Koozali.org formerly Contribs.org

DomainKey does not pass

DomainKey does not pass
« on: February 26, 2014, 04:26:46 PM »
Hi,

I have a SME Server installation on a public IP, without an ISP in front of me.

I am trying to set up SPF, DomainKey, DKIM and DMARC.

Everything seems to be working except DomainKey. If I have understood correctly, domainkey is a deprecated version of DKIM, but some servers still use it.

These are the relevant DNS entries:

Code: [Select]
# host -t TXT "nullstack.eu"
nullstack.eu descriptive text "v=spf1 a mx -all"
# host -t TXT "_domainkey.nullstack.eu"
_domainkey.nullstack.eu descriptive text "o=-\; r=postmaster@nullstack.eu"
# host -t TXT "default._domainkey.nullstack.eu"
default._domainkey.nullstack.eu descriptive text "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKm/88Xo1cqgEapGFOzjS8EvUh9/drZTswetqryMI9jUXODjvT+V9YU7PkpgK1YQJDc4KoyFNVdis7DtdmH4Q8O00Bg0SvwX82Dn/pHmxABldnTy5XQNCsHTqQ1xYcveVgduyOCLxOo3wrSeYKRN5lYG2cFBZ/xw6R5ZhPwT0ZjwIDAQAB"
# host -t TXT "_dmarc.nullstack.eu"
_dmarc.nullstack.eu descriptive text "v=DMARC1\; p=reject\; rua=mailto:postmaster@nullstack.eu"

This is the response from pythentic@had-pilot.biz

Code: [Select]


2014/02/26 09:50:20 :Your DMARC record for   '_dmarc.nullstack.eu'   is   'v=DMARC1; p=reject; rua=mailto:postmaster@nullstack.eu' 

Here are the results of the message from stef@nullstack.eu
received on Wed Feb 26 09:50:02 2014 with Subject dmarc

The message was: Delivered
The SPF result was: pass
The DKIM result was: True

**********************************************************
Enter your email address and this hash stringin the Review My Results link for message header analysis of results: address=stef@nullstack.eu  hash=MF91PZeQU3nf2py1JyjU

**********************************************************
Full Record

Id[15]: 
SPF result: pass
DKIM result: True
Alignment result: Pass
Feedback: RecordType
Delivery Result: Pass
Source IP: 188.164.128.61
User Agent: Pythentic
Version: 1
Recipient: had-pilot.biz
Arrival Date: Wed Feb 26 09:50:02 2014
From: stef@nullstack.eu
DKIM Signature: v=1; a=rsa-sha1; c=relaxed; d=nullstack.eu; h=received:from:subject:date:message-id; s=default; bh=uaKcey34TfR3MDx+lwcxx6mWfSo=; b=lpe/A00pInaGVFp0O3iPj8XlCoPPIjUBAcUyH3+mdCE8CUndQFbyJ8puHVW9EL1I4igTp/WuPcRf8eAJAgozTaP4jpwcl18QRYblkFBu3qLVdDHIXz+gXsz94Saa2+77nnKaDbBKge3/0bk01+i7cdO0wjrephyUQsgFJL1VwgQ=
Subject: dmarc
Reported: 0
SPFReason: sender SPF authorized
DKIMReason: Good DKIM Signature.
DMARCReason: Message authenticated.
Message: Received: (qmail 9922 invoked by uid 453); 26 Feb 2014 14:49:56 -0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=nullstack.eu; h=received:from:subject:date:message-id; s=default; bh=uaKcey34TfR3MDx+lwcxx6mWfSo=; b=lpe/A00pInaGVFp0O3iPj8XlCoPPIjUBAcUyH3+mdCE8CUndQFbyJ8puHVW9EL1I4igTp/WuPcRf8eAJAgozTaP4jpwcl18QRYblkFBu3qLVdDHIXz+gXsz94Saa2+77nnKaDbBKge3/0bk01+i7cdO0wjrephyUQsgFJL1VwgQ=
Received: from Unknown (HELO [192.168.2.6]) (195.251.66.196)
  (smtp-auth username stef, mechanism plain)
  by nullstack.eu (qpsmtpd/0.84) with (AES256-SHA encrypted) ESMTPSA; Wed, 26 Feb 2014 15:49:56 +0100
Message-ID: <530DFF0C.1070704@nullstack.eu>
Date: Wed, 26 Feb 2014 16:49:48 +0200
From: Stefanos Kalantzis <stef@nullstack.eu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: pythentic@had-pilot.biz
Subject: dmarc
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on nullstack.eu
X-dkim: d=nullstack.eu,s=default,DKIMReason=Good DKIM Signature.
X-spf: i=188.164.128.61,h=nullstack.eu.,s=stef@nullstack.eu,SPFResult=pass

aaaa
 

And this is the response from check-auth@verifier.port25.com

Code: [Select]


This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com.  The service allows email senders to perform
a simple check of various sender authentication mechanisms.  It is provided
free of charge, in the hope that it is useful to the email community.  While
it is not officially supported, we welcome any feedback you may have at
<verifier-feedback@port25.com>.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  nullstack.eu
Source IP:      188.164.128.61
mail-from:      stef@nullstack.eu

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: smtp.mailfrom=stef@nullstack.eu
DNS record(s):
    nullstack.eu. 10800 IN SPF "v=spf1 a mx -all"
    nullstack.eu. 10800 IN A 188.164.128.61

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=stef@nullstack.eu
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: stef@nullstack.eu)
ID(s) verified: header.d=nullstack.eu
Canonicalized Headers:
    received:from'20'Unknown'20'(HELO'20'[192.168.2.6])'20'(195.251.66.196)'20'(smtp-auth'20'username'20'stef,'20'mechanism'20'plain)'20'by'20'nullstack.eu'20'(qpsmtpd/0.84)'20'with'20'(AES256-SHA'20'encrypted)'20'ESMTPSA;'20'Wed,'20'26'20'Feb'20'2014'20'15:54:42'20'+0100'0D''0A'
    from:Stefanos'20'Kalantzis'20'<stef@nullstack.eu>'0D''0A'
    subject:test'0D''0A'
    date:Wed,'20'26'20'Feb'20'2014'20'16:54:34'20'+0200'0D''0A'
    message-id:<530E002A.7080807@nullstack.eu>'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha1;'20'c=relaxed;'20'd=nullstack.eu;'20'h=received:from:subject:date:message-id;'20's=default;'20'bh=uaKcey34TfR3MDx+lwcxx6mWfSo=;'20'b=

Canonicalized Body:
    aaaa'0D''0A'
   

DNS record(s):
    default._domainkey.nullstack.eu. 10800 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKm/88Xo1cqgEapGFOzjS8EvUh9/drZTswetqryMI9jUXODjvT+V9YU7PkpgK1YQJDc4KoyFNVdis7DtdmH4Q8O00Bg0SvwX82Dn/pHmxABldnTy5XQNCsHTqQ1xYcveVgduyOCLxOo3wrSeYKRN5lYG2cFBZ/xw6R5ZhPwT0ZjwIDAQAB"

Public key used for verification: default._domainkey.nullstack.eu (1024 bits)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: header.From=stef@nullstack.eu
DNS record(s):
    nullstack.eu. 10800 IN SPF "v=spf1 a mx -all"
    nullstack.eu. 10800 IN A 188.164.128.61

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.3.1 (2010-03-16)

Result:         ham  (-2.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 1.0 BODY_URI_ONLY          Message body is only a URI in one line of text or for
                            an image

==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================

SPF and Sender-ID Results
=========================

"none"
      No policy records were published at the sender's DNS domain.

"neutral"
      The sender's ADMD has asserted that it cannot or does not
      want to assert whether or not the sending IP address is authorized
      to send mail using the sender's DNS domain.

"pass"
      The client is authorized by the sender's ADMD to inject or
      relay mail on behalf of the sender's DNS domain.

"policy"
     The client is authorized to inject or relay mail on behalf
      of the sender's DNS domain according to the authentication
      method's algorithm, but local policy dictates that the result is
      unacceptable.

"fail"
      This client is explicitly not authorized to inject or
      relay mail using the sender's DNS domain.

"softfail"
      The sender's ADMD believes the client was not authorized
      to inject or relay mail using the sender's DNS domain, but is
      unwilling to make a strong assertion to that effect.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability to
      retrieve a policy record from DNS.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being absent or
      a syntax error in a retrieved DNS TXT record.  A later attempt is
      unlikely to produce a final result.


DKIM and DomainKeys Results
===========================

"none"
      The message was not signed.

"pass"
      The message was signed, the signature or signatures were
      acceptable to the verifier, and the signature(s) passed
      verification tests.

"fail"
      The message was signed and the signature or signatures were
      acceptable to the verifier, but they failed the verification
      test(s).

"policy"
      The message was signed but the signature or signatures were
      not acceptable to the verifier.

"neutral"
      The message was signed but the signature or signatures
      contained syntax errors or were not otherwise able to be
      processed.  This result SHOULD also be used for other
      failures not covered elsewhere in this list.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability
      to retrieve a public key.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being
      absent. A later attempt is unlikely to produce a final result.


==========================================================
Original Email
==========================================================

Return-Path: <stef@nullstack.eu>
Received: from nullstack.eu (188.164.128.61) by verifier.port25.com id h1o03i11u9c2 for <check-auth@verifier.port25.com>; Wed, 26 Feb 2014 09:54:49 -0500 (envelope-from <stef@nullstack.eu>)
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=stef@nullstack.eu
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=stef@nullstack.eu
Authentication-Results: verifier.port25.com; dkim=pass (matches From: stef@nullstack.eu) header.d=nullstack.eu
Authentication-Results: verifier.port25.com; sender-id=pass header.From=stef@nullstack.eu
Received: (qmail 9998 invoked by uid 453); 26 Feb 2014 14:54:42 -0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=nullstack.eu; h=received:from:subject:date:message-id; s=default; bh=uaKcey34TfR3MDx+lwcxx6mWfSo=; b=fewKznJaD9rQq9+71OwTRLhfaMQZeI+kuAFpZ9ZGNg2baNTozflX2orL6oBUyj61WnWHwqRPPRpzLBsArAYTlkgTp8blhtaxX8kwBEuBP2JB6rE+u77LNUwox947X7RBzhuBHvuT3gWuRiGYiqPEe8tKiy9eHC+6kC9omO8dnSA=
Received: from Unknown (HELO [192.168.2.6]) (195.251.66.196)
  (smtp-auth username stef, mechanism plain)
  by nullstack.eu (qpsmtpd/0.84) with (AES256-SHA encrypted) ESMTPSA; Wed, 26 Feb 2014 15:54:42 +0100
Message-ID: <530E002A.7080807@nullstack.eu>
Date: Wed, 26 Feb 2014 16:54:34 +0200
From: Stefanos Kalantzis <stef@nullstack.eu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: check-auth@verifier.port25.com
Subject: test
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on nullstack.eu

aaaa


As you can see the results from check-auth@verifier.port25.com, the part for domain key says
"neutral (message not signed)"

I have followed this guide: http://wiki.contribs.org/Email#Domain_Authentication

I know that the question it is not 100% relevant to SME Server, but I will appreciate any help..

Thanks in advance!

Re: DomainKey does not pass
« Reply #1 on: February 27, 2014, 12:03:05 AM »
Moving to Contribs section of the Forums where it is more appropriate.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

Offline Franco

  • *
  • 1,171
    • http://contribs.org
Re: DomainKey does not pass
« Reply #2 on: February 28, 2014, 03:36:28 PM »
Hi,
this piece:
Code: [Select]
mkdir --parent /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "dkim_sign keys dkim">/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign
signal-event email-update

finally propagate your public key "dkim.public" content (<key text>) your DNS, check with your DNS server / registrar default._domainkey.domain.ext IN TXT "k=rsa; p=<key text>; t=y" if you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only.

    keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both"
    dk_method : for domainkey method , default "nofws"
    selector : the selector you want, default "default"
    algorithm : algorithm for DKIM signing, default "rsa-sha1"
    dkim_method : for DKIM, default "relaxed"

You need to define what to sign, so for domainkey it should be:
Code: [Select]
dkim_sign keysThe example show dkim signature only.

Hope it helps,

Re: DomainKey does not pass
« Reply #3 on: February 28, 2014, 04:44:57 PM »
Hi,

Thanks a lot for your reply !!

That's what happens if you stop reading at the last code block...

So I fixed it, and I sent again to check-auth@verifier.port25.com

I got a fail. It's progress though !

Code: [Select]
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         fail (bad signature)
ID(s) verified: header.From=stef@nullstack.eu
DNS record(s):
    default._domainkey.nullstack.eu. 10800 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKm/88Xo1cqgEapGFOzjS8EvUh9/drZTswetqryMI9jUXODjvT+V9YU7PkpgK1YQJDc4KoyFNVdis7DtdmH4Q8O00Bg0SvwX82Dn/pHmxABldnTy5XQNCsHTqQ1xYcveVgduyOCLxOo3wrSeYKRN5lYG2cFBZ/xw6R5ZhPwT0ZjwIDAQAB"

Any ideas ?

Re: DomainKey does not pass
« Reply #4 on: March 01, 2014, 07:55:53 PM »
I have some more information on this, via mailtest@unlocktheinbox.com

Seems like qmail is doing something wrong in both DKIM and DomainKeys

DKIM



DomainKeys



This is the full report from them:
Code: [Select]
Publication: RFC 822
Header Information
Name Value
return-path <stef@nullstack.eu>
received from nullstack.eu (nullstack.eu [192.165.67.62]) by mail.unlocktheinbox.com with SMTP; Sat, 1 Mar 2014 13:36:40 -0500
received (qmail 4187 invoked by uid 453); 1 Mar 2014 18:36:39 -0000
dkim-signature v=1; a=rsa-sha1; c=relaxed; d=nullstack.eu; h=received:from:subject:date:message-id; s=default; bh=ayrwFPadp4F3z/QXtjGze4JrOL0=; b=TSqRlUtSroUorhcwJGR7Io/AbNL3o+WqaYLyCowj0WioWgA6KPJka/hJyCsfNJWaDMobrYG8QoRoxILqw5K4pjVHGowPhhTOloomQW/77wqpL7ScI1jOxUyNCzzAVGunV1lDQDafAijVGzYRbuOgtA2S0eXcL++jFCbv1lUY0bs=
domainkey-signature a=rsa-sha1; c=nofws; d=nullstack.eu; h=received:from:subject:date:message-id; q=dns; s=default; b=Q7PrdhTR3JZCMjAUAqSPHlHlafil4hi+XVTSXQ+akeb07TJxZZbinrmq4JX3ZSOtroDRTm3XxAJzPJ6h++ItIYNRsRx61KcZPl9l7YTwvMZSmA8oWRkViQ597ozCEFWR0BdKnKKnhjpVcXe5ajD/gsWQdInlKuPXW405VO9FsFk=
received from ppp005054123032.access.hol.gr (HELO [192.168.178.2]) (5.54.123.32) (smtp-auth username stef, mechanism plain) by nullstack.eu (qpsmtpd/0.84) with (AES128-SHA encrypted) ESMTPSA; Sat, 01 Mar 2014 19:36:39 +0100
message-id <531228B5.2010109@nullstack.eu>
date Sat, 01 Mar 2014 20:36:37 +0200
from Stefanos Kalantzis <stef@nullstack.eu>
user-agent Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
mime-version 1.0
to mailtest@unlocktheinbox.com
subject aaaa
content-type text/plain; charset=ISO-8859-1; format=flowed
content-transfer-encoding 7bit
x-virus-checked Checked by ClamAV on nullstack.eu

Authoritative DNS Server (SOA) Check for: nullstack.eu
SOA Server Results
a.dns.gandi.net Passed

MX Records
Pref Value Blacklists
10 nullstack.eu Check for Blacklists

Information: PTR Records
rDNS PTR Records
Type Mail Domain ARPA Record Results
MX nullstack.eu [192.165.67.62] 62.67.165.192.in-addr.arpa. Passed
LSIP nullstack.eu [192.165.67.62] 62.67.165.192.in-addr.arpa. Passed

Mail Flow
Mail Domain IP Address
nullstack.eu 192.165.67.62
Unknown Unknown
HELO 192.168.178.2

Email Port Checks for: nullstack.eu
Protocol Results
SMTP (Port 25): Connection Established
- Extensions: PIPELINING, 8BITMIME, SIZE, STARTTLS
- SSL Hostname: www.nullstack.eu
- SSL Subject: E=postmaster@nullstack.eu, CN=www.nullstack.eu, C=GR
- SSL Issuer: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
- SSL Valid: Certificate is Valid
- SSL Key Size: 4096
 
SMTP SSL (Port 465): Connection Established
- Extensions: PIPELINING, 8BITMIME, SIZE, AUTH
- SSL Hostname: www.nullstack.eu
- SSL Subject: E=postmaster@nullstack.eu, CN=www.nullstack.eu, C=GR
- SSL Issuer: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
- SSL Valid: Certificate is Valid
- SSL Key Size: 4096
 
POP3 (Port 110): Unable to Establish Connection
 
POP3 SSL (Port 995): Unable to Establish Connection
 
IMAP (Port 143): Unable to Establish Connection
 
IMAP SSL (Port 993): Connection Established
- Extensions: IMAP4rev1, AUTH, IMAP4rev1, SASL-IR, SORT, AUTH, MULTIAPPEND, UNSELECT, LITERAL+, IDLE, CHILDREN, NAMESPACE, LOGIN-REFERRALS
- SSL Hostname: www.nullstack.eu
- SSL Subject: E=postmaster@nullstack.eu, CN=www.nullstack.eu, C=GR
- SSL Issuer: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
- SSL Valid: Certificate is Valid
- SSL Key Size: 4096

Publication: RFC 4408
SPF Records
SPF Check: Passed
SPF DNS Location: Click Here: nullstack.eu
SPF Record in TXT (TYPE 16): v=spf1 mx -all
(TYPE 16) Syntax: Passed
SPF Record in SPF (TYPE 99): v=spf1 mx -all
(TYPE 99) Syntax: Passed
SPF/TXT Match: Passed

Information: Identifier Alignments
SPF Alignment Test (Used in DMARC ASPF Test)
Mail From/Return Path Domain: nullstack.eu
From Domain: nullstack.eu
SPF Identifier Alignment: Strict

Publication: RFC 4406
Sender ID
Sender ID Check: Passed
Sender ID Record: Uses SPF implementation above

Publication: RFC 4870
Domain Keys Additional Information (Obsolete)
Tag Value
Key Algorithm: a=rsa-sha1
Canonicalization: c=nofws
Domain Name: d=nullstack.eu
Signed Headers: h=received:from:subject:date:message-id
Query Method: q=dns
Selector: s=default
Signature Data: b=Q7PrdhTR3JZCMjAUAqSPHlHlafil4hi+XVTSXQ+akeb07TJxZZbinrmq4JX3ZSOtroDRTm3XxAJzPJ6h++ItIYNRsRx61KcZPl9l7YTwvMZSmA8oWRkViQ597ozCEFWR0BdKnKKnhjpVcXe5ajD/gsWQdInlKuPXW405VO9FsFk=

Domain Keys Check (Obsolete)
Signature Found: Yes
SM Signature Verification: Failed - Bad Signature
From Signed: Yes
Restricted Headers Signed: Yes - Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc, DKIM-Signature should not be signed.

Public Domain Key (Obsolete)
Selector Location: Click Here: default._domainkey.nullstack.eu
DNS Record Found: Yes
Record Syntax: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxxV7JrJpheP7Yp4AtLlD4fS/qGiBdDZv3EiGbcEVZfWjqHRBrETXsGkE7vrhu3rZJ/d2MC3drxd+mKRUplgyBTvCZR/32m1K/LpQEjorLd7mtw4ogev+Jiw8xnfTgqh3z0S+7kTNphQ14YdqFYsisKr1VEFBDgZefIxXm71n/qwIDAQAB
Key Size: 1024

Publication: RFC 6376
DKIM Signature Additional Information
Tag Value
Version: v=1
Key Algorithm: a=rsa-sha1
Canonicalization: c=relaxed
Domain Name: d=nullstack.eu
Signed Headers: h=received:from:subject:date:message-id
Selector: s=default
Body Hash: bh=ayrwFPadp4F3z/QXtjGze4JrOL0=
Signature Data: b=TSqRlUtSroUorhcwJGR7Io/AbNL3o+WqaYLyCowj0WioWgA6KPJka/hJyCsfNJWaDMobrYG8QoRoxILqw5K4pjVHGowPhhTOloomQW/77wqpL7ScI1jOxUyNCzzAVGunV1lDQDafAijVGzYRbuOgtA2S0eXcL++jFCbv1lUY0bs=

Publication: RFC 6376
DKIM Check
Signature Found: Yes
SM Sig Verification: Passed
LL Sig Verification: Passed
From Signed: Yes
Restricted Headers Signed: Yes - Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc, DKIM-Signature should not be signed.

Public DKIM Key
Selector Location: Click Here: default._domainkey.nullstack.eu
DNS Record Found: Yes
Record Syntax: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxxV7JrJpheP7Yp4AtLlD4fS/qGiBdDZv3EiGbcEVZfWjqHRBrETXsGkE7vrhu3rZJ/d2MC3drxd+mKRUplgyBTvCZR/32m1K/LpQEjorLd7mtw4ogev+Jiw8xnfTgqh3z0S+7kTNphQ14YdqFYsisKr1VEFBDgZefIxXm71n/qwIDAQAB
Key Size: 1024 bits

Information: Identifier Alignments
DKIM Alignment Test (Used in DMARC ADKIM Test)
DKIM d= Tag: nullstack.eu
From Domain: nullstack.eu
DKIM Identifier Alignment: Strict

Draft Publication: DMARC Base-00-02
DMARC Check
Record Syntax: Passed
DKIM Test: Passed
SPF Test: Passed
ADKIM Test: Passed
ASPF Test: Passed
RUA Test: Passed
RUF Test: Passed
DMARC Passed: Yes
DMARC Record Location: Click Here: _dmarc.nullstack.eu
DMARC Record: v=DMARC1; p=reject; rua=mailto:postmaster@nullstack.eu

Publication: RFC 5617
ADSP (Author Domain Signing Policy) Check
ADSP Record: Not Found - Learn how to set up your ADSP record by clicking here: ADSP Record
ADSP Record Syntax: Not Found

Publication: RFC 822 (6.3), RFC 1123 (5.2.7), RFC 2821 (4.5.1)
Acceptance of Postmaster Address
postmaster@nullstack.eu Passed

Acceptance of Abuse Address
abuse@nullstack.eu Passed

Spam Assassian Results
Content analysis details: (You scored -3.1 points, 5.0 or higher is considered to be spam)

Pts Rule Name Description
-1.2 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

In both DKIM and DomainKeys sections, it is mentioned that the specified headers should not be signed.
The domainkey-signature header of the email states, h=received:from:subject:date:message-id;

So it signs the received header that should not be signed.

Is the responsible functionality of qmail developed externally of the qmail package?

yum says:
Version    : 1.03
Release    : 17.el5.sme

From what I can see in qmail.org the latest version is indeed 1.03, except from a netqmail package that has a version of 1.06.
But the changes between the two, as stated in qmail.org, have nothing to do with domainkeys/dkim.

Should I report a bug in sme server ?

Re: DomainKey does not pass
« Reply #5 on: March 02, 2014, 02:36:16 AM »
Seems like qmail is doing something wrong in both DKIM and DomainKeys

qmail doesn't implement dkim or DomainKeys. So I'm not sure why you think qmail is implicated.

Quote
Should I report a bug in sme server ?

If you have evidence of a bug in SME server software. But since SME server does not implement DKIM or DomainKeys I'm not sure what there would be to fix.

Re: DomainKey does not pass
« Reply #6 on: March 02, 2014, 02:40:03 AM »
Is the responsible functionality of qmail developed externally of the qmail package?

I''m not quite sure what you are asking here. I think you are asking whether the DKIM feature you are trying to use is implemented outside of qmail. They answer to that is "yes" - you are using a plugin add-on module of qpsmtpd.

Re: DomainKey does not pass
« Reply #7 on: March 02, 2014, 11:15:09 PM »
I found the qmail plugin that does the DKIM/DomainKeys signing.
It was installed by default with SME Server. I didn't add it.

It's this file: /usr/share/qpsmtpd/plugins/dkim_sign

In my last post I had two screenshots from the report of mailtest@unlocktheinbox.com showing the errors.
I found and fixed the bug about the invalid signed headers.
It's a very small patch. I uploaded it here: https://mega.co.nz/#!tlBQHJCY!MNgqcHRaBMZWrshAPlM7_G78575pHFOxawMqEC6ovgo

So the new report is like this for DKIM:


and for DomainKeys:


Still the other error in DomainKeys about the Bad Signature is there.
I don't know how to fix that.

So where should I report the two bugs for that specific file (/usr/share/qpsmtpd/plugins/dkim_sign) ?

Offline janet

  • ****
  • 4,812
Re: DomainKey does not pass
« Reply #8 on: March 02, 2014, 11:38:32 PM »
Kiidlike

You seem to be overlooking or misreading what has been said to you.

qmail IS NOT INVOLVED

qpsmtpd IS INVOLVED
The plugin being used is for qpsmtpd, even the location you refer to says .../qpsmtpd/...

Quote
It's this file: /usr/share/qpsmtpd/plugins/dkim_sign

qmail & qpsmtpd ARE DIFFERENT THINGS, google them !

Please report a bug against the qpsmtpd plugin, using the Bugs link at top of forum
Register using a valid email address as your user name/ID, because your forum user account does not work at Bugzilla
Please report your findings there in detail, do not simply link to tbis thread

Remember one bug report for one error or problem, so you should create 2 bugs for the 2 issues you mention for qpsmtpd plugin, not for qmail.

Quote
So where should I report the two bugs for that specific file (/usr/share/qpsmtpd/plugins/dkim_sign) ?
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Re: DomainKey does not pass
« Reply #9 on: March 02, 2014, 11:41:07 PM »
wow.. though qpsmtpd was related to qmail !

Offline janet

  • ****
  • 4,812
Re: DomainKey does not pass
« Reply #10 on: March 03, 2014, 01:43:05 AM »
Kidlike

Related maybe in usage, but qmail is an MTA & qpsmtpd is a smtpd daemon with plugins for versatility. They are involved in different stages of mail processing
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Re: DomainKey does not pass
« Reply #11 on: March 03, 2014, 01:43:51 AM »
It's a very small patch. I uploaded it here: https://mega.co.nz/#!tlBQHJCY!MNgqcHRaBMZWrshAPlM7_G78575pHFOxawMqEC6ovgo

Please attach it to a bug report in the bug tracker. Who knows when mega.co.nz will disappear or delete that file.

Re: DomainKey does not pass
« Reply #12 on: March 03, 2014, 01:46:23 AM »

Re: DomainKey does not pass
« Reply #13 on: March 03, 2014, 01:46:47 AM »
Related maybe in usage, but qmail is an MTA & qpsmtpd is a smtpd daemon with plugins for versatility. They are involved in different stages of mail processing

More specifically, SME server users qmail to deliver mail to local and remote users, and uses qpsmtpd to receive mail via the network.