; bh=tWyrSgVZYk7QAeOAedkgh87wExER+3YgRDefzUPH94E=;
      h=To:Subject:From:Mime-Version:Content-Type:Content-Transfer-Encoding:Message-Id:Date;
      ........

Note that s= is different each time but bh is identical:

    selector "all":       bh=tWyrSgVZYk7QAeOAedkgh87wExER+3YgRDefzUPH94E=
    selector "selector2": bh=tWyrSgVZYk7QAeOAedkgh87wExER+3YgRDefzUPH94E=

Is this normal?
From: can on 21 Jun 2010 10:02

To answer my own question: the keys are ok, the DNS settings are ok. The problem has to do with line endings.

My email is Base64 encoded (by PHP). PHP wraps the lines automatically when encoding the text...

The integration of the DKIM service is done via

    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891

in the main.cf file (...just as it is proposed in dozens of howtos...).

Now the problem is that, most probably AFTER the message has been signed, postfix changes the line endings... which breaks the signature.

I could tweak the PHP code so that the line endings won't be changed, but that's not really a clean solution... What if I send a message via the submission service and have the same troubles...?

So... I somehow need to change the way DKIM is integrated into postfix. I haven't found a working solution yet, though...
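As an added, stand-alone example (not code from this thread, nor from Postfix, PHP or the DKIM milter it mentions), the script below computes the DKIM bh= value with the relaxed body canonicalisation from RFC 6376 section 3.4.4, checks a received body against the bh= tag of a DKIM-Signature header, and shows on a constructed base64 body why the two observations above go together: bh= covers only the canonicalised body bytes, so it is the same for every selector and key, and (with the LF-to-CRLF normalisation this example assumes) the same for LF- and CRLF-terminated copies of the same lines, but it changes as soon as the base64 lines are re-wrapped at a different column, which a verifier then reports as a body hash mismatch. Python 3 standard library only; the sample text, domain and selector names are made up for the example.

```python
"""DKIM bh= with relaxed canonicalisation: what a body hash mismatch does
and does not depend on.  Example code, not from the thread or its tools."""
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalisation.

    Bare LF is normalised to CRLF first.  That is an assumption of this
    example (DKIM is defined over CRLF-terminated lines) so that the same
    lines saved Unix-style or SMTP-style canonicalise identically.
    """
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    lines = body.split(b"\r\n")
    # Collapse runs of SP/HTAB inside a line to one SP, drop trailing WSP.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes) -> str:
    """bh= tag value for a=rsa-sha256: base64(SHA-256(canonicalised body)).
    Neither the selector nor the signing key enters this computation."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, removing the
    folding whitespace that a wrapped header leaves inside long values."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(dkim_signature: str, body_as_received: bytes) -> bool:
    """Does the body the verifier received still hash to the bh= it was
    signed with?  False is what shows up as DKIM_BODY_HASH_MISMATCH."""
    return parse_dkim_tags(dkim_signature).get("bh") == body_hash(body_as_received)


def base64_body(text: bytes, width: int, eol: bytes) -> bytes:
    """Base64-encode text and wrap it every `width` characters with `eol`,
    the way a script that base64-encodes and chunk-splits a mail body does."""
    enc = base64.b64encode(text).decode("ascii")
    chunks = (enc[i:i + width].encode("ascii") for i in range(0, len(enc), width))
    return eol.join(chunks) + eol


# Constructed sample body (assumption of the example, not a real message).
SAMPLE_TEXT = b"Hello from the DKIM test script. " * 8
SIGNED_BODY = base64_body(SAMPLE_TEXT, 76, b"\r\n")     # what the signer hashed
LF_BODY = base64_body(SAMPLE_TEXT, 76, b"\n")           # same lines, LF-terminated
REWRAPPED_BODY = base64_body(SAMPLE_TEXT, 72, b"\r\n")  # same text, re-wrapped later


def signature_header(selector: str, body: bytes) -> str:
    """DKIM-Signature tags a signer would emit for `body`.  The b= value is
    left empty: the RSA step is not needed to reason about bh=."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s={selector}; "
            f"bh={body_hash(body)}; h=From:To:Subject:Date; b=")


if __name__ == "__main__":
    sig_all = signature_header("all", SIGNED_BODY)
    sig_sel2 = signature_header("selector2", SIGNED_BODY)
    print("bh identical across selectors:  ",
          parse_dkim_tags(sig_all)["bh"] == parse_dkim_tags(sig_sel2)["bh"])
    print("LF copy of the same lines passes:", check_body_hash(sig_all, LF_BODY))
    print("re-wrapped base64 passes:        ", check_body_hash(sig_all, REWRAPPED_BODY))
    print("re-wrapped body decodes the same:",
          base64.b64decode(REWRAPPED_BODY) == base64.b64decode(SIGNED_BODY))
```

To use it on a real case, paste the DKIM-Signature header as the verifier received it into check_body_hash together with the raw body bytes taken from the receiving side; if that returns False while the same call with the body as it left the signer returns True, something between the signer and the verifier rewrote the body. The base64-decoded content being identical while bh= differs is exactly the situation with re-wrapped or re-terminated lines: the message is the same to the reader but not to the hash.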