Package: opendkim
Version: 2.6.8-4
Severity: important

Dear Maintainer,

I tried to test whether opendkim correctly reports DKIM failures in the Authentication-Results header. To do this, I sent a mail from gmail to myself. Since this is a valid email, the Authentication-Results header reported a valid mail (dkim=pass) with dkim-adsp=pass (which is strange, since there is no _adsp._domainkey.gmail.com DNS entry). The syslog also reported a valid mail:

Feb 16 17:09:44 infinity opendkim[3083]: 3fRtZJ47HVzQjQt: signature=ra964g/1 domain=gmail.com selector=20120113 result="no signature error"

After that I connected to my mail server by hand and copy&pasted my mail with some alterations. Since I altered the content and the Subject header, the resulting mail is invalid. In syslog, opendkim correctly reports:

Feb 16 17:37:42 infinity opendkim[3083]: 3fRv8v5C55zQjQt: signature=ra964g/1 domain=gmail.com selector=20120113 result="signature verification failed"
Feb 16 17:37:42 infinity opendkim[3083]: 3fRv8v5C55zQjQt: s=20120113 d=gmail.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signatur

But the Authentication-Results header contained dkim=pass again, this time with "dkim-adsp=none (insecure policy)".
I also tested both mails with opendkim-testmsg, which also reported the first mail as valid (no output; the manpage tells me that this happens when a mail is valid), and for the faked mail reported "opendkim-testmsg: dkim_eom(): Bad signature".

I would expect dkim=fail or something like that in the Authentication-Results header, or am I interpreting the dkim= field wrong?

Greetings
FH

Original mail:

Return-Path: <[email protected]>
Delivered-To: <[email protected]>
Received: from infinity.srv.4fh.eu
    by infinity.srv.4fh.eu (Dovecot) with LMTP id j00tCMniAFPKDgAAfXBrmw
    for <[email protected]>; Sun, 16 Feb 2014 17:09:45 +0100
Received: from mail-yk0-x243.google.com (mail-yk0-x243.google.com [IPv6:2607:f8b0:4002:c07::243])
    (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by infinity.srv.4fh.eu (Postfix) with ESMTPS id 3fRtZJ47HVzQjQt
    for <[email protected]>; Sun, 16 Feb 2014 17:09:44 +0100 (CET)
Authentication-Results: infinity.srv.4fh.eu/3fRtZJ47HVzQjQt;
    dkim=pass reason="2048-bit key; insecure key"
    header.d=gmail.com [email protected] header.b=ra964g/1;
    dkim-adsp=pass;
    dkim-atps=neutral
Received: by mail-yk0-f195.google.com with SMTP id 10so6685630ykt.2
    for <[email protected]>; Sun, 16 Feb 2014 08:09:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20120113;
    h=mime-version:date:message-id:subject:from:to:content-type;
    bh=BcsIVWGQ2DGJ4/7CSezIyHTugVbzAjqw9eNg6n6oUFk=;
    b=ra964g/1O7hDxph535Mm0QkPtJpDPnQepsi41WmFhYYyMmb7WtvwVmj0pl5S8ByDZT
     AnACkPjefQRtdeA5eKiVAejs0iBr66k+53IwWbaz8mL/xkdGr6xJjcju1zQvYBNma7hw
     tdHF9XEE16rPdKFpAPJFgfUDogu53riUpP2hj+CZbyLvj4wmE+KZIhod4CyXkwn/MIyI
     GcmXcLR6cBt0n1dEYTnC2s9qCQ4klhqaqd9LnM9BoNbKot0iRFtpSS2twalEzpOznPcc
     GbLi9I/BdNZjI9O9F8txtdwE0QzXKt1fNEZb9tsLayppIzuZNAatwuXV58mMZnMPuoT1
     hJ9Q==
MIME-Version: 1.0
X-Received: by 10.236.174.37 with SMTP id w25mr16413319yhl.36.1392566984552;
    Sun, 16 Feb 2014 08:09:44 -0800 (PST)
Received: by 10.170.46.216 with HTTP; Sun, 16 Feb 2014 08:09:44 -0800 (PST)
Date: Sun, 16 Feb 2014 17:09:44 +0100
Message-ID: <CAMOfJyhP0otv_m7gf+SnCKA-6bS7cj8Trc4Xc3wgXsLgcFX=i...@mail.gmail.com>
Subject: Test
From: "FH3095 ." <[email protected]>
To: [email protected]
Content-Type: multipart/alternative; boundary=20cf305b0ab470b60504f28844de

--20cf305b0ab470b60504f28844de
Content-Type: text/plain; charset=UTF-8

Test

--20cf305b0ab470b60504f28844de
Content-Type: text/html; charset=UTF-8

<div dir="ltr">Test<br><div><div style id="__af745f8f43-e961-4b88-8424-80b67790c964__"></div></div></div>

--20cf305b0ab470b60504f28844de--

Faked mail (altered Subject and content):

Return-Path: <[email protected]>
Delivered-To: <[email protected]>
Received: from infinity.srv.4fh.eu
    by infinity.srv.4fh.eu (Dovecot) with LMTP id bQhEHlbpAFN+GAAAfXBrmw
    for <[email protected]>; Sun, 16 Feb 2014 17:37:42 +0100
Received: from fh (p579DC1A8.dip0.t-ipconnect.de [87.157.193.168])
    by infinity.srv.4fh.eu (Postfix) with ESMTP id 3fRv8v5C55zQjQt
    for <[email protected]>; Sun, 16 Feb 2014 17:36:12 +0100 (CET)
Authentication-Results: infinity.srv.4fh.eu/3fRv8v5C55zQjQt;
    dkim=pass reason="2048-bit key; insecure key"
    header.d=gmail.com [email protected] header.b=ra964g/1;
    dkim-adsp=none (insecure policy);
    dkim-atps=neutral
Delivered-To: <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20120113;
    h=mime-version:date:message-id:subject:from:to:content-type;
    bh=BcsIVWGQ2DGJ4/7CSezIyHTugVbzAjqw9eNg6n6oUFk=;
    b=ra964g/1O7hDxph535Mm0QkPtJpDPnQepsi41WmFhYYyMmb7WtvwVmj0pl5S8ByDZT
     AnACkPjefQRtdeA5eKiVAejs0iBr66k+53IwWbaz8mL/xkdGr6xJjcju1zQvYBNma7hw
     tdHF9XEE16rPdKFpAPJFgfUDogu53riUpP2hj+CZbyLvj4wmE+KZIhod4CyXkwn/MIyI
     GcmXcLR6cBt0n1dEYTnC2s9qCQ4klhqaqd9LnM9BoNbKot0iRFtpSS2twalEzpOznPcc
     GbLi9I/BdNZjI9O9F8txtdwE0QzXKt1fNEZb9tsLayppIzuZNAatwuXV58mMZnMPuoT1
     hJ9Q==
MIME-Version: 1.0
X-Received: by 10.236.174.37 with SMTP id w25mr16413319yhl.36.1392566984552;
    Sun, 16 Feb 2014 08:09:44 -0800 (PST)
Received: by 10.170.46.216 with HTTP; Sun, 16 Feb 2014 08:09:44 -0800 (PST)
Date: Sun, 16 Feb 2014 17:09:44 +0100
Message-ID: <CAMOfJyhP0otv_m7gf+SnCKA-6bS7cj8Trc4Xc3wgXsLgcFX=i...@mail.gmail.com>
Subject: FakedMail
From: "FH3095 ." <[email protected]>
To: [email protected]
Content-Type: multipart/alternative; boundary=20cf305b0ab470b60504f28844de

--20cf305b0ab470b60504f28844de
Content-Type: text/plain; charset=UTF-8

FakedText in mail

--20cf305b0ab470b60504f28844de
Content-Type: text/html; charset=UTF-8

<div dir="ltr">Test<br><div><div style id="__af745f8f43-e961-4b88-8424-80b67790c964__"></div></div></div>

--20cf305b0ab470b60504f28844de--

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages opendkim depends on:
ii  adduser           3.113+nmu3
ii  libc6             2.13-38+deb7u1
ii  libdb5.1          5.1.29-5
ii  libldap-2.4-2     2.4.31-1+nmu2
ii  liblua5.1-0       5.1.5-4
ii  libmilter1.0.1    8.14.4-4
ii  libopendkim7      2.6.8-4
ii  libssl1.0.0       1.0.1e-2+deb7u4
ii  libunbound2       1.4.17-3
ii  libvbr2           2.6.8-4
ii  lsb-base          4.1+Debian8+deb7u1

opendkim recommends no packages.

Versions of packages opendkim suggests:
ii  opendkim-tools    2.6.8-4

-- Configuration Files:
/etc/default/opendkim changed:
DAEMON_OPTS="-x /etc/opendkim/opendkim.conf -u postfix"
SOCKET="local:/var/spool/postfix/private/opendkim"

/etc/opendkim.conf [Errno 2] No such file or directory: u'/etc/opendkim.conf'

-- no debconf information

*** /etc/opendkim/opendkim.conf
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
LogResults yes
#LogWhy yes

#Generate statistics
Statistics /var/log/dkim-stats

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007

#Set basedir for file references
BaseDirectory /etc/opendkim
#Temp-Dir
TemporaryDirectory /tmp

#Auto-Restart on
AutoRestart yes
#How often should I try to restart in a given time (10 in 10 minutes)
#(the rate belongs to AutoRestartRate, not AutoRestart, which is a boolean)
AutoRestartRate 10/10m

#We (S)ign and (V)erify
Mode sv

#Verification:
#Discard messages when the domain enforces signing (it's up to them to decide, so when they set
#discardable, do them a favor and discard that message)
ADSPAction discard
#Don't throw away signed mails when the domain doesn't contain an ADSP record
ADSPNoSuchDomain no
#Tolerance for signature generation times (15min)
ClockDrift 900
#Always add authentication-results header
AlwaysAddARHeader yes
#Add the id of the job to the authentication-results header
AuthservIDWithJobID yes
#Old DomainKey-Signatures are OK
DomainKeysCompat yes
#Use DKIM-Reputation (calculates something like a "score" for dkim-messages) (currently not enabled on debian)
#DKIMReputationRoot "al.dkim-reputation.org"

#Signing:
#For signing, don't ignore whitespace etc. in header(=simple) and body(=simple)
Canonicalization simple/simple
#Remove old signatures when we sign our mail
RemoveOldSignatures yes
#Only sign first x bytes of a mail body
MaximumSignedBytes 65000
#Always sign these fields (even if they don't exist) (prevents modification)
OversignHeaders From
#Sign from these hosts every time
InternalHosts file:./TrustedHosts
#Sign from these hosts, even if they didn't authenticate themselves
ExternalIgnoreList file:./TrustedHosts
#List of hosts which aren't touched by dkim (no signing, no validating, no rejecting... nothing!)
PeerList file:./PeerHosts
#Which Key to use for which domain
SigningTable file:./SigningTable
KeyTable file:./KeyTable
#Don't automatically sign subdomains
SubDomains no
#Used to overwrite ADSP-Rules
LocalADSP file:./ADSPOverwrite

#Reports:
#Sender of reports
ReportAddress [email protected]
RequestReports yes
#If we verify a mail and it fails and the sender requests reports, send him one
SendADSPReports yes
SendReports yes
# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)
#ATPSDomains example.com
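As an added check (example code written for this page, not part of OpenDKIM or of the reporter's setup), the following Python correlates an Authentication-Results value with OpenDKIM's syslog lines by Postfix queue id and flags exactly the inconsistency described in the report: the header claims dkim=pass while the log for the same queue id records a verification failure. The header value and log lines are copied from the report (header.i omitted); the function names are assumptions of this example.

```python
import re
# Sample data copied from the report: the forged message's Authentication-Results
# value (header.i omitted) and the OpenDKIM syslog result lines for both queue ids.
AR_HEADER = ('infinity.srv.4fh.eu/3fRv8v5C55zQjQt; dkim=pass reason="2048-bit key; insecure key" '
             'header.d=gmail.com header.b=ra964g/1; dkim-adsp=none (insecure policy); dkim-atps=neutral')
SYSLOG = """\
Feb 16 17:09:44 infinity opendkim[3083]: 3fRtZJ47HVzQjQt: signature=ra964g/1 domain=gmail.com selector=20120113 result="no signature error"
Feb 16 17:37:42 infinity opendkim[3083]: 3fRv8v5C55zQjQt: signature=ra964g/1 domain=gmail.com selector=20120113 result="signature verification failed"
"""
AR_RE = re.compile(r'^\s*(?P<authserv>[^\s;/]+)(?:/(?P<jobid>[^\s;]+))?\s*;')
METHOD_RE = re.compile(r'^(?P<method>[\w-]+)\s*=\s*(?P<result>\w+)')
LOG_RE = re.compile(r'opendkim\[\d+\]: (?P<jobid>[^:\s]+): .*?result="(?P<result>[^"]*)"')

def split_clauses(value):
    """Split an A-R value on ';' outside double quotes (reason="...; ..." must survive)."""
    clauses, buf, quoted = [], '', False
    for ch in value:
        quoted ^= (ch == '"')
        if ch == ';' and not quoted:
            clauses, buf = clauses + [buf], ''
        else:
            buf += ch
    return [c.strip() for c in clauses + [buf] if c.strip()]

def parse_auth_results(value):
    """Return (authserv-id, job id, {method: result}); with AuthservIDWithJobID the job id is the queue id."""
    m = AR_RE.match(value)
    if not m:
        raise ValueError('Authentication-Results value lacks an authserv-id')
    results = {}
    for clause in split_clauses(value[m.end():]):
        cm = METHOD_RE.match(clause)
        if cm:
            results[cm.group('method').lower()] = cm.group('result').lower()
    return m.group('authserv'), m.group('jobid'), results

def parse_opendkim_log(text):
    """Map queue id -> list of the result="..." strings OpenDKIM logged for it."""
    out = {}
    for lm in filter(None, map(LOG_RE.search, text.splitlines())):
        out.setdefault(lm.group('jobid'), []).append(lm.group('result'))
    return out

def find_mismatches(ar_value, log_text):
    """(queue id, header result, log result) for each logged result that contradicts dkim=pass."""
    _, jobid, results = parse_auth_results(ar_value)
    return [(jobid, results.get('dkim'), r)
            for r in parse_opendkim_log(log_text).get(jobid, [])
            if results.get('dkim') == 'pass' and r != 'no signature error']
```

Running find_mismatches(AR_HEADER, SYSLOG) on the report's data yields one hit for queue id 3fRv8v5C55zQjQt; the same header with the genuine message's queue id yields none.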

