Possible hMailServer DKIM Validation Bug (5.3.3-B1879)

Post by Lee Thompson » 2012-09-01 02:00

hMailServer 5.3.3-B1879

I've recently caught hMailServer in passing invalid DKIM signatures as valid. I'm just going to be posting small snippets in this message, for more detail please visit:

http://pastebin.com/XqyekxBu for the hMailServer log (debug) of the session.
http://pastebin.com/heMexJVn for the domain keys in question.

(NOTE: my server name and e-mail address have been changed to [REDACTED] in the hMailServer log.)

Specifically, an incoming message with this,

DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=guildwars2.com; q=dns/txt;
 s=pic; t=1346455856; h=From: To: Subject: Mime-Version: Content-Type:
 Date: Message-Id: Sender;
 bh=vZBGcr2sceviitXkrWu8/ZPFxw4tCTM3x0Wq/z8ah5w=; b=c+hnumT1YoKBNn8oob3nlWGNRaFOMjl+96xqHldxru6z2A69nQVOQtcfvlVY70Lt64mfWDvX
 RtWLbUry6Ln3fQhjjAW1ox0xzuxYZP8/ynYenZFlDgKEwKGjP0Y0hzhKhM8t4htAADjBxRt9
 lvTlaYrV3G9wxsmhUppexcr/67I=

when matched against this,

pic._domainkey.guildwars2.com   TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzhrED4vbOz1gcgG1Xpv
rhh7oiWI5zodcXge8pCvtvznex8ZvAFNCxB5rW1c8IkICAwsV6MGCS0sdiSrUSHR9hCW1jNjppUX
uf14ainCYeFvg1gGjwdyhKJyISi8j077Wxhfbbr/KPyZaZZxUwSFPDofjdMUsLxEEBNQIDAQAB"

resulted in hMailServer saying this.

"DEBUG"	1496	"2012-08-31 16:26:15.834"	"DKIM: Message passed validation."
"DEBUG"	1496	"2012-08-31 16:26:15.834"	"Spam test: SpamTestDKIM, Score: 0"

I will be the first to say that I am not a DKIM signature expert, but as far as I know the DKIM signature in the header isn't even valid syntax. (No k=, and bh=, b= aren't even valid.) (And I would expect that if hMailServer does encounter an invalid-syntax DKIM header, it should treat it as a fail.)

hMailServer settings:
I have no whitelists defined.
anti-spam is enforced for all IP ranges.

spam mark threshold: 2
[x] Add X-hMailServer-Spam
[x] Add X-hMailServer-Reason

tests:
[x] Use SPF (5)
[x] Check host in the HELO command (2)
[x] Check that sender has DNS-MX records (3)
[x] Verify DKIM-Signature header (5)

[ ] SpamAssassin
tarpitting is off.

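A syntax pre-check of the kind the post expects a verifier to apply before it ever reports "passed validation", written for this thread as an added example (not hMailServer's code): it parses the DKIM-Signature header quoted above into tags, checks the tags RFC 6376 makes mandatory, and confirms that bh= and b= decode as base64 with lengths matching the a= algorithm and the key size; the 1024-bit key size passed in is an assumption, since the example does not decode the DNS record. Any error returned here is a PERMFAIL, and the signature must not count as valid.

```python
import base64, binascii, re

# DKIM-Signature header as quoted in the post above, folded lines joined.
HEADER = (
    "a=rsa-sha256; v=1; c=relaxed/relaxed; d=guildwars2.com; q=dns/txt; "
    "s=pic; t=1346455856; h=From: To: Subject: Mime-Version: Content-Type: "
    "Date: Message-Id: Sender; "
    "bh=vZBGcr2sceviitXkrWu8/ZPFxw4tCTM3x0Wq/z8ah5w=; "
    "b=c+hnumT1YoKBNn8oob3nlWGNRaFOMjl+96xqHldxru6z2A69nQVOQtcfvlVY70Lt64mfWDvX"
    "RtWLbUry6Ln3fQhjjAW1ox0xzuxYZP8/ynYenZFlDgKEwKGjP0Y0hzhKhM8t4htAADjBxRt9"
    "lvTlaYrV3G9wxsmhUppexcr/67I="
)

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")  # RFC 6376 section 3.5
DIGEST_LEN = {"rsa-sha1": 20, "rsa-sha256": 32}   # body-hash size in bytes

def parse_tags(header):
    """Split a tag=value list; whitespace inside values is insignificant."""
    tags = {}
    for item in header.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def syntax_errors(header, key_bits=None):
    """Reasons a verifier must PERMFAIL before doing any cryptography.
    key_bits: RSA modulus size from the DNS record (assumed 1024 here)."""
    tags = parse_tags(header)
    errors = [f"missing required tag {t}=" for t in REQUIRED if t not in tags]
    if errors:
        return errors
    if tags["v"] != "1":
        errors.append("unsupported version " + tags["v"])
    if tags["a"] not in DIGEST_LEN:
        errors.append("unknown algorithm " + tags["a"])
    for name in ("bh", "b"):
        try:
            decoded = base64.b64decode(tags[name], validate=True)
        except binascii.Error:
            errors.append(f"{name}= is not valid base64")
            continue
        if name == "bh" and len(decoded) != DIGEST_LEN.get(tags["a"]):
            errors.append("bh= length does not match a=")
        if name == "b" and key_bits and len(decoded) != key_bits // 8:
            errors.append("b= length does not match key size")
    if "from" not in tags["h"].lower().split(":"):
        errors.append("h= must include From")
    return errors
```

Note that k= is a tag of the DNS key record, not of the signature header, so its absence from the header is not a syntax error; whether b= actually verifies against the published key is the separate cryptographic step this check does not perform.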