02-12-2008 09:34 AM
Hi there all,
I was wondering if anyone has got DKIM implemented and working?
So far, all my tests to DKIM verification services fail miserably with an error regarding the headers.
What's the proper way to configure DKIM signing, based on the RFC?
I was also wondering about the key size... maybe that's my problem (I'm testing with a key size of 1536...). What are you using out there?
As for my parameters, they are as follows:
- Canonicalization : relaxed/relaxed
- Headers to sign : all
- Body length : do not use
Important note (maybe :) ): my Ironports are behind load balancers which modify their IPs... maybe this has an impact?
Last thing, I've just tried using a plain text message and full body length scanning, and it worked (DKIM result: passed). Yet, with the same settings, when I send a test message in HTML, it fails...? I'm confused now :roll:
Thanks for your feedback !
Frederic
02-12-2008 05:38 PM
What are the DKIM authentication results when sending an HTML message?
02-13-2008 10:49 AM
Hi there,
From check-auth@verifier.port25.com I get :
Result: fail (wrong body hash: expected odi6j1ZNhENu/D3skEIt8zKhvUjdyEGwO//oQmXrFjE=)
From dktest@blackops.org I get :
X-DKIM: Sendmail DKIM Filter v2.5.0.Beta2 medusa.blackops.org m1DAbehp026156
Authentication-Results: medusa.blackops.org; dkim=neutral (verification failed)
The thing I don't get here is that I have set the body length parameter to "Do not use"...?
BTW, I tested some more with a different key length. I set up a new one with 512 bits and set up a new DNS record, all the same. HTML messages fail verification, text messages have no problem.
Cheers,
Fred
02-13-2008 06:52 PM
"Do not use" tells the DKIM module to not use the “l=” tag to determine body length. The entire message is signed and no changes are allowed. I suspect that something is changing in the body of the HTML message during transit.
Can you set this to "Entire Body" and run another test?
02-14-2008 08:40 AM
Hello!
OK, so the settings for this test:
Canonicalization : Relaxed / Simple
Headers to sign : standard
Body length : entire body
Expiration time : 31536000
Result when testing in HTML: Failed (wrong body hash)
I've contacted Ironport support through my reseller; they also believe it is a problem with the encoding...
Will let you know :)
Cheers,
Fred
02-15-2008 06:08 PM
Hello Fred
You are most likely running into an issue we discovered recently. The problem is with lines that start with a "." (like CSS class selectors).
The defect ID is 39622. I don't have a release date for the fix yet, but it is coming soon. I'll send an update when I have more information.
Karl Young
Customer Support Engineer
IronPort Systems
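Added example, not part of the thread and not IronPort code: it computes the DKIM body hash (`bh=`) using the RFC 6376 body canonicalizations and checks whether a body hashes the same before and after SMTP dot-stuffing (RFC 5321 transparency). That the defect involves dot-stuffing is an assumption (the post only says lines starting with "."); the function names and sample bodies are constructed.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str = "simple") -> bytes:
    """Canonicalize a body per RFC 6376 sections 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()                       # artifact of splitting on the final CRLF
    if mode == "relaxed":
        # Collapse whitespace runs to one space and drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in lines]
    while lines and lines[-1] == b"":
        lines.pop()                       # empty lines at the end of the body are ignored
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "simple") -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the value of the bh= tag."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def dot_stuff(body: bytes) -> bytes:
    """SMTP transparency: a line starting with '.' is sent with one extra '.'."""
    return b"\r\n".join(b"." + l if l.startswith(b".") else l
                        for l in body.split(b"\r\n"))

def leading_dot_lines(body: bytes) -> list:
    """Lines that an SMTP client will dot-stuff on the wire."""
    return [l for l in body.split(b"\r\n") if l.startswith(b".")]

def survives_dot_stuffing(body: bytes, mode: str = "simple") -> bool:
    """True if the signer and the verifier agree on bh= even when one of them
    hashes the dot-stuffed wire form instead of the real body."""
    return body_hash(body, mode) == body_hash(dot_stuff(body), mode)

# Constructed sample bodies: plain text, and HTML with a CSS class selector.
TEXT_BODY = b"Hello,\r\nthis is a plain text test.\r\n"
HTML_BODY = (b"<html><head><style>\r\n.header { color: red; }\r\n</style></head>\r\n"
             b"<body><p class=\"header\">test</p></body></html>\r\n")

if __name__ == "__main__":
    for name, body in (("text", TEXT_BODY), ("html", HTML_BODY)):
        print(name, body_hash(body), "stable" if survives_dot_stuffing(body) else
              "changes under dot-stuffing: %r" % leading_dot_lines(body))
```

Neither canonicalization touches a leading ".", so switching between simple and relaxed or changing the key size cannot hide this kind of mismatch; only bodies with no such lines pass.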
02-18-2008 08:30 AM
Hello Fred
The defect ID is 39622. I don't have a release date for the fix yet, but it is coming soon. I'll send an update when I have more information.
02-27-2008 01:30 AM
Today's maintenance release has a fix for this issue. For a complete listing check the release notes on the support portal.
regards
02-27-2008 11:00 AM
great news :)
I'll upgrade my cluster this afternoon and let you know if DKIM signing is working at my place!
Cheers,
Fred