From henrik at morsing.cc Sun Mar 31 14:30:47 2024
From: henrik at morsing.cc (Henrik Morsing)
Date: Sun, 31 Mar 2024 15:30:47 +0100
Subject: [GLLUG] British Gas DKIM failure?
In-Reply-To:
References:
Message-ID:

Hi all,

Happy Easter. I have some days off, so finally had some time to look at this.

Having disabled rejection in January gave me some more data to look at and it became obvious that anyone using 1024-bit keys failed the check and anyone using 2048-bit passed.

I found one person out there who said his DKIM checks started failing on 1024-bit keys after he upgraded from OpenSSL 0.9.8 to 1.1.1 (My current version) but sadly no replies.

So, my OpenSSL has a bug, I assume, but it's not really publicly known and no-one seems very concerned about it? Seems very odd.

Tried to find somewhere in the configuration where a limit was set but couldn't find anything and also find it odd if that was the case.

Regards,
Henrik Morsing

On Fri, Jan 12, 2024 at 03:48:17PM +0000, Henrik Morsing via GLLUG wrote:
>
>Good afternoon,
>
>Not directly Linux, sorry, but British Gas has spent the last year sending me letters saying they can't email me. When I look into it, their emails are rejected based on a bad DKIM signature.
>
>The problem is, not receiving the email, how can I find out what the problem is? mxtoolbox says their setup is fine, but that surely can't check the signature inside one of their emails.
>
>What is slightly odd is that DMARC policy is set to none, so shouldn't reject anything anyway.
>
>I can't say I'm a DKIM/DMARC expert, but this is what I see:
>
>Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature
>Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail
>Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.CAAABPhWdncAAAAAAAAAAKg7aSYAAYCqUv4AAAAAABBDggBlhYBF at a1065858.bnc3.mailjet.com> to= proto=ESMTP helo=
>
>Not sure where to go from here though. Smells like their problem to me, but I don't want to tell them that without proof. Any hints?
>
>Regards,
>Henrik Morsing
>--
>
>
>--
>GLLUG mailing list
>GLLUG at mailman.lug.org.uk
>https://mailman.lug.org.uk/mailman/listinfo/gllug

--

From henrik at morsing.cc Sun Mar 31 17:12:48 2024
From: henrik at morsing.cc (Henrik Morsing)
Date: Sun, 31 Mar 2024 18:12:48 +0100
Subject: [GLLUG] British Gas DKIM failure?
In-Reply-To:
References:
Message-ID:

Hi again,

I just installed the DKIM Verifier extension to Thunderbird on my laptop and that fails the email as well. My laptop has OpenSSL 3.1.4, so that has the bug as well.

Still no closer to fixing this though.

Regards,
Henrik Morsing

On Sun, Mar 31, 2024 at 03:30:47PM +0100, Henrik Morsing via GLLUG wrote:
>
>Hi all,
>
>Happy Easter. I have some days off, so finally had some time to look at this.
>
>Having disabled rejection in January gave me some more data to look at and it became obvious that anyone using 1024-bit keys failed the check and anyone using 2048-bit passed.
>
>I found one person out there who said his DKIM checks started failing on 1024-bit keys after he upgraded from OpenSSL 0.9.8 to 1.1.1 (My current version) but sadly no replies.
>
>So, my OpenSSL has a bug, I assume, but it's not really publicly known and no-one seems very concerned about it? Seems very odd.
>
>Tried to find somewhere in the configuration where a limit was set but couldn't find anything and also find it odd if that was the case.
>
>Regards,
>Henrik Morsing
>
>
>
>
>On Fri, Jan 12, 2024 at 03:48:17PM +0000, Henrik Morsing via GLLUG wrote:
>>
>>Good afternoon,
>>
>>Not directly Linux, sorry, but British Gas has spent the last year sending me letters saying they can't email me. When I look into it, their emails are rejected based on a bad DKIM signature.
>>
>>The problem is, not receiving the email, how can I find out what the problem is? mxtoolbox says their setup is fine, but that surely can't check the signature inside one of their emails.
>>
>>What is slightly odd is that DMARC policy is set to none, so shouldn't reject anything anyway.
>>
>>I can't say I'm a DKIM/DMARC expert, but this is what I see:
>>
>>Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature
>>Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail
>>Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.CAAABPhWdncAAAAAAAAAAKg7aSYAAYCqUv4AAAAAABBDggBlhYBF at a1065858.bnc3.mailjet.com> to= proto=ESMTP helo=
>>
>>Not sure where to go from here though. Smells like their problem to me, but I don't want to tell them that without proof. Any hints?
>>
>>Regards,
>>Henrik Morsing
>>--
>>
>>
>>--
>>GLLUG mailing list
>>GLLUG at mailman.lug.org.uk
>>https://mailman.lug.org.uk/mailman/listinfo/gllug
>
>--
>
>
>--
>GLLUG mailing list
>GLLUG at mailman.lug.org.uk
>https://mailman.lug.org.uk/mailman/listinfo/gllug

--
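
Added example, not part of the thread or of any poster's code: a way to measure the RSA key size behind a DKIM selector, so that failing and passing senders can be grouped by key length as described above. It takes the TXT record published at `<s>._domainkey.<d>` (the `s=` and `d=` values from the opendkim log line) and assumes the `p=` tag holds a DER SubjectPublicKeyInfo; the function names and the sample records are constructed for illustration.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(txt_record):
    """Modulus size in bits of the RSA key in a DKIM TXT record's p= tag."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())   # folded records contain spaces
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    if not tags.get("p"):
        raise ValueError("empty p= tag: key revoked")
    _, spki, _ = read_tlv(base64.b64decode(tags["p"]))    # SubjectPublicKeyInfo
    _, alg, pos = read_tlv(spki)                          # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("unexpected algorithm identifier")
    _, bitstring, _ = read_tlv(spki, pos)                 # BIT STRING wrapping the key
    _, key, _ = read_tlv(bitstring[1:])                   # skip the unused-bits byte
    _, modulus, _ = read_tlv(key)                         # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def der(tag, body):
    """Encode one DER element (only used to build the constructed samples)."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed DKIM record with a dummy modulus of the given size (not a real key)."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, rsa_bits(sample_record(size)))
```
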