Re: OpenDKIM v2.7.0 released

From: Quanah Gibson-Mount <>
Date: Fri, 26 Oct 2012 16:46:47 -0700

--On Wednesday, October 24, 2012 1:48 PM -0700 "Murray S. Kucherawy"
<> wrote:

> Among the major changes in this release:
> o SECURITY: The library will now decline to generate a signature, or pass
> even a valid signature, if the signing key is compirsed of too few
> bits, thus being insecure. The default is 1024. This can be
> controlled through the API, and the setting can also be adjusted in the
> filter via the new "MinimumKeyBits" setting.

Hi Murray,

What about this part of the CVE (<>)?
Does OpenDKIM already correctly not verify testing mode messages? I'm
going to guess yes, but I didn't see that explicitly stated in the docs.
Further, the documentation about:

On-BadSignature (string)

Selects the action to be taken when a signature fails to validate. Possible
values (with abbreviated forms in parentheses): accept (a) accept the
message; discard (d) discard the message; quarantine (q) quarantine the
message; reject (r) reject the message; tempfail (t) temp-fail the message.
The default is accept. Note that the "t" (testing) flag in a DKIM key does
not alter this behaviour; even keys marked as test keys whose signatures
fail will still be subjected to the selected action.

seems to imply that perhaps OpenDKIM treats testing keys normally?

>From the CVE:

1) CWE-347: Improper Verification of Cryptographic Signature: DKIM
information is conveyed in an email header called a DKIM-Signature header
field. A Signer can indicate that a domain is testing DKIM by setting the
DKIM Selector Flag (t=) flag to t=y. Some verifiers accept DKIM messages in
testing mode when the messages should be treated as if they were not DKIM
signed. From RFC 6376:

t= Flags, represented as a colon-separated list of names (plain-
   text; OPTIONAL, default is no flags set). Unrecognized flags MUST
   be ignored. The defined flags are as follows:

   y This domain is testing DKIM. Verifiers MUST NOT treat messages
      from Signers in testing mode differently from unsigned email,
      even should the signature fail to verify.


Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra ::  the leader in open source messaging and collaboration
Received on Fri Oct 26 2012 - 23:47:52 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:44 PST