Re: all gmail bad signature data

From: Murray S. Kucherawy <>
Date: Wed, 10 Sep 2014 13:15:15 -0700 (PDT)

On Wed, 10 Sep 2014, wrote:

What changes are you making with ReplaceRules? This could be the problem.

> opendkim[8332]: : [] not internal

This might be a bug, but not related to verification problems. It looks
as if postfix is giving us an empty queue ID. I'll have to adjust our
code to accommodate that.

> opendkim[8332]: 6956780003A: s=20120113 SSL
> error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
> opendkim[8332]: 6956780003A: bad signature data

This basically means the signature broke. The unfortunate thing is that
the crypto function that decides this only returns 0 or 1; it doesn't tell
us what changed.

I just tried it and signatures pass arriving here, also with
OpenDKIM 2.9.2, which suggests there's something in your message handling
setup or your opendkim.conf that might be to blame.

Can you post your entire configuration, without your private keys? The
ReplaceRules is the most interesting thing at the moment.

> postfix/sendmail[9018]: fatal: No recipient
> addresses found in message header

This might be caused by your MTACommand setting, which you said is:

MTACommand /usr/sbin/sendmail -C /etc/postfix/ -vv -t

opendkim tries to build a complete command using its own arguments, so
you should drop from "-vv" to the end and try it again. All it really
needs to know is the path to the executable and the "-C" argument.

Either way, it's essentially impossible for opendkim to hand it a message
with no To: field or an empty To: field unless it's crashing. (Is it?)
opendmarc could, but only if were advertising an empty "ruf="
tag in their DMARC record, which they are not.

Received on Wed Sep 10 2014 - 20:15:33 PST
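
Added example (not part of the original message and not OpenDKIM code): because the RSA check only reports pass or fail, one way to find what changed is to compare the relaxed-canonicalized form (RFC 6376, section 3.4.2) of each signed header in the copy as sent against the copy as received. The function names, sample headers and addresses are constructed for illustration.

```python
import re

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}"

def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, keeping folds."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + "\n" + line)
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name, value))
    return fields

def changed_signed_headers(sent_raw, received_raw, signed):
    """Return the names from the h= list whose canonical form differs."""
    def canon(raw):
        out = {}
        for name, value in parse_headers(raw):
            out.setdefault(name.strip().lower(), []).append(
                relaxed_header(name, value))
        return out
    sent, received = canon(sent_raw), canon(received_raw)
    return [h for h in signed if sent.get(h.lower()) != received.get(h.lower())]

# Constructed sample: the received copy has a refolded Subject, a recased
# From name and extra whitespace (all harmless under relaxed
# canonicalization) plus a rewritten To address (which breaks the signature).
SENT = ("From: Alice <alice@example.com>\r\n"
        "To: bob@example.net\r\n"
        "Subject: Quarterly\r\n   report\r\n"
        "Date: Wed, 10 Sep 2014 13:00:00 -0700\r\n")
RECEIVED = ("FROM:  Alice <alice@example.com>\r\n"
            "To: bob@mail.example.net\r\n"
            "Subject: Quarterly report\r\n"
            "Date: Wed, 10 Sep 2014 13:00:00 -0700\r\n")

if __name__ == "__main__":
    print(changed_signed_headers(SENT, RECEIVED,
                                 ["from", "to", "subject", "date"]))
```

Pass the header names from the signature's h= tag as the third argument; any name it returns is a field that was altered between signing and verification.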
