Possible hMailServer DKIM Validation Bug (5.3.3-B1879)

Posted: 2012-09-01 02:00
by Lee Thompson
hMailServer 5.3.3-B1879

I've recently caught hMailServer in passing invalid DKIM signatures as valid. I'm just going to be posting small snippets in this message, for more detail please visit: for the hMailServer log (debug) of the session. for the domain keys in question.

(NOTE: my server name and e-mail address have been changed to [REDACTED] in the hMailServer log.)

Specifically, an incoming message with this,

```
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed;; q=dns/txt;
 s=pic; t=1346455856; h=From: To: Subject: Mime-Version: Content-Type:
 Date: Message-Id: Sender;
 bh=vZBGcr2sceviitXkrWu8/ZPFxw4tCTM3x0Wq/z8ah5w=; b=c+hnumT1YoKBNn8oob3nlWGNRaFOMjl+96xqHldxru6z2A69nQVOQtcfvlVY70Lt64mfWDvX
```

when matched against this,

```
TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzhrED4vbOz1gcgG1Xpv
```

resulted in hMailServer saying this.

```
"DEBUG"	1496	"2012-08-31 16:26:15.834"	"DKIM: Message passed validation."
"DEBUG"	1496	"2012-08-31 16:26:15.834"	"Spam test: SpamTestDKIM, Score: 0"
```

I will be the first to say that I am not a DKIM signature expert, but as far as I know the DKIM signature in the header isn't even valid syntax (no k=, and bh=, b= aren't even valid). (And I would expect that, if hMailServer does encounter a DKIM header with invalid syntax, it should treat it as a fail.)

hMailServer settings:
I have no whitelists defined.
anti-spam is enforced for all IP ranges.

spam mark threshold: 2
[x] Add X-hMailServer-Spam
[x] Add X-hMailServer-Reason

[x] Use SPF (5)
[x] Check host in the HELO command (2)
[x] Check that sender has DNS-MX records (3)
[x] Verify DKIM-Signature header (5)

[ ] SpamAssassin
tarpitting is off.
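A tag-list syntax checker of the kind the post asks for, written here as an added example (it is not hMailServer's code and was not part of the original post). It applies the DKIM-Signature grammar of RFC 6376 sections 3.2 and 3.5: no empty tag-specs, no duplicate tags, the required tags v=, a=, b=, bh=, d=, s= and h= all present, and b=/bh= decoding as base64 (bh= to the digest length of the stated algorithm). Run on the header quoted above it reports the doubled ';' after c=relaxed/relaxed and the absent d= tag, either of which a verifier should return as a permanent failure rather than "Message passed validation". POSTED_HEADER is copied from the post; VALID_HEADER is a constructed well-formed header for comparison, with dummy base64 values.

```python
import base64
import binascii
import re

# DKIM-Signature value exactly as quoted in the post (header folding preserved).
POSTED_HEADER = (
    "a=rsa-sha256; v=1; c=relaxed/relaxed;; q=dns/txt;\n"
    " s=pic; t=1346455856; h=From: To: Subject: Mime-Version: Content-Type:\n"
    " Date: Message-Id: Sender;\n"
    " bh=vZBGcr2sceviitXkrWu8/ZPFxw4tCTM3x0Wq/z8ah5w=; "
    "b=c+hnumT1YoKBNn8oob3nlWGNRaFOMjl+96xqHldxru6z2A69nQVOQtcfvlVY70Lt64mfWDvX"
)

# Constructed well-formed header for comparison; bh= is 32 zero bytes, b= is a dummy.
VALID_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; t=1346455856;\n"
    " h=from:to:subject; bh=" + "A" * 43 + "=; b=AAAA"
)

# RFC 6376 section 3.5: tags a verifier MUST find in every signature.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "s", "h")
# Digest lengths (bytes) for the two algorithms defined by RFC 6376.
HASH_LEN = {"rsa-sha1": 20, "rsa-sha256": 32}
TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def parse_tag_list(value):
    """Split a tag-list (RFC 6376 section 3.2) into {name: value}, collecting syntax problems."""
    problems = []
    tags = {}
    # Unfold: a line break followed by whitespace is folding whitespace.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    specs = unfolded.split(";")
    # One trailing ';' is permitted by the grammar; anything else empty is an error.
    if specs and specs[-1].strip() == "":
        specs.pop()
    for spec in specs:
        if spec.strip() == "":
            problems.append("empty tag-spec (consecutive ';')")
            continue
        if "=" not in spec:
            problems.append(f"tag-spec without '=': {spec.strip()!r}")
            continue
        name, val = spec.split("=", 1)
        name, val = name.strip(), val.strip()
        if not TAG_NAME.match(name):
            problems.append(f"bad tag name {name!r}")
            continue
        if name in tags:
            # Section 3.2: duplicate tags make the whole header invalid.
            problems.append(f"duplicate tag {name}=")
            continue
        tags[name] = val
    return tags, problems


def check_signature_syntax(header_value):
    """Return (ok, problems); ok is False whenever any syntax rule is violated."""
    tags, problems = parse_tag_list(header_value)
    for name in REQUIRED_TAGS:
        if name not in tags:
            problems.append(f"missing required tag {name}=")
    if "v" in tags and tags["v"] != "1":
        problems.append(f"unsupported version v={tags['v']}")
    alg = tags.get("a")
    if alg is not None and alg not in HASH_LEN:
        problems.append(f"unknown algorithm a={alg}")
    for name in ("b", "bh"):
        raw = tags.get(name)
        if raw is None:
            continue
        try:
            # Whitespace inside the value is folding whitespace and is ignored.
            decoded = base64.b64decode(re.sub(r"\s+", "", raw), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{name}= is not valid base64")
            continue
        if name == "bh" and alg in HASH_LEN and len(decoded) != HASH_LEN[alg]:
            problems.append(
                f"bh= decodes to {len(decoded)} bytes, expected {HASH_LEN[alg]} for {alg}"
            )
    return (not problems), problems


if __name__ == "__main__":
    for label, hdr in (("posted", POSTED_HEADER), ("constructed", VALID_HEADER)):
        ok, problems = check_signature_syntax(hdr)
        print(f"{label}: {'pass' if ok else 'PERMFAIL'}")
        for p in problems:
            print("  -", p)
```

The check runs before any DNS lookup or cryptographic work: a header that fails it can never be verified, so the only sensible result is a failure, not a score of 0.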