DKIM failures for gitlab mail
Hi Bryan (I assume), I noticed that a small number of Gitlab notification emails end up in my spamfilter. While there is not much you can do about triggering some bayesian style spam filter at my email provider (mailbox.org), I did notice this in the headers: X-Spam-Status: No, score=2.704 tagged_above=2 required=6 tests=[DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HS_RSPAMD_10_11=2.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: spamfilter01.heinlein-hosting.de (amavisd-new); dkim=fail (1024-bit key) reason="fail (bad RSA signature)" header.d=gitlab.haskell.org DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gitlab.haskell.org; s=mail; t=1669733134; bh=D0NUcHiskEnwSP99umP3zo8Fz8fl74OgAJ8NRDKCsp4=; h=Date:From:Reply-To:To:In-Reply-To:References:Subject:List-Id: List-Unsubscribe; b=R+WMLfhRZZdYxMd6K6w+iodDe8EHzwONNArNyboqsU5NnafPRhKZ1UeGxO/BCMvEK M7XHRRrBsPfRYpTph7xSGY427KGXieASVg1GDhAiwKSLBCiqDdkBaoJLLUIfUD02NS ouI3tvQ9mddNdaEK7retq8N+29hzs/ezf9cpgy+Q= It seems the DKIM configuration is broken? There is a DKIM record for the domain that’s valid acccording to https://www.dmarcanalyzer.com/de/dkim-de/dkim-record-check/?dmarcdns%5Btype%5D=dkim&dmarcdns%5Bselector%5D=mail&dmarcdns%5Bdomain%5D=gitlab.haskell.org&g-recaptcha-response=03AEkXODBDl43rk3Ww0q4J1LNooZNlqBYhWGd3spu68KM7nc3js92zXASAuHqVAek5IJj2iV26sx7LzrDQYX08fq2lnL5CvX4P4x7GOekNSV9yG9J48z0I3SxPzy5tQomgP4u9YR8yQqsmZwezj8coIagpBTce9Ubytv_nRg3oKmJjSYsJP5Pwc4Jmgn___e1nbsHUEqNWabdCJHX0Q02oZ3n3sRS5K8LpYOAFhYhOhMQF9QPQ74Uy8fc38lcuK3LJP6Dk5Z2xmgLJypXJiW4svbNTqnndkSehXM-Y5HJ7xdFZ3aMA4yiOwOOYjZwKc2reQDQ6v6TLrYnigFYgA6D4MM2PBRoc6-D5Zr3xbkjPMOlFVXNMGHpu_w4_nTIaTyRhYaBb1ilz7lYa15f8si5-vVuqT-XFe0U1nVsYHWBj-ejC3Ih7QQzaXdlegM3VMLZ94qBeK5b6uA7fbJv_EpMx3K6EbwVyfmsElNx9KnHOciAcQguIXUxU-EOTN900w-lAoqhxVG-VyqIQe8L99_eW6Ns5IV2tLp4qSg but maybe Postfix is not using the right key? Cheers, Joachim -- Joachim Breitner m...@joachim-breitner.de http://www.joachim-breitner.de/ ___ ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs
Re: DKIM failures for gitlab mail
On Wed, Nov 30, 2022 at 05:33:44PM +0100, Joachim Breitner wrote:
> I noticed that a small number of Gitlab notification emails end up in
> my spamfilter. While there is not much you can do about triggering some
> bayesian style spam filter at my email provider (mailbox.org), I did
> notice this in the headers:
>
> X-Spam-Status: No, score=2.704 tagged_above=2 required=6
> tests=[DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HS_RSPAMD_10_11=2.5,
> HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001,
> URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
> Authentication-Results: spamfilter01.heinlein-hosting.de (amavisd-new);
> dkim=fail (1024-bit key) reason="fail (bad RSA signature)"
> header.d=gitlab.haskell.org
> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
> d=gitlab.haskell.org;
> s=mail; t=1669733134;
> bh=D0NUcHiskEnwSP99umP3zo8Fz8fl74OgAJ8NRDKCsp4=;
> h=Date:From:Reply-To:To:In-Reply-To:References:Subject:List-Id:
> List-Unsubscribe;
> b=R+WMLfhRZZdYxMd6K6w+iodDe8EHzwONNArNyboqsU5NnafPRhKZ1UeGxO/BCMvEK
> M7XHRRrBsPfRYpTph7xSGY427KGXieASVg1GDhAiwKSLBCiqDdkBaoJLLUIfUD02NS
> ouI3tvQ9mddNdaEK7retq8N+29hzs/ezf9cpgy+Q=
Indeed the signature in "b=" was not made by the key at
mail._domainkey.gitlab.haskell.org. Running the below:
sig=$(
printf "%s\n%s\n%s\n" \
R+WMLfhRZZdYxMd6K6w+iodDe8EHzwONNArNyboqsU5NnafPRhKZ1UeGxO/BCMvE \
KM7XHRRrBsPfRYpTph7xSGY427KGXieASVg1GDhAiwKSLBCiqDdkBaoJLLUIfUD0 \
2NSouI3tvQ9mddNdaEK7retq8N+29hzs/ezf9cpgy+Q=
)
pkey=$(
dig +short -t txt mail._domainkey.gitlab.haskell.org |
perl -MMIME::Base64 -ne '
/^"v=DKIM1;/ or next;
print decode_base64($1) if m{;\s*p=(\S+?)(?:;|$)}
' |
openssl pkey -pubin -inform DER
)
openssl rsautl -raw -encrypt -pubin \
-inkey <( printf "%s\n" "$pkey" ) \
-in <(printf "%s\n" "$sig" | openssl base64 -d) |
xxd -p
the output is:
509bfc93a492f1b5328308e51624d9a7ed1378861f577b11413c5034bc0c
673d61660434d4bc30844e7648da0f9605923805973a313a8c3bc82215cc
ac447e47551087c544a0592ac3ae48474584bad7d9ca5b850a67493a7977
d28aaa3a9a7580d165dc4f31ff484bdbc40e94a2be1750e71c51c555b5c1
6bc051947bb07ae4
Which is not a PKCS#1.5 padded signature block. So either the
"b=" value was corrupted in transit, or it was signed by a key
that is different from what is published in DNS.
> but maybe Postfix is not using the right key?
Strictly speaking that's not Postfix itself, but some DKIM milter, but
nits aside, more likely a stale public key is published in DNS.
--
Viktor.
___
ghc-devs mailing list
ghc-devs@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs
GHC and type-family rewriting?
Hi, I've managed to code up implications and GADTs, and am now working on adding type families. I've been following the OutsideIn paper, but it seems that GHC is not really following the same plan for the solver. For example, instead of replacing every type family with a metavariable, it only does this for occur-check failures. It talks about "cycle breakers" instead of "flattening substitutions". It creates flatting substitutions for both givens and wanteds (I think). And I see this note: -- | A 'Xi'-type is one that has been fully rewritten with respect -- to the inert set; that is, it has been rewritten by the algorithm -- in GHC.Tc.Solver.Rewrite. (Historical note: 'Xi', for years and years, -- meant that a type was type-family-free. It does *not* mean this -- any more.) type Xi = TcType If I'm understanding correctly, the inert set is now thought of as a "generalized substitution" that replaces either an LHS (untouchable type variables or type family applications) with an RHS. I guess what I'm wondering is: (Q1) Did GHC evolve to this point starting from something fairly close to the OutsideIn paper? (Q2) Is the new approach (i.e. eager type family rewriting) mostly to making rewriting faster? (Q3) Does it sound reasonable to implement the approach from the OutsideIn paper, and than gradually transform it to look more like GHC? -BenRI ___ ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs
