Re: opendkim 2.1.3 and signing subdomains

From: Richard Rognlie <>
Date: Fri, 27 Aug 2010 06:14:30 -0400

On Thu, Aug 26, 2010 at 11:08:22PM -0700, Murray S. Kucherawy wrote:
> On Thu, 26 Aug 2010, Richard Rognlie wrote:
> >using SigningTable and KeyTable, I've got opendkim 2.1.3
> >happily signing subdomains.
> >
> >/etc/mail/siglist.txt
> >=====================
> >* testdkim
> >*_at_* testdkim
> >
> >/etc/mail/keylist.txt
> >=====================
> >testdkim
> >
> >However, if I have the selector in question set up to declare
> >that it is not valid for signing subdomains... it still signs
> >them.
> The filter doesn't verify that you're using your keys the way you've
> restricted them, so that's normal.


> >And those signatures happily verify
> That part's a bit odd. What software is doing the verifying?

OpenDKIM 2.1.3

> >Now, I know I could fix part of this (suppress the signing of the
> >domain) by removing that 2nd line from the siglist.txt.
> >
> >But why is the signature validating at all?
> Good question. We do have a unit test for this case and it passed at the
> time of release (libopendkim/tests/t-test82), so I presume this is a bug
> at the verifier.
> >I note that there is no "i=" clause in the signature, and looking at
> >the opendkim code, I see that the t=s check is done by comparing the
> >d= and the i=. If either is NULL, it skips the check.
> "d=" can't be NULL, but the absence of "i=" does mean the check gets
> skipped because a missing "i=" has an inferred default value of
> "_at_<domain>" where "<domain>" is the "d=" value.

So... how do I make the i= part the domain of the sender (not the
domain of the selector)?

> >Shouldn't i= default to the sender domain if missing from the
> >dkim-signature?
> That would mean we're enforcing a default that's not present in the RFC.
> Absent a reason for making tha tassertion, I don't think we should do so.
> >I see mention of something in SignatureTable about the i= clause, but
> >for the life of my I can't parse what it's saying, nor can I find an
> >example anywhere...
> >
> > values in this data set should include one field that refers
> > to a name found in the KeyTable (see above) that identifies
> > which key should be used in generating the signature, and an
> > optional second field naming the signer of the message that will
> > be included in the "i=" tag in the generated signature.
> So the SignatureTable might look like:
> *
> ...and you'd always have "" in your signatures.

which is not the domain I want as the i= clause. I want i= to be
the sender. (which in the above case, is,
but in the *_at_* case is @mumble.gamer.znet)

> >I've tried
> >
> > *_at_* testdkim:%
> >
> >(hoping that the % would exhibit the same behaviour as mentioned in
> >KeyTable)
> That's not currently supported, but why would you want to do this when
> it's the default anyway?
> >but 1. I didn't get an i= flag at all, and
> > 2. on inspection of the code, I can't find anything that appears to
> > parse the key returned from the signature table for post processing.
> >
> >Or is there some option I'm not including in either the opendkim.conf or
> >SignatureTable or KeyTable to turn that on?
> The feature isn't actually available in 2.1.3. It's available in 2.2.0.
> What documentation are you reading?

I thought 2.1.3 (since that's the only version available from the download
page on sorceforge)

I ass-u-me-d that would be
the same. There's no indication on that page which version it refers to.

 /  \__  | Richard Rognlie / Sendmail Ninja / Gamerz.NET Lackey
 \__/  \ |    <rrognlie at>
 /  \__/ | Creator of
 \__/    |                Helping reduce world productivity since 1994
Received on Fri Aug 27 2010 - 10:15:04 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:48 PST