Mailing List Archive

Exim DKIM: exim<->Exim verifies but not on Gmail or Office 365
Hi, I have exim configured to sign mail from a domain. It does this, and when passing through another Exim server that other server verifies the signature, but Gmail and Office 365 fail it. I am using 2048-bit keys; all are well published in the DNS. Port 25 reports that the signature check fails. It finds the keys correctly. This is with exim version 4.90_1 #2 built 14-Mar-2018 08:32:15 from EPEL on Redhat 7.3. The transport config is correctly picking the key from a table and signing the message. Port25 reports as below; is there some other config I need to do? I have even cut down the signed headers to


dkim_sign_headers = From:Date:Subject:Message-ID:Content-Type:MIME-Version


to try and avoid problems with headers being mangled. No amount of googling solves this.






----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: fail (signature doesn't verify)
ID(s) verified:

Canonicalized Headers:
message-id:1525368258-test.sh@sllv-mr03.arts.local'0D''0A'
date:Thu,'20'3'20'May'20'2018'20'16:15:50'20'+0000'0D''0A'
subject:DKIM'20'Test'20'4'0D''0A'
from:r.bannocks@naln.ac.uk'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=naln.ac.uk;'20's=537-1525350337-pub.mailrelay;'20'h=Message-id:Date:subject:From:Content-Type:'20'MIME-Version;'20'bh=pZvvKsjXAM/6uncB9f5zyvKqs9c+J7vZeZgqFM0pduk=;'20'b=;

Canonicalized Body:
TEST'20'MAIL'0D''0A'
Subject:'20'DKIM'20'Test'20'4'0D''0A'
----'20'Diagnostic'20'----'0D''0A'
HOST=sllv-mr04.arts.local'0D''0A'
PORT=smtp'0D''0A'
RECIPIENT=check-auth@verifier.port25.com'0D''0A'
SENDER=r.bannocks@naln.ac.uk'0D''0A'
SUBJECT=DKIM'20'Test'20'4'0D''0A'
HOSTNAME=sllv-mr03.arts.local'0D''0A'
MESSAGEID=1525368258-test.sh@sllv-mr03.arts.local'0D''0A'


DNS record(s):
537-1525350337-pub.mailrelay._domainkey.naln.ac.uk. 60 IN TXT "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmV+yM4c/LE4RWwPhXGBotF7AchoNvWsgiJgxUCIGb7CVWbiQFDw0Qthd5jesidVVR1y9YCndHYJWhipHjVrO/5ks5UlAY8ZGbiPAe21yxIfZ4c90C8Pzbf81DhuJChP7MWjjwJEt8b91GQaEKNGcF5psoIbIudkKfzDtShnOdl/uV43ITZslu3wSKoYFS2P+2a4UyBPYQvkhcI/YWEcqYRBfIz3E8AUT+YEH2QquEyZbnrr11baGalIUT8E0eM/pEvUDroquioJSSlvclINhIYs3w8pski7Qv2zZsfFNcKTEfzaqBXwelwwVnDSpPO+uWvhaWmJqISBl7axBnwbmTQIDAQAB"

Public key used for verification: 537-1525350337-pub.mailrelay._domainkey.naln.ac.uk (2048 bits)

NOTE: DKIM checking has been performed based on the latest DKIM specs (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for older versions. If you are using Port25's PowerMTA, you need to use version 3.2r11 or later to get a compatible version of DKIM.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Exim DKIM: exim<->Exim verifies but not on Gmail or Office 365
On 03/05/18 18:28, Robert Bannocks via Exim-users wrote:
> Hi, I have exim configured to sign mail from a domain. It does this, and when passing through another Exim server that other server verifies the signature, but Gmail and Office 365 fail it. I am using 2048-bit keys; all are well published in the DNS. Port 25 reports that the signature check fails. It finds the keys correctly. This is with exim version 4.90_1 #2 built 14-Mar-2018 08:32:15 from EPEL on Redhat 7.3. The transport config is correctly picking the key from a table and signing the message. Port25 reports as below; is there some other config I need to do? I have even cut down the signed headers to

> DKIM check details:

Where was this report from? A very brief search gets far too many hits
for "port 25" but I assume this is some organisation?

What do Gmail say? What do Office365 say?
--
Cheers,
Jeremy

Re: Exim DKIM: exim<->Exim verifies but not on Gmail or Office 365
Hi, Robert -

I'm using 2048-bit keys here: both on our on-site mail gateways running
Exim (version 4.86.1 at present on Ubuntu) and at Google. That setup is
working OK re DKIM verification.

If you'd like to do an extra check, I find this DKIM validation site very
useful:

http://www.appmaildev.com/en/dkim/


Click the *Next Step* button to get a temporary address, send your test
message to it, and as soon as it arrives the page fills in with details
about whether SPF, DKIM and DMARC tests pass or fail.

Cheers,
Mike B-)

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm