Naval saini | 16 Jul 14:06 2012
Picon

DKIM showing bad format


Setting up DKIM on my Postfix/CentOS 5.6 server.

It sends and signs the emails, but Google still showing it neutral. The
errors I'm getting are:

    dkim=neutral (bad format) header.i= <at> r02.lbsmtp.org

from googles "show original" interface.

This is what my DKIM-signature header look like:

    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=r02.lbsmtp.org;
s=lbsmtp.org; t=1342436478; bh=KpPvOZhGUmgR1WIhVC9UH5OXzTnwtnGMf7tEwI0nNfw=;
h=To:Subject:Message-Id:Date:From;
b=lWWQQZjSEWwSjanB0btmP0Xg0izkyqDwKsxzlUqsL/tA9JAQau6dNCYdJx7OWuNiv
M3vXqrBe3uzFnvGIrQ2xbZy9DMMPmjiqUKn+KKsvmr873eYq5iG9bw6b53SkSJ6uV5
et0iLL6i3XNt/VDBQKuY1ILs+qRI60Eek/nGaXos=

please suggest me how can i solve this problem.?

--

-- 
View this message in context: http://old.nabble.com/DKIM-showing-bad-format-tp34167419p34167419.html
Sent from the Postfix mailing list archive at Nabble.com.

Robert Schetterer | 16 Jul 14:53 2012

Re: DKIM showing bad format

Am 16.07.2012 14:06, schrieb Naval saini:
> 
> Setting up DKIM on my Postfix/CentOS 5.6 server.
> 
> It sends and signs the emails, but Google still showing it neutral. The
> errors I'm getting are:
> 
>     dkim=neutral (bad format) header.i= <at> r02.lbsmtp.org
> 
> from googles "show original" interface.
> 
> This is what my DKIM-signature header look like:
> 
>     DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=r02.lbsmtp.org;
> s=lbsmtp.org; t=1342436478; bh=KpPvOZhGUmgR1WIhVC9UH5OXzTnwtnGMf7tEwI0nNfw=;
> h=To:Subject:Message-Id:Date:From;
> b=lWWQQZjSEWwSjanB0btmP0Xg0izkyqDwKsxzlUqsL/tA9JAQau6dNCYdJx7OWuNiv
> M3vXqrBe3uzFnvGIrQ2xbZy9DMMPmjiqUKn+KKsvmr873eYq5iG9bw6b53SkSJ6uV5
> et0iLL6i3XNt/VDBQKuY1ILs+qRI60Eek/nGaXos=
> 
> please suggest me how can i solve this problem.?
> 

you may run in dns caching time problems by changing dkim

send mail to reflectors
to test

i.e

(Continue reading)

Viktor Dukhovni | 16 Jul 17:12 2012

Re: DKIM showing bad format

On Mon, Jul 16, 2012 at 05:06:53AM -0700, Naval saini wrote:

> DKIM-Signature: v=1; a=rsa-sha256;
>   c=simple/simple;
>   d=r02.lbsmtp.org;
>   s=lbsmtp.org;
> 
> please suggest me how can i solve this problem.?

You may get better results with c=relaxed/relaxed.

I see no DNS records for the selector/domain pair you're signing with:

  $ dig -t txt lbsmtp.org._domainkey.r02.lbsmtp.org
  ...
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47502
  ...
  lbsmtp.org. 7200 IN SOA enow.mercury.orderbox-dns.com. ...

This is a serious problem, since the public key needed to verify
the message is not published in your DNS.

--

-- 
	Viktor.

Naval saini | 17 Jul 10:51 2012
Picon

Re: DKIM showing bad format

so viktor How can i publish keys in my DNS.. ?

This is my DNS ZONE file entry:

_domainkey.r02.lbsmtp.org.      IN      TXT     "t=y; o=-;"
lbsmtp.org._domainkey.r02.lbsmtp.org.   IN      TXT "k=rsa; t=y;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+Nk+qAXShe92GLTe8sXXHFeH+lqZpxWMqCPqRdowGTx3Scrq7mgqEPnc49Po5cS0NjZI/eWF/rzD7/qpbpKLR2eZx3/8JEn67EtjKmuVc/uyejL5WSxkHsj4rhHFnX96yqV0iS+odGqy4c/QWvbbF+LB/rcOXDkvOR544O4LGgwIDAQAB"

On 7/16/12, Viktor Dukhovni <postfix-users <at> dukhovni.org> wrote:
> On Mon, Jul 16, 2012 at 05:06:53AM -0700, Naval saini wrote:
>
>> DKIM-Signature: v=1; a=rsa-sha256;
>>   c=simple/simple;
>>   d=r02.lbsmtp.org;
>>   s=lbsmtp.org;
>>
>> please suggest me how can i solve this problem.?
>
> You may get better results with c=relaxed/relaxed.
>
> I see no DNS records for the selector/domain pair you're signing with:
>
>   $ dig -t txt lbsmtp.org._domainkey.r02.lbsmtp.org
>   ...
>   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47502
>   ...
>   lbsmtp.org. 7200 IN SOA enow.mercury.orderbox-dns.com. ...
>
> This is a serious problem, since the public key needed to verify
> the message is not published in your DNS.
(Continue reading)

Viktor Dukhovni | 17 Jul 16:51 2012

Re: DKIM showing bad format

On Tue, Jul 17, 2012 at 02:21:50PM +0530, Naval saini wrote:

> This is my DNS ZONE file entry:
> 
> _domainkey.r02.lbsmtp.org.      IN      TXT     "t=y; o=-;"

The above resource record (RR) has no selector, it has no meaning in DKIM.  

> lbsmtp.org._domainkey.r02.lbsmtp.org.   IN      TXT
>	"k=rsa; t=y;
>	 p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+Nk+qAXShe92GLTe8sXXHFeH+
>	 lqZpxWMqCPqRdowGTx3Scrq7mgqEPnc49Po5cS0NjZI/eWF/rzD7/qpbpKLR2eZx
>	 3/8JEn67EtjKmuVc/uyejL5WSxkHsj4rhHFnX96yqV0iS+odGqy4c/QWvbbF+LB/
>	 rcOXDkvOR544O4LGgwIDAQAB"

Congratulations, you're configured a 1024-bit RSA key (many sites have
foolishly created 512-bit RSA keys, which are too easily factored). That
said, your DNS does not in fact publish this RR to the world at large:

	$ dig -t txt lbsmtp.org._domainkey.r02.lbsmtp.org
	;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18036
	lbsmtp.org.  7200  IN  SOA  enow.mercury.orderbox-dns.com. ...

So your DKIM public key is not available for verification. Over
and out.

--

-- 
	Viktor.

(Continue reading)

Naval saini | 17 Jul 18:15 2012
Picon

Re: DKIM showing bad format

Actually my Domain name is lbsmtp.org and i relay mails from my domain as relayhost through MX record in my dns zone file now i want to sign outbound mails Since i am new postfix user so please can explain me how can i get DKIM signing mails .

Please explain me about which and what kind of entries required in dns. If any tutorial please send me the link...  

On Tue, Jul 17, 2012 at 8:21 PM, Viktor Dukhovni <postfix-users <at> dukhovni.org> wrote:
On Tue, Jul 17, 2012 at 02:21:50PM +0530, Naval saini wrote:

> This is my DNS ZONE file entry:
>
> _domainkey.r02.lbsmtp.org.      IN      TXT     "t=y; o=-;"

The above resource record (RR) has no selector, it has no meaning in DKIM.

> lbsmtp.org._domainkey.r02.lbsmtp.org.   IN      TXT
>       "k=rsa; t=y;
>        p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+Nk+qAXShe92GLTe8sXXHFeH+
>        lqZpxWMqCPqRdowGTx3Scrq7mgqEPnc49Po5cS0NjZI/eWF/rzD7/qpbpKLR2eZx
>        3/8JEn67EtjKmuVc/uyejL5WSxkHsj4rhHFnX96yqV0iS+odGqy4c/QWvbbF+LB/
>        rcOXDkvOR544O4LGgwIDAQAB"

Congratulations, you're configured a 1024-bit RSA key (many sites have
foolishly created 512-bit RSA keys, which are too easily factored). That
said, your DNS does not in fact publish this RR to the world at large:

        $ dig -t txt lbsmtp.org._domainkey.r02.lbsmtp.org
        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18036
        lbsmtp.org.  7200  IN  SOA  enow.mercury.orderbox-dns.com. ...

So your DKIM public key is not available for verification. Over
and out.

--
        Viktor.

Wietse Venema | 17 Jul 18:58 2012

Re: DKIM showing bad format

Naval saini:
> Actually my Domain name is lbsmtp.org and i relay mails from my domain as
> relayhost through MX record in my dns zone file now i want to sign outbound
> mails Since i am new postfix user so please can explain me how can i get
> DKIM signing mails .
> Please explain me about which and what kind of entries required in dns. If
> any tutorial please send me the link...

I suggest that you read http://tools.ietf.org/html/rfc6376, look
at the examples in the appendices, and come back if you have any
questions.

	Wietse

Robert Schetterer | 17 Jul 19:03 2012

Re: DKIM showing bad format

Am 17.07.2012 18:15, schrieb Naval saini:
> Actually my Domain name is lbsmtp.org <http://lbsmtp.org> and i relay
> mails from my domain as relayhost through MX record in my dns zone file
> now i want to sign outbound mails Since i am new postfix user so please
> can explain me how can i get DKIM signing mails .
> Please explain me about which and what kind of entries required in dns.
> If any tutorial please send me the link...  

Viktor has allready answered
you need to publish your dkim key in the your dns zone file

looks like

nameservers for lbsmtp.org

are

Name Server:ENOW.MARS.ORDERBOX-DNS.COM
Name Server:ENOW.EARTH.ORDERBOX-DNS.COM
Name Server:ENOW.VENUS.ORDERBOX-DNS.COM
Name Server:ENOW.MERCURY.ORDERBOX-DNS.COM

so there should be some interface for publish your dkim key and/or some
admin which will do it for you , then

sign your mail with i.e dkim milter service

perhaps this will help

https://help.ubuntu.com/community/Postfix/DKIM

> 
> On Tue, Jul 17, 2012 at 8:21 PM, Viktor Dukhovni
> <postfix-users <at> dukhovni.org <mailto:postfix-users <at> dukhovni.org>> wrote:
> 
>     On Tue, Jul 17, 2012 at 02:21:50PM +0530, Naval saini wrote:
> 
>     > This is my DNS ZONE file entry:
>     >
>     > _domainkey.r02.lbsmtp.org <http://domainkey.r02.lbsmtp.org>.    
>      IN      TXT     "t=y; o=-;"
> 
>     The above resource record (RR) has no selector, it has no meaning in
>     DKIM.
> 
>     > lbsmtp.org._domainkey.r02.lbsmtp.org
>     <http://domainkey.r02.lbsmtp.org>.   IN      TXT
>     >       "k=rsa; t=y;
>     >      
>      p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+Nk+qAXShe92GLTe8sXXHFeH+
>     >      
>      lqZpxWMqCPqRdowGTx3Scrq7mgqEPnc49Po5cS0NjZI/eWF/rzD7/qpbpKLR2eZx
>     >      
>      3/8JEn67EtjKmuVc/uyejL5WSxkHsj4rhHFnX96yqV0iS+odGqy4c/QWvbbF+LB/
>     >        rcOXDkvOR544O4LGgwIDAQAB"
> 
>     Congratulations, you're configured a 1024-bit RSA key (many sites have
>     foolishly created 512-bit RSA keys, which are too easily factored). That
>     said, your DNS does not in fact publish this RR to the world at large:
> 
>             $ dig -t txt lbsmtp.org._domainkey.r02.lbsmtp.org
>     <http://domainkey.r02.lbsmtp.org>
>             ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18036
>             lbsmtp.org <http://lbsmtp.org>.  7200  IN  SOA
>      enow.mercury.orderbox-dns.com
>     <http://enow.mercury.orderbox-dns.com>. ...
> 
>     So your DKIM public key is not available for verification. Over
>     and out.
> 
>     --
>             Viktor.
> 
> 

--

-- 
Best Regards
MfG Robert Schetterer

Viktor Dukhovni | 18 Jul 00:39 2012

Re: DKIM showing bad format

On Tue, Jul 17, 2012 at 09:45:10PM +0530, Naval saini wrote:

> Actually my Domain name is lbsmtp.org and i relay mails from my domain as
> relayhost through MX record in my dns zone file now i want to sign outbound
> mails Since i am new postfix user so please can explain me how can i get
> DKIM signing mails.

The best way to get help is to ask specific questions. Questions
of the form "please explain everything to me with step-by-step
instructions" are too much to ask of a community of volunteers.

You can search for a step-by-step guide via your favourite search
engine.

> Please explain me about which and what kind of entries required in dns. If
> any tutorial please send me the link...

This is the Postfix users list. Perhaps you can find a DKIM forum
that will help you with the specifics of DKIM. You're already
signing your messages with DKIM, so the Postfix part is done.

The remaining issues are not Postfix related.

Your domain was created on Jul 06 2012 via privacyprotect.org. This
makes it look a bit suspect...

--

-- 
	Viktor.

Naval saini | 18 Jul 06:58 2012
Picon

Re: DKIM showing bad format

Thank u all i'll try to resolve my problem ...if i'll have any query then i'll come here again...

On Wed, Jul 18, 2012 at 4:09 AM, Viktor Dukhovni <postfix-users <at> dukhovni.org> wrote:
On Tue, Jul 17, 2012 at 09:45:10PM +0530, Naval saini wrote:

> Actually my Domain name is lbsmtp.org and i relay mails from my domain as
> relayhost through MX record in my dns zone file now i want to sign outbound
> mails Since i am new postfix user so please can explain me how can i get
> DKIM signing mails.

The best way to get help is to ask specific questions. Questions
of the form "please explain everything to me with step-by-step
instructions" are too much to ask of a community of volunteers.

You can search for a step-by-step guide via your favourite search
engine.

> Please explain me about which and what kind of entries required in dns. If
> any tutorial please send me the link...

This is the Postfix users list. Perhaps you can find a DKIM forum
that will help you with the specifics of DKIM. You're already
signing your messages with DKIM, so the Postfix part is done.

The remaining issues are not Postfix related.

Your domain was created on Jul 06 2012 via privacyprotect.org. This
makes it look a bit suspect...

--
        Viktor.


Gmane