Astaro User Bulletin Board
  #1 (permalink)  
Old 07-14-2008, 12:41 PM
fobe's Avatar
Wizard
 
Join Date: Dec 2001
Posts: 511
Default [7.250] DKIM not working [NOTABUG]

Hi,
DKIM seems not to be working completely. I have the following setup:
E-mail Security -> SMTP
1) Simple Mode
2) Routing:
   1) mydomain.com
   2) mailserver.mydomain.com
3) Relaying: Allowed hosts/networks -> mailserver.mydomain.com
4) Advanced:
   1) Filled in my "Private RSA key"
      Filled in the selector "test1024"
      DKIM Domains: mydomain.com
   2) Activated "Use transparent mode" & "Allow SMTP traffic for listed hosts/nets"

Further I enabled & also disabled the AV-footer, so I know for sure that the e-mail is going through ASG.

My nameserver has the right entry (this is tested with another application where it works fine). The "public key" is added in the header but when I test with my yahoo-account it says the following:

"domainkeys=neutral (no sig)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mydomain.com; s=test1024; h=From:Date:To:Message-ID:Subject:
MIME-Version:Content-Type; bh=eYrTKD1FzeJ4fYijEdK/rdPnjLTnDVFszX
kas6BU55U=; b=J3Sg88eLzcfaEVuJpZqpxxWLryjd4fg7zJJgnEBmiFJu5gIk wd
JiVKW53sb9aUSyd84z9EZPDKShUxDK9ttTDY39bICkKnsyycG/ZfAonWTv25jzko
FhGZeQGEdPn57OrhQcCrQlza9HKp2buA+iXwy9mxspnltm8Eoh 8yx/WHI="

The domainkeys shouldn't be neutral (nosig) but something like: from=mydomain.com; domainkeys=pass (ok)...

Last edited by fobe; 07-14-2008 at 01:01 PM.
  #2 (permalink)  
Old 07-14-2008, 01:17 PM
tom's Avatar
tom tom is offline
Super Moderator
 
Join Date: Nov 2000
Location: Heidelberg, Germany
Posts: 1,231
Default

Does the outgoing mail contain a DKIM-Signature header? Please send a message through that ASG to tkistner@astaro-tech.com (This is an out-of-band email address that does no content scan or modification on incoming messages).
__________________
Tom Kistner
Product Development & Administrator
Astaro AG
  #3 (permalink)  
Old 07-14-2008, 02:16 PM
fobe's Avatar
Wizard
 
Join Date: Dec 2001
Posts: 511
Default

Mail is sent.
  #4 (permalink)  
Old 07-14-2008, 08:00 PM
tom's Avatar
tom tom is offline
Super Moderator
 
Join Date: Nov 2000
Location: Heidelberg, Germany
Posts: 1,231
Default

This has resolved itself outside of this thread ...
__________________
Tom Kistner
Product Development & Administrator
Astaro AG
  #5 (permalink)  
Old 09-12-2008, 12:39 AM
BAlfson's Avatar
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,385
Default Having a similar issue

Tom, I established a DKIM record at ns1.bluehost.com:
dkim._domainkey.mediasoftusa.com IN TXT v=DKIM1; p={output of OpenSSL stripped of header, footer & carriage returns}
I have pasted the output of OpenSSL for the private key into Private RSA key complete with the header, footer and CRs.

Key selector: dkim

Domain: mediasoftusa.com

The header of an email sent from mediasoftusa.com to yahoo.com reveals:
domainkeys=neutral (no sig)
Do I need to enable the transparent mode, or do I have another problem?

I have a two-page document I created entitled "Configuring DKIM in the Astaro SMTP Proxy" that I can send you if it would help you understand my problem.

Thanks - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Last edited by BAlfson; 09-12-2008 at 12:52 PM.
  #6 (permalink)  
Old 09-12-2008, 09:40 AM
tom's Avatar
tom tom is offline
Super Moderator
 
Join Date: Nov 2000
Location: Heidelberg, Germany
Posts: 1,231
Default

Quote:
Originally Posted by BAlfson
Tom, I established a DKIM record at ns1.bluehost.com:
dkim._domainkey.mediasoftusa.com IN TXT v=DKIM1; p={output of OpenSSL stripped of header, footer & carriage returns}

You also need to terminate the record name with a dot if you specify the full domain, like:

dkim._domainkey.mediasoftusa.com. IN TXT v=DKIM1; p={output of OpenSSL stripped of header, footer & carriage returns}

Quote:
Originally Posted by BAlfson
The header of an email sent from mediasoftusa.com to yahoo.com reveals:
domainkeys=neutral (no sig)

This is a "domainkeys" result which is kind of a predecessor to DKIM. You can test using the "official" reflector address. See http://testing.dkim.org/reflector.html
__________________
Tom Kistner
Product Development & Administrator
Astaro AG
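
Added example (not part of the post above, and not Astaro code): a small header triage that separates the two questions raised so far, namely whether a DKIM-Signature header is present at all, and whether a receiver's verdict refers to DomainKeys or to DKIM. It also derives the DNS name a verifier looks up from the s= and d= tags. The function names and the sample headers are constructed for illustration.

```python
import re

# Constructed sample modelled on the headers quoted in this thread.
SAMPLE = (
    "Authentication-Results: mta.example.net from=mydomain.com; domainkeys=neutral (no sig)\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=mydomain.com; s=test1024; h=From:Date:To:Message-ID:Subject;\r\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: user@mydomain.com\r\n"
    "Subject: DKIM test\r\n"
)

def unfold(raw):
    """Split a header block into (name, value) pairs, joining folded lines."""
    joined = re.sub(r"\r?\n[ \t]+", " ", raw)
    pairs = []
    for line in joined.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def parse_tags(value):
    """Parse a DKIM tag=value list (v=1; a=...; d=...) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def triage(raw):
    """Report whether the mail is signed and which mechanism each verdict names."""
    headers = unfold(raw)
    sigs = [parse_tags(v) for n, v in headers if n == "dkim-signature"]
    results = {}
    for name, value in headers:
        if name == "authentication-results":
            for method, verdict in re.findall(r"\b(domainkeys|dkim)=(\w+)", value):
                results[method] = verdict
    return {
        "signed": bool(sigs),
        # Name queried for the public key; the trailing dot marks it fully qualified.
        "key_records": [f"{t['s']}._domainkey.{t['d']}." for t in sigs
                        if "s" in t and "d" in t],
        "results": results,
    }
```

A result of signed=True together with only a domainkeys verdict means the receiver reported on the older mechanism and said nothing about the DKIM signature; signed=False means the gateway never signed the message.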
  #7 (permalink)  
Old 09-12-2008, 12:56 PM
BAlfson's Avatar
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,385
Default

I'm sorry for the typo, Tom; the "." is in the DNS record.

An email to mail@testing.dkim.org returns an email containing:
Authentication Results
testing.dkim.org; v=0.1; ssp=neutral, header.From=balfson@MediaSoftUSA.com
DKIM Processing Output
[IIM-EOM: Info]
End of Message
Shouldn't there be something in my outbound header that indicates DKIM? Here's an example of what I sent to my Yahoo account:
From Bob Alfson Thu Sep 11 22:50:16 2008
Return-Path: <balfson@mediasoftusa.com>
Authentication-Results: mta293.mail.mud.yahoo.com from=MediaSoftUSA.com; domainkeys=neutral (no sig)
Received: from 68.15.104.33 (EHLO mediasoftusa.com) (68.15.104.33)
by mta293.mail.mud.yahoo.com with SMTP; Thu, 11 Sep 2008 15:51:26 -0700
Received: from BobDeskTop ([10.1.1.64]) by mediasoftusa.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 11 Sep 2008 17:50:15 -0500
From: "Bob Alfson" <BAlfson@MediaSoftUSA.com>
To: <balfson@yahoo.com>
Subject: DKIM test
Date: Thu, 11 Sep 2008 17:50:16 -0500
Message-ID: <026FE3C15CAF0143A48A7A49428105BC4B0459@sun.MediaSoft.local>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0004_01C91436.D9302390"
Importance: Normal
Thread-Index: AckUYMGk9Z6xGeTESfuALLJfZiaGVQ==
Return-Path: BAlfson@MediaSoftUSA.com
Content-Length: 4132
Thanks again - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
  #8 (permalink)  
Old 09-12-2008, 07:32 PM
tom's Avatar
tom tom is offline
Super Moderator
 
Join Date: Nov 2000
Location: Heidelberg, Germany
Posts: 1,231
Default

Yes, there should be a DKIM-Signature: header in there, so it doesn't sign it. Please check /var/log/smtp.log when sending a message. You can also send login info to tkistner@astaro.com, then I can have a look myself.
__________________
Tom Kistner
Product Development & Administrator
Astaro AG
  #9 (permalink)  
Old 09-15-2008, 05:28 PM
BAlfson's Avatar
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,385
Default Almost there!

My mistake was diagnosed by Tom. His final email gave me what I was missing that caused the Astaro to reject emails from my Exchange Server:

Quote:
Re-add the smarthost to Exchange, and add the IP of your Exchange server to the "Relaying->Host-based relay" list. Then outgoing mail will be handled by ASG, and signing should work OK.

Now, my emails to myself at Gmail get through with a 'DKIM-pass' in the header and have the correct DKIM-Signature, but ones to my Yahoo account are not going through!

When I send an email to 'dkim-test@testing.dkim.org', I get:
Quote:
testing.dkim.org; v=0.1; dkim=fail, header.i=@mediasoftusa.com (
Err: body altered; RSA-64 err: hdrdiffs=none; bodyvfy=no; me
diasoftusa.com/dkim fail; );

How can this be?
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
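
Added example (not part of the post above, and not the reflector's or Astaro's code): what a "body altered" / bodyvfy=no verdict checks. The verifier recomputes the bh= body hash over the canonicalized body it received and compares it with the signed value. The sketch implements relaxed body canonicalization with SHA-256 as in the c=relaxed/relaxed, a=rsa-sha256 signature quoted in the first post. The sample bodies and the appended footer are constructed, and the thread does not establish what caused the failure reported above.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """Relaxed body canonicalization as defined for DKIM (RFC 6376, 3.4.4)."""
    out = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of whitespace
        out.append(line.rstrip(b" "))           # drop whitespace at end of line
    while out and out[-1] == b"":               # drop empty lines at end of body
        out.pop()
    return b"".join(line + b"\r\n" for line in out)

def body_hash(body: bytes) -> str:
    """bh= value for a=rsa-sha256 with relaxed body canonicalization (no l= tag)."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def body_intact(signed_bh: str, received_body: bytes) -> bool:
    """True when the received body still matches the bh= value that was signed."""
    return body_hash(received_body) == signed_bh

# Constructed sample bodies.
SIGNED_BODY = b"Hello  world \r\nsecond\tline\r\n\r\n"
# Whitespace-only changes in transit are absorbed by relaxed canonicalization.
REWRAPPED_BODY = b"Hello world\r\nsecond line\r\n"
# Any text added after signing, e.g. a footer appended by a later hop, is not.
FOOTER_BODY = SIGNED_BODY + b"-- \r\nConstructed footer line\r\n"

def demo():
    bh = body_hash(SIGNED_BODY)
    return body_intact(bh, REWRAPPED_BODY), body_intact(bh, FOOTER_BODY)
```

When chasing this verdict, compare the body as it leaves the signing hop with the body the verifier received; any hop that rewrites content after the signature is applied changes the hash.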
  #10 (permalink)  
Old 09-15-2008, 06:13 PM
BAlfson's Avatar
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,385
Default

I found another reflector, and it passes me:

check-auth@verifier.port25.com

It's better than the one at dkim.org.


I'm still not able to send email to my Yahoo address.
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Last edited by BAlfson; 09-15-2008 at 06:26 PM.
 
