error on verifying inbound mail

Bug #1954573 reported by Jan W
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| dkimpy (Ubuntu) | Fix Released | High | Unassigned | |
| Focal | Triaged | High | Unassigned | |

Bug Description

Inbound email is marked with header "Authentication-Results: <xxxxx.xxx>; dkim=fail (0) "
Syslog shows the following entry: "check_dkim: Internal program fault while verifying: 0". This turns out to be a KeyError.
I tried setting debugLevel to 5 in dkimpy-milter.conf, but that does not show additional useful info.

This is on Ubuntu 20.04.3 LTS with dkimpy-milter version 1.2.1-1

I used the default conf file with the following changes:

    MacroList daemon_name|ORIGINATING
    MacroListVerify daemon_name|VERIFYING

    Canonicalization relaxed/simple
    MinimumKeyBits 1024
    ExternalIgnoreList refile:/etc/dkim/TrustedHosts
    InternalHosts refile:/etc/dkim/TrustedHosts
    KeyTable refile:/etc/dkim/KeyTable
    KeyTableEd25519 refile:/etc/dkim/KeyTableEd25519
    SigningTable refile:/etc/dkim/SigningTable
    Socket inet:8892@127.0.0.1
    RequireSafeKeys false
    AlwaysAddARHeader true

Yes, I know, some options are OpenDKIM only.

Scott Kitterman (kitterman) wrote:

Can you provide the domain and selector for the DKIM signature in the message that failed?

Jan W (ubuntu-kiekerjan) wrote:

Thanks for looking into this.

Headers from a failed message (verified by dkimpy-milter):

Authentication-Results: box.opamolen.nl; dkim=fail (0) header.d=zunt.nl
    header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=zunt.nl; s=soverin;
    t=1639301818; bh=pdCsjgdUGC9ngruiBr/RTGpZwMaQSHZtMBMugF68NFU=;
    h=Date:From:To:Subject:From;
    b=R66g6/JMyM1M3CGe05fSiHYrPSh9az/eqTkvXJx/FvgOWaihFp/fmYTQNIOp3vmUS
    DiPfngQRWUkE8gJWc16Jmq/GSkXiAwkfMOIMsjMdDKRPpFZ0vwib0Uu460QS8fVXAC
    G1aTeFaEQGdTawSndj8bUP61/7k2ow3IxQWbgpn8dZSS1R3vyZKnztkndylj2EdW5T
    Cz3qy9lPaldsaRbghrmV8bwc/GxKWZP4J80c5SnD4F5eCrZWylKQbja5Y1jTZ3QN36
    Bkrwyq0LlMm/vTnvCQfKNMaNsSnJCuT35Si1mAqSDn701wpcR/uU0IE4RXbfWySjnF
    v0jqmT9/mmJPg==

Selector would be "soverin", sender domain "zunt.nl" receiver domain: opamolen.nl

A similar message, received using openDKIM:

Authentication-Results: box.opamolen.nl;
    dkim=pass (2048-bit key; secure) header.d=zunt.nl <email address hidden> header.a=rsa-sha256 header.s=soverin header.b=fii7McOD;
    dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=zunt.nl; s=soverin;
    t=1639302102; bh=ZbpseU1KQZauIUDI9RQmSYejOdBdpS+3yj8WmES6XHM=;
    h=Date:From:To:Subject:From;
    b=fii7McODpjIQxyH13+GtuoztGS6KQGdcz4qVlucEU5rO72eyo1PkHcAK/0PlTzKTo
    8jJUg4zOSrm6YQrG0SsCePeb6Iid0ekV2FkIX7JbasAMJjCFzunlKSEbl25wl5ign6
    0HboXqBso9QWlGPxEHdJQK5jGR/uBwKN8DjrMP6wF+5JJiWM8MMPZOJvMWo3Jvoqcx
    ReP03t2YP5G77qXhpBu8FELQxiKceMuezldVYI3O1xFwRwK4SNG/otDKc33rwVoXaB
    KiEDO6tdHDflEAgnOarkoDbZfieHKlY4BdDDLL49nJ3y6Xd3P89rtz3CdMDBX6v4Hl
    mq53dNZa8RoeQ==

Scott Kitterman (kitterman) wrote:

When you said "This turns out to be a KeyError", how did you determine that?

Jan W (ubuntu-kiekerjan) wrote:

I looked around in the code located at /usr/lib/python3/dist-packages/dkimpy_milter and /usr/lib/python3/dist-packages/dkim.
Specifically the file dkimpy_milter/__init__.py contains the following line:

    syslog.syslog("check_dkim: Internal program fault while verifying: {0}".format(x))

Because the output in syslog said "check_dkim: Internal program fault while verifying: 0", I wondered how the exception could be translated to "(0)", so I added the following line after that:

    syslog.syslog(repr(x))

Which gave me the following output: "KeyError(0)"

Not sure if this is a legit way of debugging. I figured the 0 pointed to the first DKIM header in the mail, not sure though. I couldn't really follow the rest of the code, so I left it at that and entered the bug report.
Apologies for omitting this info, there's probably more I'm forgetting to report :(

Update: one more thing I forgot. I'm using postfix. Used the following based on the readme to configure it:

    smtps inet n - - - - smtpd
        ...
        -o smtpd_milters=inet:127.0.0.1:8892
        -o milter_macro_daemon_name=VERIFYING
        ...

    submission inet n - - - - smtpd
        ...
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_milters=inet:127.0.0.1:8892
        ...

Signing of outgoing messages seems to work fine, both rsa and ed25519.

Jan W (ubuntu-kiekerjan) wrote:

I did some more debugging and found the error is raised by dnsplug.py in the dkim package. The function get_txt_dnspython has the line (34)

    return b"".join(r.items[0].strings)

which does not work. I changed it into

    return b"".join(list(r.items)[0].strings)

which does work. I now get a verified dkim signature. Indeed, I noticed that the official source (https://git.launchpad.net/dkimpy/tree/dkim/dnsplug.py) has the same change made to the code.

Also fun, now that I know what to look for, I found #1888583 which fixed this already :)
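
The failure and the one-line fix described in this thread, reproduced as an added example (not part of the original comments, and not dkimpy or dnspython code). The stand-in classes `TxtRdata`, `ListRdataset` and `DictRdataset` are hypothetical; they model an rdataset whose `items` is a list versus a dict, which is assumed here to be the difference that makes `items[0]` raise `KeyError(0)`. `describe_fault` shows why the syslog line ended in a bare `0`.

```python
# Added illustration: the stand-in classes are constructed for this example
# and are not dnspython or dkimpy code.

class TxtRdata:
    """Stand-in for a TXT rdata: the record text is a tuple of byte strings."""
    def __init__(self, *strings):
        self.strings = strings


class ListRdataset:
    """Stand-in rdataset whose .items is a list (integer indexing works)."""
    def __init__(self, rdatas):
        self.items = list(rdatas)


class DictRdataset:
    """Stand-in rdataset whose .items is a dict keyed by rdata (assumed layout)."""
    def __init__(self, rdatas):
        self.items = {rd: None for rd in rdatas}


def get_txt_original(r):
    # The line quoted in the report: on a dict this looks up the key 0.
    return b"".join(r.items[0].strings)


def get_txt_fixed(r):
    # The changed line from the report: take the first element by position.
    return b"".join(list(r.items)[0].strings)


def describe_fault(exc):
    """Return ("{0}".format(x) as logged, repr(x), a type-qualified message)."""
    return "{0}".format(exc), repr(exc), "{}: {}".format(type(exc).__name__, exc)


def try_lookup(func, rdataset):
    """Run one lookup; return the TXT bytes or the fault description."""
    try:
        return func(rdataset)
    except Exception as exc:  # catch-all, as the "Internal program fault" log implies
        return describe_fault(exc)


# Constructed sample key record, split into two strings as long TXT records are.
KEY = TxtRdata(b"v=DKIM1; k=rsa; ", b"p=CONSTRUCTEDSAMPLEKEY")

if __name__ == "__main__":
    for ds in (ListRdataset([KEY]), DictRdataset([KEY])):
        print(type(ds).__name__, try_lookup(get_txt_original, ds), try_lookup(get_txt_fixed, ds))
```

Logging the exception type alongside its message, as the third element of `describe_fault` does, would have put `KeyError: 0` in syslog instead of `0`.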

Scott Kitterman (kitterman) wrote:

Thanks. I'll reassign this to Ubuntu's dkimpy package. They should consider doing a stable release update to fix this.

affects: dkimpy-milter → dkimpy (Ubuntu)
Changed in dkimpy (Ubuntu):
importance: Undecided → High
status: New → Triaged
Scott Kitterman (kitterman) wrote:

Fixed in dkimpy 1.0.5, so all releases after Focal are already fixed.

Changed in dkimpy (Ubuntu Focal):
status: New → Triaged
importance: Undecided → High
Changed in dkimpy (Ubuntu):
status: Triaged → Fix Released