Mailing List Archive

Exim DKIM fails to import some keys?
I have just discovered that Exim DKIM appears to fail to parse some DKIM
keys that other systems claim are okay:

19 00:50:18 RCPT: SPF Result2=pass (Partnersresponse.dell.com /
mail04.response.dell.com [142.0.168.187])
19 00:50:19 1hHGnL-0002nj-0r PDKIM: d=dell.com s=dk2016 [failed key import]
19 00:50:19 1hHGnL-0002nj-0r DKIM START:
domain=Partnersresponse.dell.com possible_signer=dell.com status=invalid
(reason=pubkey_dns_syntax)
19 00:50:19 1hHGnL-0002nj-0r no IP address found for host
localhost.localdomain
19 00:50:19 1hHGnL-0002nj-0r DKIM DEFER:
domain=Partnersresponse.dell.com cannot obtain public key

Running Exim 4.92, compiled from source on Devuan Beowulf with GCC 8.3
... everything compiles clean and works.

We have a strict DKIM policy that is "you sign it - we check and enforce
it", for failed keys ('pub_key_unavailable' and 'failed_key_import') we
defer with a 421 and appropriate message in the hope that the other
party will fix their problem(s).

The problem is that ProtoDave.com says 'Success' when parsing Dell's key:

SELECTOR
Selectors <http://www.dkim.org/info/dkim-faq.html#technical> enable a
single domain to have multiple keys. Some domains, like Twitter and
eBay, use “*dkim*”. Google Apps domains typically use “*google*”. Others
simply use “*default*”. Enter yours here. (Note: Do not include
“_domainkey”)

DOMAIN

Base Domain Name. (e.g. example.com)


DNS QUERY:dk2016._domainkey.dell.com
QUERY STATUS:Success
TXT RECORD:

"v=DKIM1; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn7EiK3r/vRRde/oD9XAsACz44UTrt2j+hGKdqQ093/QBbPZS99TKxBkcKeWEnu+TzV+WigS8eD424pZVNP2Y4Ta5qbWdtJa+jtoc9953m7WOkTYMM4/iiDxPzhg2yxWdxu3VvuyiZBLhPXzX54mj8rXaTyXXWry2+CRQqDds9pwIDAQAB\\; t=s"

KEY LENGTH (BITS):1024
VERSION:DKIM1
KEY TYPE:
GRANULARITY:
HASHES:sha256
SERVICE TYPE:
FLAGS:
NOTES:
PUBLIC KEY:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn7EiK3r/vRRde/oD9XAsACz44
UTrt2j+hGKdqQ093/QBbPZS99TKxBkcKeWEnu+TzV+WigS8eD424pZVNP2Y4Ta5q
bWdtJa+jtoc9953m7WOkTYMM4/iiDxPzhg2yxWdxu3VvuyiZBLhPXzX54mj8rXaT
yXXWry2+CRQqDds9pwIDAQAB
-----END PUBLIC KEY-----


How to fix?


Mike



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Exim DKIM fails to import some keys? [ In reply to ]
The double backslash at the end of Dell's dell.com DKIM record is not
correct; this was presumably added incorrectly to escape the escaped
semicolon, resulting in a bad key.

You can confirm this at https://dkimcore.org/c/keycheck instead of
protodave.

With no backslash (which of course is not in the base64 character set)
their record should be:

v=DKIM1; h=sha256;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn7EiK3r/vRRde/oD9XAsACz44UTrt2j+hGKdqQ093/QBbPZS99TKxBkcKeWEnu+TzV+WigS8eD424pZVNP2Y4Ta5qbWdtJa+jtoc9953m7WOkTYMM4/iiDxPzhg2yxWdxu3VvuyiZBLhPXzX54mj8rXaTyXXWry2+CRQqDds9pwIDAQAB;
t=s



Andrew

On Fri, 19 Apr 2019 at 11:05, Mike Tubby via Exim-users (<
exim-users@exim.org>) wrote:

> I have just discovered that Exim DKIM appears to fail to parse some DKIM
> keys that other systems claim are okay:
>
> 19 00:50:18 RCPT: SPF Result2=pass (Partnersresponse.dell.com /
> mail04.response.dell.com [142.0.168.187])
> 19 00:50:19 1hHGnL-0002nj-0r PDKIM: d=dell.com s=dk2016 [failed key
> import]
> 19 00:50:19 1hHGnL-0002nj-0r DKIM START:
> domain=Partnersresponse.dell.com possible_signer=dell.com status=invalid
> (reason=pubkey_dns_syntax)
> 19 00:50:19 1hHGnL-0002nj-0r no IP address found for host
> localhost.localdomain
> 19 00:50:19 1hHGnL-0002nj-0r DKIM DEFER:
> domain=Partnersresponse.dell.com cannot obtain public key
>
> Running Exim 4.92, compiled from source on Devuan Beowulf with GCC 8.3
> ... everything compiles clean and works.
>
> We have a strict DKIM policy that is "you sign it - we check and enforce
> it", for failed keys ('pub_key_unavailable' and 'failed_key_import') we
> defer with a 421 and appropriate message in the hope that the other
> party will fix their problem(s).
>
> The problem is that ProtoDave.com says 'Success' when parsing Dell's key:
>
> SELECTOR
> Selectors <http://www.dkim.org/info/dkim-faq.html#technical> enable a
> single domain to have multiple keys. Some domains, like Twitter and
> eBay, use “*dkim*”. Google Apps domains typically use “*google*”. Others
> simply use “*default*”. Enter yours here. (Note: Do not include
> “_domainkey”)
>
> DOMAIN
>
> Base Domain Name. (e.g. example.com)
>
>
> DNS QUERY:dk2016._domainkey.dell.com
> QUERY STATUS:Success
> TXT RECORD:
>
> "v=DKIM1; h=sha256;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn7EiK3r/vRRde/oD9XAsACz44UTrt2j+hGKdqQ093/QBbPZS99TKxBkcKeWEnu+TzV+WigS8eD424pZVNP2Y4Ta5qbWdtJa+jtoc9953m7WOkTYMM4/iiDxPzhg2yxWdxu3VvuyiZBLhPXzX54mj8rXaTyXXWry2+CRQqDds9pwIDAQAB\\;
> t=s"
>
> KEY LENGTH (BITS):1024
> VERSION:DKIM1
> KEY TYPE:
> GRANULARITY:
> HASHES:sha256
> SERVICE TYPE:
> FLAGS:
> NOTES:
> PUBLIC KEY:
>
> -----BEGIN PUBLIC KEY-----
> MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn7EiK3r/vRRde/oD9XAsACz44
> UTrt2j+hGKdqQ093/QBbPZS99TKxBkcKeWEnu+TzV+WigS8eD424pZVNP2Y4Ta5q
> bWdtJa+jtoc9953m7WOkTYMM4/iiDxPzhg2yxWdxu3VvuyiZBLhPXzX54mj8rXaT
> yXXWry2+CRQqDds9pwIDAQAB
> -----END PUBLIC KEY-----
>
>
> How to fix?
>
>
> Mike
>
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
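The diagnosis in the reply above as a runnable check (an added example, not part of the original thread and not Exim's code): a strict parser rejects the published record because of the trailing backslashes in `p=`, while a decoder that skips non-base64 characters accepts the same record, which is one way two checkers can disagree. The function names are hypothetical; the record strings are built from the values quoted in the thread.

```python
import base64
import re

# Key material as quoted in the thread (dk2016._domainkey.dell.com).
KEY_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn7EiK3r/vRRde/oD9XAsACz44"
    "UTrt2j+hGKdqQ093/QBbPZS99TKxBkcKeWEnu+TzV+WigS8eD424pZVNP2Y4Ta5q"
    "bWdtJa+jtoc9953m7WOkTYMM4/iiDxPzhg2yxWdxu3VvuyiZBLhPXzX54mj8rXaT"
    "yXXWry2+CRQqDds9pwIDAQAB"
)
PUBLISHED = "v=DKIM1; h=sha256; p=" + KEY_B64 + "\\\\; t=s"  # with the two backslashes
CORRECTED = "v=DKIM1; h=sha256; p=" + KEY_B64 + "; t=s"      # as given in the reply

B64_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")

def parse_tags(record):
    """Split a DKIM key record into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
    return tags

def strict_key(record):
    """Return the decoded p= bytes; raise ValueError on any non-base64 character."""
    p = re.sub(r"[ \t\r\n]", "", parse_tags(record).get("p", ""))  # drop folding whitespace
    bad = sorted(set(re.sub(r"[A-Za-z0-9+/=]", "", p)))
    if bad or not B64_RE.fullmatch(p) or len(p) % 4:
        raise ValueError(f"p= is not valid base64 (unexpected: {bad})")
    return base64.b64decode(p, validate=True)

def lenient_key(record):
    """Decode p= while silently discarding characters outside the base64 alphabet."""
    return base64.b64decode(parse_tags(record).get("p", ""))

def check(record):
    """Verdict a strict verifier would reach for this key record."""
    try:
        return "ok", len(strict_key(record))
    except ValueError as exc:
        return "pubkey_syntax_error", str(exc)

if __name__ == "__main__":
    print("published, strict :", check(PUBLISHED))
    print("published, lenient:", len(lenient_key(PUBLISHED)), "bytes decoded")
    print("corrected, strict :", check(CORRECTED))
```
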