Mailing List Archive | ports@openbsd.org

Hello Kirill. Kirill A. Korinsky wrote in <98c1f03bc1d6c722@mx1.catap.net>: ... |> Kirill A. Korinsky wrote in |> <2fdd33f2325e6817@mx2.catap.net>: |>|>|I imply that using ed25519 usually leads to malformed signature, \ ... |>|> Then these are not standard compliant. The DKIM standard 6376 |>|> *explicitly* supports multiple signatures. |>| |>|Yes, RFC may imply that but OpenDKMI was released quite a while ago \ |>|and the |>|last stable release seems that doesn't handle well this case. |> |> OpenDKIM cannot. I looked at its code in about January and there |> is no notion of it. zdkimfilter as of courier bases upon it, and |> supports it. (Very preprocessor sprinkled crypto code in between |> several libraries that uses, though, and the OpenSSL 3.0 thing |> even fiddles with openssl parameters which i have *not* |> understood from my short glance..) | |And here the issue and my point: until OpenDKIM is supporting anything else |than RSA may lead to delivery emails into Junk. No, Kirill, you are misunderstanding a little bit how DKIM works. ... |> I could very much imagine that if you change to RSA-SHA256 then |> your problem will vanish. | |Nope, it doesn't | |See mxtoolbox [1] for the case of RSA-SHA256 and icloud says, let me quote: | | Authentication-Results: dkim-verifier.icloud.com; dkim=permerror \ | (0-bit key) header.d=korins.ky header.i=@korins.ky header.b=VNwI9oir | Authentication-Results: dkim-verifier.icloud.com; dkim=pass (2048-bit \ | key) header.d=korins.ky header.i=@korins.ky header.b=qwDQ6QCD | |The issue that one of signatures is invalid, and icloud moves mail to the |Junk folder. Because DKIM says that as long as *one* signature passes correctly, DKIM has succeeded. The introduction of new algorithms and key changes etc is quite broadly foreseen in a lot of RFCs regarding public key infrastructure in the last two decades (my view is very limited however, but, still..). |As soon as I use only RSA signatures, emails are delivered to inbox. This is broken behaviour of these people, see RFC 6376, 6.1: INFORMATIVE NOTE: The rationale of this requirement is to permit messages that have invalid signatures but also a valid signature to work. ... the message should succeed even in the presence of the known-broken signature. What they are doing is wrong. Maybe if you move it out of Junk a few times their algorithm learns or what, i do not know. I would start screaming, but normally noone listens anyhow, sure. |Footnotes: |[1] https://mxtoolbox.com/deliverability/86e2b0ff-ba95-47f3-b71e-4ead73\ |653a73 Ah, you, i do not look, this required Javascript and whatnot. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)

2024-05-11 20:27 Steffen Nurpmeso:
patch dkimproxy: use rsa-sha256 in sample signing config
- 2024-05-11 21:34 Kirill A. Korinsky:
  patch dkimproxy: use rsa-sha256 in sample signing config
- - 2024-05-11 23:26 Steffen Nurpmeso:
    patch dkimproxy: use rsa-sha256 in sample signing config
  - - 2024-05-12 10:13 Kirill A. Korinsky:
      patch dkimproxy: use rsa-sha256 in sample signing config
    - 2024-05-12 12:42 Matthieu Herrb:
      OT: dkim (was Re: patch dkimproxy: use rsa-sha256 in sample signing config)