[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qmail
Subject:    Re: Broken DomainKey Implementation
From:       Russ Nelson <nelson () crynwr ! com>
Date:       2007-04-17 4:09:29
Message-ID: 17956.18553.952869.496451 () desk ! crynwr ! com
[Download RAW message or body]

Erik A. Espinoza writes:
 > A bad sig e-mail w/ hard reject set in DKVERIFY will result in hard
 > rejection regardless of whether the test flag is set or not. My
 > example for correct behavior would be spf, which will not cause a hard
 > rejection if ?all is set in the spf record.

See below.

 > I'm not the only one that brought this up. Test it for yourself.

See below.

$ (echo From: nelson@tn.crynwr.com; echo Subject: test; echo To:
nelson@crynwr.com; echo ""; echo "test") | /var/qmail/bin/qmail-inject -n >/tmp/email
$ printf "Fnelson@crynwr.com\0Tnelson@crynwr.com\0\0" > /tmp/email.env
$ (dktest -s /etc/domainkeys/dog </tmp/email; cat /tmp/email) >/tmp/email.signed
$ DKVERIFY=DEFIJKfh ./qmail-dk </tmp/email.signed 1</tmp/email.env 
$ echo $?
0
$ (echo "Received: blah blah";echo "    blah blah"; cat /tmp/email.signed) | \
DKVERIFY=DEFIJKfh ./qmail-dk 1</tmp/email.env $ echo $?
0
$ dnstxt  dog._domainkey.tn.crynwr.com
t=y; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAK4va7P4JhZMSg4ZTE9F354eVpcrfxnlB1KwPdAX6e9YZvw0lnedDNSxZRR/JlfOqQIDAQAB
 $ (cat /tmp/email.signed; echo "makeitbad") | DKVERIFY=DEFIJKfh ./qmail-dk \
1</tmp/email.env  $ echo $?
0

 > >  > The fact that qmail-dk doesn't honor the h= flag for incoming mail
 > >  > means that qmail-dk will set DomainKey status as bad when the mail is
 > >  > good (verifies via dktest).
 > >
 > > Bullshit on a stick without test cases, sorry.  h= is actuallly
 > > completely useless, and anyway, if there's a problem, it's in
 > > libdomainkeys, for which I no longer bear responsibility.
 > 
 > I can provide you full e-mails off list if you are interested:

I can't reproduce this.  Feel free to send the full email as a file
attachment to the list so everyone interested can reproduce.

-- 
--my blog is at    http://blog.russnelson.com   | You can do any damn thing
Crynwr sells support for free software  | PGPok | you want, as long as you
521 Pleasant Valley Rd. | +1 315-323-1241       | don't expect somebody else
Potsdam, NY 13676-3213  |     Sheepdog          | to pick up the pieces.


[prev in list] [next in list] [prev in thread] [next in thread]