Hello again,
I re-enabled DKIM on our server a week or so ago.
I ran into an issue, but I'm not sure if it's a bug, a configuration issue or a display issue... but I suspect it's a bug.
See this maillog snippet:
May 13 12:11:47 www postfix/smtpd[32055]: connect from mail-pb0-f41.google.com[209.85.160.41]
May 13 12:11:47 www postgrey[2398]: action=pass, reason=client whitelist, client_name=mail-pb0-f41.google.com, client_address=209.85.160.41, sender=andy@hemospat.com, recipient=norman@bloody1.com
May 13 12:11:47 www postfix/smtpd[32055]: 9C071113846A: client=mail-pb0-f41.google.com[209.85.160.41]
May 13 12:11:47 www postfix/cleanup[31282]: 9C071113846A: message-id=<CAAQ1erJiM1POJEirub2U_azCu3Jv9LBqERWTekXtLx9grAF04g@mail.gmail.com>
May 13 12:11:47 www dkim-filter[2385]: (unknown-jobid) no signing keylist match for `andy@hemospat.com'
May 13 12:11:47 www dkim-filter[2385]: (unknown-jobid) not internal
May 13 12:11:47 www dkim-filter[2385]: (unknown-jobid) not authenticated
May 13 12:11:47 www dkim-filter[2385]: (unknown-jobid) mode select: verifying
May 13 12:11:48 www dkim-filter[2385]: message has signatures from hemospat.com, forident.com
May 13 12:11:48 www dkim-filter[2385]: 9C071113846A: key retrieval failed (s=google, d=hemospat.com): res_query(): `google._domainkey.forident.com' Unknown host
May 13 12:11:48 www postfix/cleanup[31282]: 9C071113846A: milter-reject: END-OF-MESSAGE from mail-pb0-f41.google.com[209.85.160.41]: 4.7.1 Service unavailable - try again later; from=<andy@hemospat.com> to=<norman@bloody1.com> proto=ESMTP helo=<mail-pb0-f41.google.com>
May 13 12:11:48 www postfix/smtpd[32055]: disconnect from mail-pb0-f41.google.com[209.85.160.41]
Why the "milter-reject"?
As I understand it, the milter should never "reject"; rather, it is only supposed to be a Spamassassin test that accrues points, right?
In this case, the remote mail sender sending messages to a local user says that some of his messages are bouncing (I saw at least one NDR):
The error that the other server returned was:
451 4.7.1 Service unavailable - try again later
In this case, the remote sender has messages signed with a DKIM signature, but has invalid DNS records (wrong selector, I think).
It appears Spamassassin is scoring the DKIM test normally, though I didn't go too far down that road.
Also, I think it would be great if the milter returned/logged a more-descriptive message than:
451 4.7.1 Service unavailable - try again later
How would I go about changing that?
Any clues for me on troubleshooting this issue further?
Thanks,
G
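As an added example (not from the thread, and not part of dkim-milter or Virtualmin), here is a Python script that scans maillog lines of the shape posted above, pairs each dkim-filter "key retrieval failed" entry with the postfix milter-reject that follows for the same queue id, and reports whether the reject was a temporary 4.x.x failure caused purely by a DNS lookup problem. It also flags when the host that was queried differs from the `selector._domainkey.domain` name implied by the s= and d= values, which is what the posted log shows. The sample log is constructed to mirror the posted snippet; the second message's lines are made up to show a delivered message that produces no finding.

```python
"""Find DKIM-verification hard rejects in a Postfix/dkim-filter maillog.

Added example, not from the thread. Pairs every dkim-filter
"key retrieval failed" line with a later postfix "milter-reject" for the
same queue id and classifies the reject.
"""
import re

# Constructed sample log: first message mirrors the thread's snippet,
# second message (queue id 1B2C3D4E5F60) is made up and is delivered normally.
SAMPLE_LOG = """\
May 13 12:11:47 www dkim-filter[2385]: (unknown-jobid) mode select: verifying
May 13 12:11:48 www dkim-filter[2385]: message has signatures from hemospat.com, forident.com
May 13 12:11:48 www dkim-filter[2385]: 9C071113846A: key retrieval failed (s=google, d=hemospat.com): res_query(): `google._domainkey.forident.com' Unknown host
May 13 12:11:48 www postfix/cleanup[31282]: 9C071113846A: milter-reject: END-OF-MESSAGE from mail-pb0-f41.google.com[209.85.160.41]: 4.7.1 Service unavailable - try again later; from=<andy@hemospat.com> to=<norman@bloody1.com> proto=ESMTP helo=<mail-pb0-f41.google.com>
May 13 12:13:02 www dkim-filter[2385]: 1B2C3D4E5F60: DKIM verification successful
May 13 12:13:02 www postfix/qmgr[2200]: 1B2C3D4E5F60: from=<andy@hemospat.com>, size=2048, nrcpt=1 (queue active)
"""

# syslog prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# dkim-filter key lookup failure: selector, signing domain, queried name, resolver error
KEYFAIL_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): key retrieval failed "
    r"\(s=(?P<selector>[^,]+), d=(?P<domain>[^)]+)\): "
    r"res_query\(\): `(?P<queried>[^']+)' (?P<error>.+)$"
)
# postfix cleanup milter-reject with enhanced status code and envelope addresses
REJECT_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): milter-reject: (?P<stage>[A-Z-]+) from \S+: "
    r"(?P<status>\d\.\d+\.\d+) (?P<text>[^;]+); from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)>"
)


def analyze(log_text):
    """Return {queue_id: finding} for every message the milter rejected."""
    keyfails = {}   # queue id -> details of the failed DNS key lookup
    findings = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "dkim-filter":
            kf = KEYFAIL_RE.match(msg)
            if kf:
                d = kf.groupdict()
                # name the verifier should have looked up for this signature
                d["expected"] = f"{d['selector']}._domainkey.{d['domain']}"
                keyfails[d["qid"]] = d
        elif prog == "postfix/cleanup":
            rj = REJECT_RE.match(msg)
            if rj:
                kf = keyfails.get(rj.group("qid"))
                findings[rj.group("qid")] = {
                    "sender": rj.group("sender"),
                    "recipient": rj.group("rcpt"),
                    "status": rj.group("status"),
                    "text": rj.group("text"),
                    # 4.x.x means the remote MTA will retry and may eventually bounce
                    "temporary": rj.group("status").startswith("4."),
                    # reject preceded by a DNS key lookup failure, not a bad signature
                    "dns_failure": kf is not None,
                    "queried": kf["queried"] if kf else None,
                    "expected": kf["expected"] if kf else None,
                    "selector_host_mismatch": bool(kf) and kf["queried"] != kf["expected"],
                }
    return findings


def summarize(findings):
    """Human-readable one-liners, one per rejected message."""
    lines = []
    for qid, f in findings.items():
        cause = "DNS key lookup failed" if f["dns_failure"] else "signature check failed"
        kind = "tempfail" if f["temporary"] else "hard reject"
        line = f"{qid}: {kind} {f['status']} for {f['sender']} -> {f['recipient']} ({cause})"
        if f["selector_host_mismatch"]:
            line += f"; queried {f['queried']} but expected {f['expected']}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG)):
        print(line)
```

Run it against a real /var/log/maillog by replacing SAMPLE_LOG with the file's contents; any finding with `dns_failure` true is a message that was turned away for a resolver problem rather than a forged signature, which is the case that makes a hard verify-and-reject policy risky.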
Comments
Not sure about dkim-milter, but with opendkim it should be easy to fix! I suppose it's the same thing! If you used opendkim, I would think that you might have a linking error in your /etc/opendkim/KeyTable which is trying to find a key for your exampledomain.com whose path is not specified correctly. Check from the shell what it says when you restart the milters, but first check the paths to your certificates in whatever configuration file you have them in.
Best regards, Ilia
Submitted by JamieCameron on Sat, 05/18/2013 - 11:49 Comment #2
On the DKIM page in Virtualmin, do you have "Verify DKIM signatures on incoming email?" set to "Yes"?
Submitted by sonoracomm on Sat, 05/18/2013 - 13:55 Pro Licensee Comment #3
Hi,
Thanks for both of you getting back to me. I appreciate it.
I installed DKIM using the Virtualmin Pro -> Email Messages -> DomainKeys Identified Mail -> Install option.
Frankly, I'm not sure what it actually installed, but this is the package that's installed: dkim-milter-2.8.3-4.el5
Do I have "Verify DKIM signatures on incoming email?" enabled? YES
I assumed that was required...
Also, please note this problem occurs when a non-client (external) tries to send mail to a client (Virtualmin hosted, internal).
These are some applicable maillog entries:
May 13 12:11:47 www postfix/smtpd[32055]: connect from mail-pb0-f41.google.com[209.85.160.41]
May 13 12:11:47 www postgrey[2398]: action=pass, reason=client whitelist, client_name=mail-pb0-f41.google.com, client_address=209.85.160.41, sender=andy@hemospat.com, recipient=norman@bloody1.com
May 13 12:11:47 www postfix/smtpd[32055]: 9C071113846A: client=mail-pb0-f41.google.com[209.85.160.41]
May 13 12:11:47 www postfix/cleanup[31282]: 9C071113846A: message-id=<CAAQ1erJiM1POJEirub2U_azCu3Jv9LBqERWTekXtLx9grAF04g@mail.gmail.com>
May 13 12:11:47 www dkim-filter[2385]: (unknown-jobid) no signing keylist match for `andy@hemospat.com'
May 13 12:11:47 www dkim-filter[2385]: (unknown-jobid) not internal
May 13 12:11:47 www dkim-filter[2385]: (unknown-jobid) not authenticated
May 13 12:11:47 www dkim-filter[2385]: (unknown-jobid) mode select: verifying
May 13 12:11:48 www dkim-filter[2385]: message has signatures from hemospat.com, forident.com
May 13 12:11:48 www dkim-filter[2385]: 9C071113846A: key retrieval failed (s=google, d=hemospat.com): res_query(): `google._domainkey.forident.com' Unknown host
May 13 12:11:48 www postfix/cleanup[31282]: 9C071113846A: milter-reject: END-OF-MESSAGE from mail-pb0-f41.google.com[209.85.160.41]: 4.7.1 Service unavailable - try again later; from=<andy@hemospat.com> to=<norman@bloody1.com> proto=ESMTP helo=<mail-pb0-f41.google.com>
May 13 12:11:48 www postfix/smtpd[32055]: disconnect from mail-pb0-f41.google.com[209.85.160.41]
Thanks again,
G
p.s. dkim-milter seems to start fine:
/etc/init.d/dkim-milter restart
Shutting down DomainKeys Identified Mail Milter: [ OK ]
Starting DomainKeys Identified Mail Milter (dkim-filter): [ OK ]
Submitted by JamieCameron on Sat, 05/18/2013 - 19:49 Comment #4
The "Verify DKIM signatures on incoming email?" option will cause Postfix to reject incoming messages that don't have a valid DKIM signature - this is separate from signing of outgoing messages.
Submitted by sonoracomm on Mon, 05/20/2013 - 11:10 Pro Licensee Comment #5
Hi Jamie,
Signing outbound messages is great, but isn't the integration with Spamassassin on incoming mail where the primary antispam benefit would come from?
I don't know, but shouldn't the integration with Spamassassin be the primary focus? And if it is, why would we have the milter do any rejections at all?
Also, it doesn't seem to reject everything that has DKIM signature errors, only some incoming messages. Why is that? I say this because SOME messages from the sender with DKIM record problems are delivered normally while some are not.
Any idea how to configure the milter NOT to reject any traffic itself but leave that to Spamassassin?
Thanks,
G
Please take a look at /etc/mail/dkim-milter/dkim-filter.conf. It has the following options:
## Indicates which mode(s) of operation should be provided. "s" means
## "sign", "v" means "verify".
# Mode sv
By default it runs in sv mode; change it to s only by uncommenting the line and setting Mode s.
Restart dkim-milter: service dkim-milter restart
Restart postfix: service postfix restart
Submitted by sonoracomm on Mon, 05/20/2013 - 14:34 Pro Licensee Comment #7
Thanks much for your assistance, but I think your comments are going in the wrong direction.
I want DKIM signatures added to outgoing mail.
I want DKIM signatures to be tested on inbound messages and I want the results to count for something.
However, I would like the DKIM test results (incoming) to be reflected in the Spamassassin score... like everything else. I don't want dkim-milter to reject messages outright... and it doesn't sound like it is supposed to.
I DO believe this issue in this thread IS A BUG.
See this thread:
http://thread.gmane.org/gmane.mail.sendmail.dkim-milter.general/1626/foc...
Thanks,
G
p.s. Maybe something here could be adjusted?
(from the dkim-filter.conf man page)
/etc/mail/dkim-milter/dkim-filter.conf
Submitted by JamieCameron on Mon, 05/20/2013 - 23:49 Comment #8
Spamassassin should already do DKIM checks by default, even if you don't enable DKIM for outgoing messages in Virtualmin.
Submitted by sonoracomm on Tue, 05/21/2013 - 14:04 Pro Licensee Comment #9
Finally, I'm catching on...
So, since DKIM is already enabled in Spamassassin, all I should have to do is disable "Verify DKIM signatures on incoming email?" and enable "Signing of outgoing mail enabled?" and everyone should be happy. Right?
I now understand that that is what you intimated in the first place.
Thanks again,
G
Submitted by JamieCameron on Tue, 05/21/2013 - 23:44 Comment #10
Yes, that's the best solution. Setting "Verify DKIM signatures on incoming email?" to "Yes" enables a hard block in the mail server, which isn't usually recommended.
Submitted by aitte on Sun, 06/02/2013 - 12:52 Comment #11
Jamie, the official recommendation by the DKIM designers is that messages should never be rejected due to failure to validate, since validation could fail for loads of reasons without being a forgery. They recommend that DKIM only be used to assign an advisory score that an email is either VALID or UNKNOWN.
In fact, if I was the Virtualmin maintainer, I'd remove the option and write an upgrade-script that changes the dkim-milter config to remove the rejection-flag for all installations on the next Virtualmin upgrade, and then refer future users to manually editing their config file if they TRULY have a reason to do so.
It does no good from an anti-spoofing standpoint (just omit the signature and you pass through dkim-milter) and only does harm (you risk losing legitimate emails due to simple DNS errors, which is exactly why the DKIM spec recommends that you never reject based on failure), so I don't think anyone needs the option. Spammers/spoofers never try to sign their emails - that would just be silly of them. If they sign them, it would be because they've already cracked the key and know that they're using the correct one to add authenticity. Otherwise they never, ever bother signing with an invalid key. That would just be dumb.
I can only imagine that dkim-milter added the option just as a simple "well, it's like a 10 line of code addition so we might as well include a reject-feature if someone feels like doing this crazy crazy stuff."
As for actual anti-spoofing, that is the job of SPF, which ensures that only authorized mailservers can send email for your particular domain. DKIM tackles a different issue, which is PROVING VALIDITY. DKIM says nothing about spoofing. All it can say is that an email is either VALID or UNKNOWN. Therefore, you should never reject emails that fail DKIM validation.
Submitted by JamieCameron on Sun, 06/02/2013 - 20:17 Comment #12
I agree, this option is potentially dangerous to enable. However, other users have asked for it to be included, despite the risks.
Submitted by sonoracomm on Sun, 06/02/2013 - 22:24 Pro Licensee Comment #13
Perhaps tweaking the text of the option or help would keep others from falling into the trap I fell into.
Thanks all for the detailed info,
G
Submitted by JamieCameron on Mon, 06/03/2013 - 12:54 Comment #14
That's a good idea - I'll make the message clearer in the next release.