How to diagnose opendkim RSA signatures

I'm having an issue where my DKIM signatures are failing everywhere. There was a question on this here, but the original poster answered his own question, and the answer seems unrelated. After some digging, I had thought this might be a canonicalization problem with OpenDKIM and that the FixCRLF config setting might fix it, but it seems not to have done so. Now I'm thinking there might be some problem with my openssl implementation (see why below). How do I progress from here to further diagnose and fix this?

My diagnostic steps to date

This originally surfaced when I noticed that emails from my self-hosted domains to my gmail account had DKIM failures in the header. After some googling for how to test this, I discovered that the OpenDKIM README includes a section on testing. It seems a little out of date, as a couple of the resources don't really work ([email protected] seems not to exist, and [email protected] bounces the message as spam, which ... isn't really ideal for a testing service :) ); however, the Port25 verifiers seemed initially to be really useful, because they don't just tell you that you fail, they include the canonicalized headers. So, my first test came back with this:

Canonicalized Headers:
   from:My'20'Name'20'<[email protected]>'0D''0A'
   subject:Port25'20'check-auth'20'1'0D''0A'
   date:Fri,'20'1'20'Oct'20'2021'20'07:10:19'20'+0200'0D''0A'
   to:[email protected]'0D''0A'
   dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=mydomain.com;'20's=default;'20't=1633065019;'20'bh=2ZDQvBeN3kIWoOxg0Ccz1E/Pi+j4hDPFKwXDhxotTAA=;'20'h=From:Subject:Date:To:From;'20'b=

I had turned on KeepTemporaryFiles in opendkim.conf, and the saved canonicalized headers on my server side look like this:

from:My Name <[email protected]>
subject:Port25 check-auth 1
date:Fri, 1 Oct 2021 07:10:19 +0200
to:[email protected]
dkim-signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=default; t=1633065019; bh=2ZDQvBeN3kIWoOxg0Ccz1E/Pi+j4hDPFKwXDhxotTAA=; h=From:Subject:Date:To:From; b=

To my eyes, those looked identical, but I started to wonder about the '0D''0A' on the Port25 side of things. I'm sending the original message from a Mac, and actually didn't know off the top of my head what MacOS uses for EOL. Some more googling and I stumbled upon this stackoverflow Q&A. That led me first to try sending plain-text email, but the same failure problem occurred. Going for the other option, I turned on FixCRLF in OpenDKIM. Indeed, opening the local temp file with vim in binary mode, it seems the setting is working:

from:My Name <[email protected]>^M
subject:Test with CRLF fixed(?)^M
date:Fri, 1 Oct 2021 07:40:52 +0200^M
to:[email protected]^M
dkim-signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=default; t=1633066853; bh=tt5a2hZTsPGjeXhj9bcF3Kt9N5uk4aYb/j8ciXTYUZA=; h=From:Subject:Date:To:From; b=

Unfortunately, still no love from the Port25 verifier.

As my last-ditch effort, it occurred to try this on my own server — sending an email between two different domains that are both hosted locally. This got at least a little interesting.

The mail log says:

...
Oct  1 05:50:27 ip-10-0-200-157 opendkim[22246]: 654F98004C: DKIM-Signature field added (s=default, d=mydomain.com)
...
Oct  1 05:50:27 ip-10-0-200-157 amavis[21845]: (21845-06) Checking: hRgGGArUlLf0 [88.101.121.213] <[email protected]> -> <[email protected]>
...
Oct  1 05:50:29 ip-10-0-200-157 amavis[21845]: (21845-06) hRgGGArUlLf0 FWD from <[email protected]> -> <[email protected]>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5248A80051
Oct  1 05:50:29 ip-10-0-200-157 amavis[21845]: (21845-06) Passed CLEAN {RelayedInbound}, [88.101.121.213]:63859 [88.101.121.213] <[email protected]> -> <[email protected]>, Queue-ID: 654F98004C, Message-ID: <[email protected]>, mail_id: hRgGGArUlLf0, Hits: -0.799, size: 3683, queued_as: 5248A80051, 1878 ms

HOWEVER, in the actual headers of the received mail, I see

...
X-Spam-Status: No, score=-0.799 tests=[ALL_TRUSTED=-1, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001] autolearn=no autolearn_force=no
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=default; t=1633067427; bh=+FsxBlX8LDcIVqvq7tKOtml1vsfEjh0rYTRVokBgmQ4=; h=From:Subject:Date:To:From; b=yDkI63wnvN8deIU4AtruGu4r/ybCTBLzmdwkTEhSYNCU56oGp0lP8n4FnXW7H67TL DFtlw/U9/MZPhR0Jeorl3gBdLebBV02v60wpLlFKXF5N4NL/cZbp8/U0liGZGVPoWj PP+OV/uOwNMDUhLG2I8jN88Zi9sHduo8xr7DOmy4=
...
Dkim-Filter: OpenDKIM Filter v2.11.0 ip-10-0-200-157.eu-central-1.compute.internal 654F98004C
...
Authentication-Results: mx.mymaildomain.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (OpenSSL error: data too large for modulus)" header.d=mydomain.com

That last line is my only remaining clue. I ... can't imagine that any data is actually too large, but maybe I'm having some OpenSSL problem? In particular, even though it's applying a signature, the signature is somehow wrong? I'm really quite at a loss as to where to go from here.

Any suggestions on what's wrong, or what to do next, much appreciated.

This is with OpenDKIM, AmavisD, Postfix:

# opendkim -V
opendkim: OpenDKIM Filter v2.11.0
    Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        QUERY_CACHE
        USE_DB
        USE_LDAP
        USE_ODBX
    libopendkim 2.11.0: query_cache

# amavisd -V
amavisd-new-2.12.0 (20190725)

# postconf mail_version
mail_version = 2.10.1
dave_thompson_085
'too large' on RSA verify (or decrypt) can be caused if you don't use halves of the same keypair; different RSA keypairs have different modulus (n) values, and a signature or cryptogram valid for one n can be invalid for another n. Make sure the public key you are serving (and fetching) for verifying matches the private key being used for signing.
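To make the answer concrete, here is an added example (not from the thread or from OpenDKIM) that parses the b= value out of the DKIM-Signature header quoted in the question, checks that its bit length fits the 1024-bit key the verifier reported, and then shows at the integer level when an RSA verify ends in "data too large for modulus" (the signature value is not below the verifier's modulus) versus a plain "bad signature" (the moduli differ but the value happens to fit). The keys used are textbook-size toys constructed for illustration only.

```python
import base64
import re

# DKIM-Signature value from the question's received mail (b= folded over three lines).
DKIM_SIG_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=default; "
    "t=1633067427; bh=+FsxBlX8LDcIVqvq7tKOtml1vsfEjh0rYTRVokBgmQ4=; "
    "h=From:Subject:Date:To:From; b=yDkI63wnvN8deIU4AtruGu4r/ybCTBLzmdwkTEhSYNCU56oGp0lP8n4FnXW7H67TL "
    "DFtlw/U9/MZPhR0Jeorl3gBdLebBV02v60wpLlFKXF5N4NL/cZbp8/U0liGZGVPoWj "
    "PP+OV/uOwNMDUhLG2I8jN88Zi9sHduo8xr7DOmy4="
)


def parse_dkim_tags(header):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Folding whitespace inside values (the wrapped b=) is stripped."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_bits(tags):
    """Bit length of the raw signature; it can never exceed the size of the key
    published in DNS, so a 2048-bit b= against a 1024-bit p= is a key mismatch."""
    return len(base64.b64decode(tags["b"])) * 8


def rsa_verify_status(sig, e, n, expected):
    """Mirror the order of checks in an RSA verify: a signature integer that is not
    below the modulus is rejected as 'data too large for modulus' before any
    exponentiation; otherwise sig^e mod n is compared with the expected value."""
    if sig >= n:
        return "data too large for modulus"
    return "ok" if pow(sig, e, n) == expected else "bad signature"


# Toy keys (constructed, far too small for real use): A signs, B and C are other keypairs.
KEY_A = {"n": 3233, "e": 17, "d": 2753}   # p=61, q=53
KEY_B = {"n": 143, "e": 7}                # p=11, q=13: modulus differs, value still fits
KEY_C = {"n": 55, "e": 3}                 # p=5, q=11: modulus smaller than the signature


def demo():
    digest = 2790                                   # stands in for the encoded hash
    sig = pow(digest, KEY_A["d"], KEY_A["n"])       # sign with private key A
    return {
        "same_key": rsa_verify_status(sig, KEY_A["e"], KEY_A["n"], digest),
        "other_key": rsa_verify_status(sig, KEY_B["e"], KEY_B["n"], digest),
        "smaller_key": rsa_verify_status(sig, KEY_C["e"], KEY_C["n"], digest),
    }
```

Against a real 1024-bit keypair the same two failure modes appear: verifying with a different key of the same size gives either error roughly at random depending on whether the signature value falls below that key's n, which is why the OpenSSL message alone does not distinguish a wrong key from a corrupted signature.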
I noticed that your OpenSSL and Postfix versions are ancient, from 2013. Perhaps try to update the system and components first, if at all possible?
Patrick Ferreira
Hello @philolegein, I know this is very old... but did you find out what was going on and how did you solve this issue? I'm having more or less the same issue.
philolegein
@PatrickFerreira, unfortunately — yes, it now works, but this is long enough ago that I don't know how I fixed it. My email config is here: https://github.com/cwrichardson/flurdymail, but I don't address this in the DKIM section :( Sorry.