Posted to users@spamassassin.apache.org by leeyc0 <le...@yahoo.com> on 2010/04/08 15:01:40 UTC

the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

http://old.nabble.com/file/p28178215/dkim-failed.eml dkim-failed.eml 

I manage multiple mail servers, and recently decided to implement DKIM, but
I met a very strange problem.

I tried to send a DKIM-signed email to both @iwtek.net and @ieaa.org, as in
the attachment (both mail servers are managed by me), but I got
T_DKIM_INVALID in iwtek.net while I got DKIM_VALID,DKIM_VALID_AU in ieaa.org
(it is the same email simultaneously sent to both email addresses). This is
weird enough, but there is an even stranger thing. I tried to feed the supposedly
failed email (exactly the one attached) to spamd in ieaa.org, and I got
DKIM_VALID,DKIM_VALID_AU. I have really no idea what's wrong here. Does
anyone here have some clue?
-- 
View this message in context: http://old.nabble.com/the-dkim-sigature-is-valid%2C-but-still-triggered-T_DKIM_INVALID-in-mail-server-tp28178215p28178215.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Posted by leeyc0 <le...@yahoo.com>.


Mark Martinec wrote:
> 
> leeyc0,
>> I have to comment a line Net/DNS/Resolver/Base.pm to fix this problem.
>> 
>> (below is some lines in Net/DNS/Resolver/Base.pm send_tcp function)
>> $buf = read_tcp($sock, $len, $self->{'debug'});
>> 
>> # comment this line, this should be a class property but used as a
>> function
>> # apparently mixed up with Net::DNS::Packet
>> #$self->answerfrom($sock->peerhost);
>> 
>> print ';; received ', length($buf), " bytes\n"
>>                           if $self->{'debug'};
> 
> Thanks, good work - except that I can't reproduce the problem,
> and the fallback to TCP in Net::DNS 0.66 works just fine
> with your first sample message.
> 
> Which version of Net::DNS are you using?
> 

I am using 0.66, installed using CPAN.

Turns out that the problem is not in the Net::DNS package, but rather in the
function call $sock->peerhost (which is a Socket object). $sock->peerhost
runs normally until some data is read from the socket (to be exact, that
particular failing line is in the Net::DNS::Base read_tcp function, the line
that reads "unless ($sock->recv($read_buf, $nread))"). After the $sock->recv
call, "$sock->peerhost" fails with "Bad arg length for
Socket::unpack_sockaddr_in". At this point I gave up troubleshooting, since I
knew that it would be futile to proceed further, because it seems that the
problem is that the mail server OS is too old and has some
compatibility problems with new software.


Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Posted by Mark Martinec <Ma...@ijs.si>.
leeyc0,

> > After some struggle and tracing every bit of code (including tracing
> > installing cpan packages!), apparently it is a bug in the latest
> > Net::DNS::Packet::Resolver::Base send_tcp function call...
> 
> Yes, it is caused by a bug in Net::DNS::Resolver::Base (sorry, there was a
> typo before about the package name).
> 
> I have to comment a line Net/DNS/Resolver/Base.pm to fix this problem.
> 
> (below is some lines in Net/DNS/Resolver/Base.pm send_tcp function)
> $buf = read_tcp($sock, $len, $self->{'debug'});
> 
> # comment this line, this should be a class property but used as a function
> # apparently mixed up with Net::DNS::Packet
> #$self->answerfrom($sock->peerhost);
> 
> print ';; received ', length($buf), " bytes\n"
>                           if $self->{'debug'};

Thanks, good work - except that I can't reproduce the problem,
and the fallback to TCP in Net::DNS 0.66 works just fine
with your first sample message.

Which version of Net::DNS are you using?

Does the SpamAssassin dkim test produce any errors?
  $ prove t/dkim2.t



$ export RES_OPTIONS="debug"
$ perl -MMail::DKIM::Verifier -ne '
BEGIN{$dkim=Mail::DKIM::Verifier->new_object};
 s/\r?\n\z/\015\012/; $dkim->PRINT($_); END{$dkim->CLOSE;
 printf("%s\n",$_->result_detail) for $dkim->signatures}' dkim-failed.eml


;; query(ns4._domainkey.iwtek.net, TXT)
;; Trying to set up a AF_INET6() family type UDP socket with srcaddr: 0.0.0.0 ... done
;; setting up an AF_INET() family type UDP socket
;; send_udp(::1:53)
;; answer from ::1:53 : 478 bytes
;; HEADER SECTION
;; id = 29254
;; qr = 1    opcode = QUERY    aa = 0    tc = 1    rd = 1
;; ra = 1    ad = 0    cd = 0    rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 0  arcount = 0

;; QUESTION SECTION (1 record)
;; ns4._domainkey.iwtek.net.    IN      TXT

;; ANSWER SECTION (1 record)
ns4._domainkey.iwtek.net.       2095    IN      TXT     "v=DKIM1\; k=rsa\; t=y\; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApEnzzPme" 
"RPW8s51DoJqu4ShXkFxLZVoSwPapc1HUGWCNBFbMvKReIYLxQoCWMC" "h6E1Pv5GITqWC1LrA9dluupPHIuyu7vXMMkecq6o1e4T0J5ZspzNMa" 
"TtPrvwlZEE5KZ5bWXuDTDjK6e24KfkPgWPg5jjMWs/fkEjPBNsNNmh" "kHkXMulHb4+LkTSgDWxE6WgMc8R7KvUuY6AedeY3CUpzzBqn/UNZgu" 
"w8Z9y7y2GPJK9lm4ERkbqZuiRB+iCDYmlSgUClWGk4cywkWK3AaAB/" "7w+2xLJ2DgVDGrgxLQCVLlpHnybGrh6FN0R8mlffZy9RJpmq3raO/e" "YkD1t2eeWQIDAQAB"                                                       

;; AUTHORITY SECTION (0 records)

;; ADDITIONAL SECTION (0 records)

;;
;; packet truncated: retrying using TCP
;; attempt to send_tcp(::1:53) (src port = 0)
;; sending 42 bytes
;; read_tcp: expecting 2 bytes
;; read_tcp: received 2 bytes
;; read_tcp: expecting 614 bytes
;; read_tcp: received 614 bytes
;; received 614 bytes
;; HEADER SECTION
;; id = 29254
;; qr = 1    opcode = QUERY    aa = 0    tc = 0    rd = 1
;; ra = 1    ad = 0    cd = 0    rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 4  arcount = 4

;; QUESTION SECTION (1 record)
;; ns4._domainkey.iwtek.net.    IN      TXT

;; ANSWER SECTION (1 record)
ns4._domainkey.iwtek.net.       2095    IN      TXT     "v=DKIM1\; k=rsa\; t=y\; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApEnzzPme" 
"RPW8s51DoJqu4ShXkFxLZVoSwPapc1HUGWCNBFbMvKReIYLxQoCWMC" "h6E1Pv5GITqWC1LrA9dluupPHIuyu7vXMMkecq6o1e4T0J5ZspzNMa" 
"TtPrvwlZEE5KZ5bWXuDTDjK6e24KfkPgWPg5jjMWs/fkEjPBNsNNmh" "kHkXMulHb4+LkTSgDWxE6WgMc8R7KvUuY6AedeY3CUpzzBqn/UNZgu" 
"w8Z9y7y2GPJK9lm4ERkbqZuiRB+iCDYmlSgUClWGk4cywkWK3AaAB/" "7w+2xLJ2DgVDGrgxLQCVLlpHnybGrh6FN0R8mlffZy9RJpmq3raO/e" "YkD1t2eeWQIDAQAB"

;; AUTHORITY SECTION (4 records)
iwtek.net.      2029    IN      NS      ns6.iwtek.net.
iwtek.net.      2029    IN      NS      ns3.iwtek.net.
iwtek.net.      2029    IN      NS      ns4.iwtek.net.
iwtek.net.      2029    IN      NS      ns5.iwtek.net.

;; ADDITIONAL SECTION (4 records)
ns3.iwtek.net.  2095    IN      A       116.92.10.96
ns4.iwtek.net.  2095    IN      A       116.92.10.97
ns5.iwtek.net.  2095    IN      A       116.92.10.98
ns6.iwtek.net.  2095    IN      A       218.213.70.126

pass



  Mark

Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Posted by leeyc0 <le...@yahoo.com>.


leeyc0 wrote:
> 
> 
> After some struggle and tracing every bit of code (including tracing
> installing cpan packages!), apparently it is a bug in the latest
> Net::DNS::Packet::Resolver::Base send_tcp function call...
> 

Yes, it is caused by a bug in Net::DNS::Resolver::Base (sorry, there was a
typo before about the package name).

I have to comment out a line in Net/DNS/Resolver/Base.pm to fix this problem.

(below are some lines in the Net/DNS/Resolver/Base.pm send_tcp function)
$buf = read_tcp($sock, $len, $self->{'debug'});

# comment this line, this should be a class property but used as a function
# apparently mixed up with Net::DNS::Packet
#$self->answerfrom($sock->peerhost);

print ';; received ', length($buf), " bytes\n"
                          if $self->{'debug'};
(end)


Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Posted by leeyc0 <le...@yahoo.com>.


leeyc0 wrote:
> 
>> I changed to use 1024 bit RSA key, and seems the email passed DKIM
>> validation. Seems that my perl installation at iwtek.net somehow cannot
>> validate 2048 bit RSA DKIM signatures. Does anyone have some clue?
> 
> That is possible too, the DNS packet is probably larger than 512 bytes,
> and perhaps your DNS resolver does not fallback to TCP or EDNS0, or
> you have TCP on port 53 blocked at a firewall.
> 
>   Mark
> 
> 

Turns out the problem here is the classic problem of "I got an old (or
broken?) system". I tried to use the Mail::DKIM library directly to debug the
problem, and got this error message when an email with an RSA 2048 bit signature
is fed in.

verify result: invalid (public key: Bad arg length for
Socket::unpack_sockaddr_in, length is 4095, should be 16 at
/usr/local/lib/perl5/5.8.6/i686-linux/Socket.pm line 370, <STDIN> line 41.)

Feeding an email with an RSA 1024 bit signature doesn't have any problem.


After some struggle and tracing every bit of code (including tracing
installing cpan packages!), apparently it is a bug in the latest
Net::DNS::Packet::Resolver::Base send_tcp function call...


Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Posted by leeyc0 <le...@yahoo.com>.
>> I changed to use 1024 bit RSA key, and seems the email passed DKIM
>> validation. Seems that my perl installation at iwtek.net somehow cannot
>> validate 2048 bit RSA DKIM signatures. Does anyone have some clue?
> 
> That is possible too, the DNS packet is probably larger than 512 bytes,
> and perhaps your DNS resolver does not fallback to TCP or EDNS0, or
> you have TCP on port 53 blocked at a firewall.
> 
>   Mark



Turns out the problem here is the classic problem of "I got an old (or
broken?) system". I tried to use the Mail::DKIM library directly to debug the
problem, and got this error message when an email with an RSA 2048 bit signature
is fed in.

verify result: invalid (public key: Bad arg length for
Socket::unpack_sockaddr_in, length is 4095, should be 16 at
/usr/local/lib/perl5/5.8.6/i686-linux/Socket.pm line 370, <STDIN> line 41.)

Feeding an email with an RSA 1024 bit signature doesn't have any problem.


Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Posted by Mark Martinec <Ma...@ijs.si>.
> I tried, but still have no clue, but discovered another horrible thing.
> I tried to send another email from gmail to iwtek.net, the DKIM signature
> validates at iwtek.net (see attachment). I am running mad now...
> http://old.nabble.com/file/p28178961/gmail.eml gmail.eml

One thing I noticed: this second message contains a header field:
  X-mail-iwtek-net-MailScanner-SpamCheck: not spam, SpamAssassin (not cached
but the first one does not say "not cached".

Could it be a MailScanner issue, that it was reusing cached SpamAssassin
results from some earlier mail sample? Having a trivial message with a
single '=' line in the body makes it very likely to hit a body hash of some
earlier test message.

> I changed to use 1024 bit RSA key, and seems the email passed DKIM
> validation. Seems that my perl installation at iwtek.net somehow cannot
> validate 2048 bit RSA DKIM signatures. Does anyone have some clue?

That is possible too, the DNS packet is probably larger than 512 bytes,
and perhaps your DNS resolver does not fallback to TCP or EDNS0, or
you have TCP on port 53 blocked at a firewall.

  Mark
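The size arithmetic behind Mark's two points (the 478-byte UDP answer with tc=1 that is retried over TCP in his trace, and the warning that a 2048-bit key pushes the reply past 512 bytes), as an added example that is not code from this thread, from Net::DNS or from Mail::DKIM. The key bytes are random stand-ins with the DER length of real RSA keys, the query name is the selector from the trace, and the header is constructed to match the trace's flag values.

```python
import base64
import os
import struct

UDP_LIMIT = 512  # RFC 1035 maximum DNS payload over UDP without EDNS0

def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dkim_txt_strings(spki_der: bytes, chunk: int = 255,
                     tags: str = "v=DKIM1; k=rsa; t=y; ") -> list:
    """TXT character-strings of a DKIM key record: the tag string, then p= in
    chunks (RFC 1035 caps a string at 255 bytes; the thread's server used 54)."""
    p_tag = b"p=" + base64.b64encode(spki_der)
    return [tags.encode()] + [p_tag[i:i + chunk] for i in range(0, len(p_tag), chunk)]

def txt_rr_size(strings: list) -> int:
    """One TXT RR with a 2-byte compressed owner name:
    NAME(2) TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) + RDATA."""
    return 12 + sum(1 + len(s) for s in strings)

def min_reply_size(qname: str, strings: list) -> int:
    """Header + question + the single TXT answer, no authority/additional RRs."""
    return 12 + len(encode_name(qname)) + 4 + txt_rr_size(strings)

def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header; TC=1 means the server cut the reply to
    fit UDP and the resolver must retry over TCP."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    return {"id": ident, "qr": flags >> 15, "tc": (flags >> 9) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

# Constructed stand-ins: random bytes with the DER SubjectPublicKeyInfo length of a
# real RSA key (162 bytes for 1024-bit, 294 for 2048-bit); only the length matters.
KEY_1024 = os.urandom(162)
KEY_2048 = os.urandom(294)
QNAME = "ns4._domainkey.iwtek.net"  # the selector record queried in the thread
# Constructed header mirroring the trace's truncated UDP reply: id 29254, qr tc rd ra set.
TRUNCATED_HDR = struct.pack("!6H", 29254, 0x8380, 1, 1, 0, 0)

if __name__ == "__main__":
    for label, strings in (("1024-bit", dkim_txt_strings(KEY_1024)),
                           ("2048-bit", dkim_txt_strings(KEY_2048, chunk=54))):
        size = min_reply_size(QNAME, strings)
        print(f"{label}: {size} bytes before authority/additional RRs "
              f"({'fits' if size <= UDP_LIMIT else 'exceeds'} {UDP_LIMIT})")
    print("TC set, must retry over TCP:", parse_header(TRUNCATED_HDR)["tc"] == 1)
```

With the trace's 54-character chunking the bare answer already comes to 478 bytes, so the four NS and four glue records of the full 614-byte reply cannot fit in UDP and the server sets TC; a resolver that never retries over TCP, or a firewall dropping TCP/53, leaves the verifier without a key.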

Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Posted by leeyc0 <le...@yahoo.com>.

Mark Martinec wrote:
> 
> 
> The dkim-failed.eml message looks fine, the DKIM signature validates.
> 
> If both domains are under your control/access, the simplest is to
> collect the message from both mailboxes and compare them.
> 
>   Mark
> 
> 

I changed to use a 1024 bit RSA key, and it seems the email passed DKIM
validation. It seems that my perl installation at iwtek.net somehow cannot
validate 2048 bit RSA DKIM signatures. Does anyone have some clue?


Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Posted by leeyc0 <le...@yahoo.com>.

Mark Martinec wrote:
> 
> The dkim-failed.eml message looks fine, the DKIM signature validates.
> 
> If both domains are under your control/access, the simplest is to
> collect the message from both mailboxes and compare them.
> 
>   Mark
> 
> 

I tried, but still have no clue, and discovered another horrible thing. I
tried to send another email from gmail to iwtek.net, and the DKIM signature
validates at iwtek.net (see attachment). I am running mad now...

http://old.nabble.com/file/p28178961/gmail.eml gmail.eml 


Re: the dkim signature is valid, but still triggered T_DKIM_INVALID in mail server

Posted by Mark Martinec <Ma...@ijs.si>.
On Thursday 08 April 2010 15:01:40 leeyc0 wrote:
> http://old.nabble.com/file/p28178215/dkim-failed.eml dkim-failed.eml
> 
> I manage multiple mail servers, and recently decided to implement DKIM, but
> I met a very strange problem.
> 
> I tried to send a DKIM-signed email to both @iwtek.net and @ieaa.org, as in
> the attachment (both mail servers are managed by me), but I got
> T_DKIM_INVALID in iwtek.net while I got DKIM_VALID,DKIM_VALID_AU in
> ieaa.org (it is the same email simultaneous sent to both email addresses).
> This is weird enough, but there is even stranger thing. I tried to feed
> the supposed failed email (exactly the one attached) to spamd in ieaa.org,
> and I got DKIM_VALID,DKIM_VALID_AU. I have really no idea what's wrong
> here. Is there anyone here have some clue?

The dkim-failed.eml message looks fine, the DKIM signature validates.

If both domains are under your control/access, the simplest is to
collect the message from both mailboxes and compare them.

  Mark