OK, I've done a LOT of research today to find out what is causing this problem, and it appears I've found the problem.
I started noticing that mail being sent by some mail clients through my server would produce DKIM-signed messages that validated correctly, while mail being sent by other mail clients (i.e. Eudora, my phone, some web mail applications) would produce DKIM-signed messages that failed to validate.

Doing a bunch of testing and looking at the message headers, I narrowed down what the difference is: The DKIM validation fails on email sent by those mail clients that do NOT include a message-ID as part of their message header. Two clients I have found that do not send a message-ID: Eudora, and the Palm Pre phone.

If the client generates and includes a message-ID as part of the message header, the DKIM validation passes. If it does not generate the message-ID header, and allows ASSP to insert it, the DKIM validation fails.

I have DoMsgIDSig enabled. I tried turning it off, but it made no difference: the messages coming from clients that do not insert the message-id still failed DKIM validation.

Any idea where I should be looking next, Thomas?

At 06:35 AM 11/5/2010, Thomas Eckardt wrote:
>
>So your server has to use a 'FROM:' address with @hollsco.com !
>
>Sorry - the 'mail from:' address (envelope sender) is the one that is used
>to detect if a DKIM signature should be added or not - not the 'FROM:'
>address that is in the header.
>
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78
><[email protected]> to: [email protected]
>DKIM: self signature check: result: pass - detail: pass
>
>If this is shown in the log, ASSP has successfully checked the created
>signature using your DNS records! There is nothing more I can do.
>
>Thomas
>
>From: Scott MacLean <[email protected]>
>To: ASSP development mailing list <[email protected]>
>Date: 04.11.2010 16:04
>Subject: Re: [Assp-test] Antwort: Two DKIM problems
>
>At 05:10 AM 11/4/2010, Thomas Eckardt wrote:
> >
> >The second problem
> >
> >ASSP is looking for the email address of the sender - a DKIM signature
> >will be added if a valid DKIM configuration is found for the sending
> >domain. So your server has to use a 'FROM:' address with @hollsco.com !
>
>The email definitely has a FROM address. Here is an example header:
>
>Return-Path: [email protected]
>Delivered-To: [email protected]
>Received: from mail.frogstar.com ([192.168.0.160])
> by mail.frogstar.com
> ; Thu, 4 Nov 2010 02:19:37 -0400
>Received: from fs1.netbound.com ([67.159.45.157] helo=frogstar.com) by
> mail.frogstar.com with ESMTP (2.0.2); 4 Nov 2010 02:19:36 -0400
>Received: from FS1 ([192.168.0.161]) by frogstar.com with Microsoft SMTPSVC(6.0.3790.4675);
> Thu, 4 Nov 2010 02:19:36 -0400
>From: "Domain Admin" <[email protected]>
>To: "Domain Admin" <[email protected]>
>Subject: Subject of message
>Date: Thu, 04 Nov 2010 02:19:36 -0400
>Message-ID: <frog.89255cfc63.frog.5924a9e48a.frog.59249a2c46.20101104-02193663-...@fs1>
>MIME-Version: 1.0
>Content-Type: text/html
>Return-Path: [email protected]
>X-OriginalArrivalTime: 04 Nov 2010 06:19:36.0634 (UTC) FILETIME=[412DC9A0:01CB7BE8]
>
>This email, when routed through the IIS SMTP server, does not get a
>DKIM header added.
>However, the same email, sent directly to ASSP
>instead of through the IIS SMTP server, gets the DKIM header added
>correctly:
>
>Return-Path: [email protected]
>Delivered-To: [email protected]
>Received: from mail.frogstar.com ([192.168.0.160])
> by mail.frogstar.com
> ; Thu, 4 Nov 2010 02:52:29 -0400
>DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=domain.com;
> h=Message-ID:From:Subject:To:MIME-Version:Content-Type; s=alpha;
> bh=Ub+UOLDhHFPhUsX++81Ve9689E4=;
> b=Frgb9rvA7adGunn0pDVpHMk+FY6cHveJI2ADVvdrAG2s3TPGcFtFQ9zqopJqsP7CrpW8eRDtMgxxwE8WbE8ZlIgv/KfAoOwN8n0sdB+vC5sLBQUXMfMzUq/BLu7hx4CSjMHw4i2RPDO2dQcqyfJsotsmDscWKsdS+lbOBDAkiYI=
>Received: from FS1 ([67.159.45.157] helo=FS1) by mail.frogstar.com with ESMTP
> (2.0.2); 4 Nov 2010 02:52:28 -0400
>From: "Domain Admin" <[email protected]>
>To: "Domain Admin" <[email protected]>
>Subject: Subject of message
>Date: Thu, 04 Nov 2010 02:52:29 -0400
>Message-ID: <frog.99248f6996.20101104-02522915-1...@fs1>
>MIME-Version: 1.0
>Content-Type: text/html
>
> >
> >The first one is
> >
> >Set 'DKIMlogging' to diagnostic. In this case assp will do a complete
> >reverse check for every created signature. Tell me what assp is logging
> >about this.
>
>I did so, and it is showing the signature is OK:
>
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78 <[email protected]> to: [email protected] recipient accepted: [email protected]
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] [MessageOK] 12.34.56.78 <[email protected]> to: [email protected] message ok [relaxed test] -> d:/assp/notspam/13130.eml
>Nov-04-10 10:20:23 [Worker_1] DKIM: Selector = alpha
>Nov-04-10 10:20:23 [Worker_1] DKIM: Domain = hollsco.com
>Nov-04-10 10:20:23 [Worker_1] DKIM: KeyFile = d:/assp/certs/dkim_private_key_alpha.pem
>Nov-04-10 10:20:23 [Worker_1] DKIM: Method = relaxed/relaxed
>Nov-04-10 10:20:23 [Worker_1] DKIM: Headers = Message-ID:From:Subject:To:MIME-Version:Content-Type
>Nov-04-10 10:20:23 [Worker_1] DKIM: Mode = DKIM
>Nov-04-10 10:20:23 [Worker_1] DKIM: Algorithm = rsa-sha1
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78 <[email protected]> to: [email protected] info: successful added DKIM-Signature
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78 <[email protected]> to: [email protected] DKIM: self signature check: result: pass - detail: pass
>Nov-04-10 10:20:23 FS-80423-13130 [Worker_1] 12.34.56.78 <[email protected]> to: [email protected] finished message - received size: 0 Byte - sent size: 1.70 kByte
>Nov-04-10 10:20:23 [Worker_1] Disconnected: 12.34.56.78 - command list was 'EHLO,AUTH,RSET,MAIL FROM,RCPT TO,DATA,QUIT' - used 11 SocketCalls
>
>However the response still shows a fail:
>
>The results are as follows:
>
>DKIM Signature validation: fail (verification failed)
>DKIM Author Domain Signing Practices: "dkim=all"
>
>ADSP is not required for DKIM signature validation.
>
>So I suspect the problem may be on the DNS side, in that the
>receiving mail server is not getting the key properly from DNS in
>order to validate the signature?
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
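Added illustration, not part of the thread and not ASSP code: with `Message-ID` listed in `h=`, a verifier hashes different header input if a Message-ID field is inserted after the signature was computed, which is one reading of the symptom reported above (the thread does not confirm where ASSP inserts the header). The `h=` list is the one from the log; addresses, the Message-ID value and the function names are constructed.

```python
import hashlib
import re

# h= list copied from the DKIM-Signature / log in the thread.
H_TAG = "Message-ID:From:Subject:To:MIME-Version:Content-Type"

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2) for one field."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def signed_header_hash(headers, h_tag=H_TAG):
    """Hash the fields named in h=, in h= order, selecting each name bottom-up.

    A name in h= with no matching field contributes nothing (RFC 6376
    section 5.4), so a field of that name added after signing changes the
    input the verifier hashes. The DKIM-Signature field, which real DKIM
    also hashes, is omitted; SHA-256 stands in for the signature check.
    """
    remaining = list(headers)
    data = ""
    for wanted in h_tag.lower().split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            name, value = remaining[i]
            if name.strip().lower() == wanted.strip():
                data += relaxed_header(name, value)
                del remaining[i]
                break
    return hashlib.sha256(data.encode("ascii")).hexdigest()

# Constructed message: the client sent no Message-ID (placeholder addresses).
AS_SIGNED = [
    ("From", '"Domain Admin" <admin@example.com>'),
    ("To", '"Domain Admin" <admin@example.com>'),
    ("Subject", "Subject of message"),
    ("MIME-Version", "1.0"),
    ("Content-Type", "text/html"),
]
# Same message with a Message-ID inserted after the signature was computed.
ID_ADDED_LATER = [("Message-ID", "<constructed.1@example.invalid>")] + AS_SIGNED
# Control: whitespace and folding changes only, which relaxed mode tolerates.
REFOLDED = [(n, v.replace(" of ", "  of\r\n ")) for n, v in AS_SIGNED]

def header_hash_survives(signed, received):
    """True if the verifier would hash the same header input as the signer."""
    return signed_header_hash(signed) == signed_header_hash(received)

if __name__ == "__main__":
    print("Message-ID added after signing:", header_hash_survives(AS_SIGNED, ID_ADDED_LATER))
    print("refolded only:", header_hash_survives(AS_SIGNED, REFOLDED))
```

To check a real case, compare the message as ASSP signed it (the `.eml` in the log) with the copy the receiving server saw and look for any `h=` field present in one and absent in the other.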
