I have some more information on this, via mailtest@unlocktheinbox.com.
Seems like qmail is doing something wrong in both DKIM and DomainKeys.
DKIM
DomainKeys
This is the full report from them:
Publication: RFC 822
Header Information
Name Value
return-path <kid@mydomain.com>
received from mydomain.com (mydomain.com [192.165.67.62]) by mail.unlocktheinbox.com with SMTP; Sat, 1 Mar 2014 13:36:40 -0500
received (qmail 4187 invoked by uid 453); 1 Mar 2014 18:36:39 -0000
dkim-signature v=1; a=rsa-sha1; c=relaxed; d=mydomain.com; h=received:from:subject:date:message-id; s=default; bh=ayrwFPadp4F3z/QXtjGze4JrOL0=; b=TSqRlUtSroUorhcwJGR7Io/AbNL3o+WqaYLyCowj0WioWgA6KPJka/hJyCsfNJWaDMobrYG8QoRoxILqw5K4pjVHGowPhhTOloomQW/77wqpL7ScI1jOxUyNCzzAVGunV1lDQDafAijVGzYRbuOgtA2S0eXcL++jFCbv1lUY0bs=
domainkey-signature a=rsa-sha1; c=nofws; d=mydomain.com; h=received:from:subject:date:message-id; q=dns; s=default; b=Q7PrdhTR3JZCMjAUAqSPHlHlafil4hi+XVTSXQ+akeb07TJxZZbinrmq4JX3ZSOtroDRTm3XxAJzPJ6h++ItIYNRsRx61KcZPl9l7YTwvMZSmA8oWRkViQ597ozCEFWR0BdKnKKnhjpVcXe5ajD/gsWQdInlKuPXW405VO9FsFk=
received from ppp005054123032.access.hol.gr (HELO [192.168.178.2]) (5.54.123.32) (smtp-auth username kid, mechanism plain) by mydomain.com (qpsmtpd/0.84) with (AES128-SHA encrypted) ESMTPSA; Sat, 01 Mar 2014 19:36:39 +0100
message-id <531228B5.2010109@mydomain.com>
date Sat, 01 Mar 2014 20:36:37 +0200
from kidanos Kalantzis <kid@mydomain.com>
user-agent Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
mime-version 1.0
to mailtest@unlocktheinbox.com
subject aaaa
content-type text/plain; charset=ISO-8859-1; format=flowed
content-transfer-encoding 7bit
x-virus-checked Checked by ClamAV on mydomain.com
Authoritative DNS Server (SOA) Check for: mydomain.com
SOA Server Results
a.dns.gandi.net Passed
MX Records
Pref Value Blacklists
10 mydomain.com Check for Blacklists
Information: PTR Records
rDNS PTR Records
Type Mail Domain ARPA Record Results
MX mydomain.com [192.165.67.62] 62.67.165.192.in-addr.arpa. Passed
LSIP mydomain.com [192.165.67.62] 62.67.165.192.in-addr.arpa. Passed
Mail Flow
Mail Domain IP Address
mydomain.com 192.165.67.62
Unknown Unknown
HELO 192.168.178.2
Email Port Checks for: mydomain.com
Protocol Results
SMTP (Port 25): Connection Established
- Extensions: PIPELINING, 8BITMIME, SIZE, STARTTLS
- SSL Hostname: www.mydomain.com
- SSL Subject: E=postmaster@mydomain.com, CN=www.mydomain.com, C=GR
- SSL Issuer: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
- SSL Valid: Certificate is Valid
- SSL Key Size: 4096
SMTP SSL (Port 465): Connection Established
- Extensions: PIPELINING, 8BITMIME, SIZE, AUTH
- SSL Hostname: www.mydomain.com
- SSL Subject: E=postmaster@mydomain.com, CN=www.mydomain.com, C=GR
- SSL Issuer: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
- SSL Valid: Certificate is Valid
- SSL Key Size: 4096
POP3 (Port 110): Unable to Establish Connection
POP3 SSL (Port 995): Unable to Establish Connection
IMAP (Port 143): Unable to Establish Connection
IMAP SSL (Port 993): Connection Established
- Extensions: IMAP4rev1, AUTH, IMAP4rev1, SASL-IR, SORT, AUTH, MULTIAPPEND, UNSELECT, LITERAL+, IDLE, CHILDREN, NAMESPACE, LOGIN-REFERRALS
- SSL Hostname: www.mydomain.com
- SSL Subject: E=postmaster@mydomain.com, CN=www.mydomain.com, C=GR
- SSL Issuer: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
- SSL Valid: Certificate is Valid
- SSL Key Size: 4096
Publication: RFC 4408
SPF Records
SPF Check: Passed
SPF DNS Location: Click Here: mydomain.com
SPF Record in TXT (TYPE 16): v=spf1 mx -all
(TYPE 16) Syntax: Passed
SPF Record in SPF (TYPE 99): v=spf1 mx -all
(TYPE 99) Syntax: Passed
SPF/TXT Match: Passed
Information: Identifier Alignments
SPF Alignment Test (Used in DMARC ASPF Test)
Mail From/Return Path Domain: mydomain.com
From Domain: mydomain.com
SPF Identifier Alignment: Strict
Publication: RFC 4406
Sender ID
Sender ID Check: Passed
Sender ID Record: Uses SPF implementation above
Publication: RFC 4870
Domain Keys Additional Information (Obsolete)
Tag Value
Key Algorithm: a=rsa-sha1
Canonicalization: c=nofws
Domain Name: d=mydomain.com
Signed Headers: h=received:from:subject:date:message-id
Query Method: q=dns
Selector: s=default
Signature Data: b=Q7PrdhTR3JZCMjAUAqSPHlHlafil4hi+XVTSXQ+akeb07TJxZZbinrmq4JX3ZSOtroDRTm3XxAJzPJ6h++ItIYNRsRx61KcZPl9l7YTwvMZSmA8oWRkViQ597ozCEFWR0BdKnKKnhjpVcXe5ajD/gsWQdInlKuPXW405VO9FsFk=
Domain Keys Check (Obsolete)
Signature Found: Yes
SM Signature Verification: Failed - Bad Signature
From Signed: Yes
Restricted Headers Signed: Yes - Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc, DKIM-Signature should not be signed.
Public Domain Key (Obsolete)
Selector Location: Click Here: default._domainkey.mydomain.com
DNS Record Found: Yes
Record Syntax: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxxV7JrJpheP7Yp4AtLlD4fS/qGiBdDZv3EiGbcEVZfWjqHRBrETXsGkE7vrhu3rZJ/d2MC3drxd+mKRUplgyBTvCZR/32m1K/LpQEjorLd7mtw4ogev+Jiw8xnfTgqh3z0S+7kTNphQ14YdqFYsisKr1VEFBDgZefIxXm71n/qwIDAQAB
Key Size: 1024
Publication: RFC 6376
DKIM Signature Additional Information
Tag Value
Version: v=1
Key Algorithm: a=rsa-sha1
Canonicalization: c=relaxed
Domain Name: d=mydomain.com
Signed Headers: h=received:from:subject:date:message-id
Selector: s=default
Body Hash: bh=ayrwFPadp4F3z/QXtjGze4JrOL0=
Signature Data: b=TSqRlUtSroUorhcwJGR7Io/AbNL3o+WqaYLyCowj0WioWgA6KPJka/hJyCsfNJWaDMobrYG8QoRoxILqw5K4pjVHGowPhhTOloomQW/77wqpL7ScI1jOxUyNCzzAVGunV1lDQDafAijVGzYRbuOgtA2S0eXcL++jFCbv1lUY0bs=
Publication: RFC 6376
DKIM Check
Signature Found: Yes
SM Sig Verification: Passed
LL Sig Verification: Passed
From Signed: Yes
Restricted Headers Signed: Yes - Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc, DKIM-Signature should not be signed.
Public DKIM Key
Selector Location: Click Here: default._domainkey.mydomain.com
DNS Record Found: Yes
Record Syntax: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxxV7JrJpheP7Yp4AtLlD4fS/qGiBdDZv3EiGbcEVZfWjqHRBrETXsGkE7vrhu3rZJ/d2MC3drxd+mKRUplgyBTvCZR/32m1K/LpQEjorLd7mtw4ogev+Jiw8xnfTgqh3z0S+7kTNphQ14YdqFYsisKr1VEFBDgZefIxXm71n/qwIDAQAB
Key Size: 1024 bits
Information: Identifier Alignments
DKIM Alignment Test (Used in DMARC ADKIM Test)
DKIM d= Tag: mydomain.com
From Domain: mydomain.com
DKIM Identifier Alignment: Strict
Draft Publication: DMARC Base-00-02
DMARC Check
Record Syntax: Passed
DKIM Test: Passed
SPF Test: Passed
ADKIM Test: Passed
ASPF Test: Passed
RUA Test: Passed
RUF Test: Passed
DMARC Passed: Yes
DMARC Record Location: Click Here: _dmarc.mydomain.com
DMARC Record: v=DMARC1; p=reject; rua=mailto:postmaster@mydomain.com
Publication: RFC 5617
ADSP (Author Domain Signing Policy) Check
ADSP Record: Not Found - Learn how to set up your ADSP record by clicking here: ADSP Record
ADSP Record Syntax: Not Found
Publication: RFC 822 (6.3), RFC 1123 (5.2.7), RFC 2821 (4.5.1)
Acceptance of Postmaster Address
postmaster@mydomain.com Passed
Acceptance of Abuse Address
abuse@mydomain.com Passed
Spam Assassian Results
Content analysis details: (You scored -3.1 points, 5.0 or higher is considered to be spam)
Pts Rule Name Description
-1.2 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
In both DKIM and DomainKeys sections, it is mentioned that the specified headers should not be signed.
The domainkey-signature header of the email states, h=received:from:subject:date:message-id;
So it signs the received header that should not be signed.
Is the responsible functionality of qmail developed externally of the qmail package?
yum says:
Version : 1.03
Release : 17.el5.sme
From what I can see on qmail.org, the latest version is indeed 1.03, except for a netqmail package that has a version of 1.06.
But the changes between the two, as stated in qmail.org, have nothing to do with domainkeys/dkim.
Should I report a bug in SME Server?
EDIT: personal information redacted at the request of Author.
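
The check the post describes, comparing the headers named in each signature's h= tag against the report's restricted list, as an added example that is not part of the original post or of qmail/SME Server. The function names are hypothetical, and the bh=/b= values of the two signature headers are replaced by placeholders.

```python
# Restricted list exactly as quoted in the unlocktheinbox report above.
RESTRICTED = {"return-path", "received", "comments", "keywords",
              "bcc", "resent-bcc", "dkim-signature"}

def parse_tags(value):
    """Split a 'tag=value; tag=value' signature header into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        # Split on the first '=' only: base64 values may end in '='.
        name, _, val = part.partition("=")
        # Folding whitespace may appear inside a value; drop it.
        tags[name.strip().lower()] = "".join(val.split())
    return tags

def audit_signed_headers(value):
    """Report which signed headers (h=) are on the restricted list."""
    tags = parse_tags(value)
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    return {
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        "algorithm": tags.get("a"),
        "signed": signed,
        "restricted_signed": [h for h in signed if h in RESTRICTED],
        "from_signed": "from" in signed,
    }

# Header values from the report; bh=/b= shortened to placeholders.
SAMPLE = {
    "dkim-signature": "v=1; a=rsa-sha1; c=relaxed; d=mydomain.com; "
                      "h=received:from:subject:date:message-id; s=default; "
                      "bh=PLACEHOLDER; b=PLACEHOLDER",
    "domainkey-signature": "a=rsa-sha1; c=nofws; d=mydomain.com; "
                           "h=received:from:subject:date:message-id; "
                           "q=dns; s=default; b=PLACEHOLDER",
}

def audit_all(headers=SAMPLE):
    return {name: audit_signed_headers(v) for name, v in headers.items()}

if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, "restricted:", result["restricted_signed"],
              "from signed:", result["from_signed"])
```
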