[Users] List server: bad DKIM?

Pierre Fortin pf at pfortin.com
Sun Feb 18 06:15:33 CET 2018


On Fri, 16 Feb 2018 17:54:35 -0500 Pierre Fortin wrote:

>Hi,
>
>Did something change on the list server recently?
>
>With the list more active lately, I've noticed that I'm seeing replies
>to messages I haven't seen. Tracked this down to my MTA (luxsci.com)
>deleting messages with DKIM issues. Rather than delete, I've changed the
>MTA action to modify the message by adding "DKIM" in the Subject and it's
>now passing more list messages with DKIM in the subject. Strangely,
>some messages pass the DKIM test while others don't...
>
>Is the list server's DKIM failing?

This is getting convoluted; but before going to bed, here's what I've
found...

I see threads where only Paul's emails appear -- really weird to see lots
of answers to questions never seen...  :]  I can't see those missing
messages; but since allowing messages failing DKIM to pass (about 48
hours ago), a pattern is emerging...

Every message my provider flags (previously discarded) contains an
Authentication-Results header:

Received: by mx.colino.net (Postfix, from userid 1024)
 id 7FAD22100522; Sun, 18 Feb 2018 00:03:36 +0100 (CET)
Authentication-Results: mx.colino.net; dkim=fail
 reason="verification failed; insecure key"
 header.d=gmail.com header.i=@gmail.com header.b=htu2K9Mi;
 dkim-adsp=none (insecure policy); dkim-atps=neutral
Received: from marv.colino.net (localhost [IPv6:::1])
 by mx.colino.net (Postfix) with ESMTP id F305A2100499;
 Sun, 18 Feb 2018 00:01:44 +0100 (CET)

while messages that aren't flagged

a) do not contain this header, nor DKIM signatures from previous MTAs:

Received: by mx.colino.net (Postfix, from userid 1024)
 id 17B6921004D7; Sat, 17 Feb 2018 22:10:49 +0100 (CET)
Received: from marv.colino.net (localhost [IPv6:::1])
 by mx.colino.net (Postfix) with ESMTP id A863F210049B;
 Sat, 17 Feb 2018 22:09:31 +0100 (CET)

b) have DKIM signatures before arriving at marv.colino.net and a new one
gets inserted between marv.colino.net and mx.colino.net:

Received: by mx.colino.net (Postfix, from userid 1024)
 id CEACB21004A4; Sat, 17 Feb 2018 19:10:54 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=claws-mail.org;
 s=mail; t=1518891054;
 bh=FscXU3w6gLWcDd2bLXeHroxP6fLq5HgHN7D9qA0o8og=;
 h=Date:From:To:In-Reply-To:References:Subject:List-Id:
  List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe;
 b=J41KSmxFTa2rPmpVb+CTsfeZHTm8OiB6utD0IYYk/snvJCYFWH0hzSB4Oug3+P/g8
  JPGjM7lPPvr0b/39QTFAZ0HZHYeBcIgxpLCGboRl4+zSm/6AiCZ0JPrq+3qU+ZNQKA
  3ZGwhC3rUaQRzY8+9B1CnKfFrucwOYrtcixswLWc=
Received: from marv.colino.net (localhost [IPv6:::1])
 by mx.colino.net (Postfix) with ESMTP id 755D8210048A;
 Sat, 17 Feb 2018 19:10:27 +0100 (CET)

Questions I hope to dig into in the morning:
- colino.net can't sign a message if it doesn't like the prev sig, can it?
- Is the preceding DKIM signature really bad, or is colino.net glitchy?
- In the case of invalid.tld, is Google inserting signatures in the
  correct order?:
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=invalid.tld;
     s=google;
     v=1; a=rsa-sha256; c=relaxed/relaxed;
- Is colino.net reading these Google signatures correctly?
- Is the X-Google-DKIM-Signature included in its DKIM-Signature?
- Is colino.net being confused by this dual Google sig?
- Other?

Those who get up 5-6 hours ahead of me are welcome to add questions, or a
fix...  :)


Hope I didn't screw up in collecting data while groggy...
G'nite,
Pierre



More information about the Users mailing list