Stepan, 2016-03-29 14:26:57
Exim

How to connect DKIM to EXIM + phpMailer on CentOS?

Hello everyone
I have already read several articles on setting up DKIM, dug into the engine files, etc., but so far nothing works as it should. I should say that I have no experience in setting up servers.
I started traffic rules from Yandex. I planned to use the web interface for working correspondence and to send notifications from the engine via the server, so that (in the future) I would not use up the daily limit on the number of message recipients (5000).
I received a public key that I registered in DNS. I also pulled out a private key through the API, which, as I understand it, is necessary to configure sending mail from the server.
What I have:
CentOS 7 x64, Exim 4.84_2, bulletin board script that sends notifications via phpMailer.
The domain has PTR records, and everything seems to be correct in DNS too. It looks like there is an error in the message signature when sending. The result of checking the message on dkimvalidator.com:
Error: Details: OpenSSL error: data too small for key size
I'm not sure where to specify the DKIM signature parameters, in phpMailer or in Exim? What else can cause the error to appear?
I tried to save the contents of the key file in one line to avoid "crooked" line breaks, to no avail.
In general, this is what I see in the results of checking emails:
Original Message:

Received: from gdevpenze.ru (gdevpenze.ru [178.62.251.40])
  by ip-10-31-192-99 (Postfix) with ESMTPS id 67FDF410418
  for <[email protected]>; Tue, 29 Mar 2016 10:46:51 +0000 (UTC)
Received: from gdevpenze by gdevpenze.ru with local (Exim 4.84_2)
  (envelope-from <[email protected]>)
  id 1akrAf-00026B-Fp
  for [email protected]; Tue, 29 Mar 2016 13:46:49 +0300
To: [email protected]
Subject: =?UTF-8?B?0J/RgNC+0LLQtdGA0LrQsCDQvtGC0L/RgNCw0LLQutC4INC/0L7Rh9GC0Ys=?=
X-PHP-Originating-Script: 502:class.phpmailer.php
Date: Tue, 29 Mar 2016 13:46:49 +0300
From: "Gdevpenze.ru" <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="b1_b631a487d150b490ef6cd711c309b0d9"
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=366; s=mail;
  t=1459248409; c=relaxed/simple;
  h=From:To:Subject;
  d=gdevpenze.ru;
  z=From:=20"Gdevpenze.ru"=20<[email protected]>
  |To:[email protected]
  |Subject:=20=3D?UTF-8?B?0J/RgNC+0LLQtdGA0LrQsCDQvtGC0L/RgNCw0LLQutC4INC/0L7Rh9GC0Ys=3D?=3D;
  bh=KuD169v+YVCDEGNNZp3X7DK6SxU=;
  b=

--b1_b631a487d150b490ef6cd711c309b0d9
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Поменял DKIM_selector на "mail."


--b1_b631a487d150b490ef6cd711c309b0d9
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

Поменял DKIM_selector на "mail."



--b1_b631a487d150b490ef6cd711c309b0d9--

DKIM Information:
DKIM Signature


Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=366; s=mail;
  t=1459248409; c=relaxed/simple;
  h=From:To:Subject;
  d=gdevpenze.ru;
  z=From:=20"Gdevpenze.ru"=20
  |To:[email protected]
  |Subject:=20=3D?UTF-8?B?0J/RgNC+0LLQtdGA0LrQsCDQvtGC0L/RgNCw0LLQutC4INC/0L7Rh9GC0Ys=3D?=3D;
  bh=KuD169v+YVCDEGNNZp3X7DK6SxU=;
  b=


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha1
c= Method:          relaxed/simple
d= Domain:          gdevpenze.ru
s= Selector:        mail
q= Protocol:        dns/txt
bh=                 KuD169v+YVCDEGNNZp3X7DK6SxU=
h= Signed Headers:  From:To:Subject
b= Data:            
Public Key DNS Lookup


Building DNS Query for mail._domainkey.gdevpenze.ru
Retrieved this publickey from DNS: v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7HPB88p6JYjToUcmMBSBzwtNGQrL9O81Pa4CRW/KuR30kDBYP84EUJohnL5bV33c931VH+PuZEhK4y6ymmvSrjzArKFcM/L1hFQK3zUsMpAG96T5bynvTl7hH31Zj9TwC+FvDgzCA2enD3V7Y37Tl/980NhfY60Ctlj4N4FxHOwIDAQAB
Validating Signature


result = fail
Details: OpenSSL error: data too small for key size

SPF Information:
Using this information that I obtained from the headers


Helo Address = gdevpenze.ru
From Address = [email protected]
From IP      = 178.62.251.40
SPF Record Lookup


Looking up TXT SPF record for gdevpenze.ru
Found the following namesevers for gdevpenze.ru: ns1.reg.ru ns2.reg.ru
Retrieved this SPF Record: zone updated 20160329 (TTL = 21599)
using authoritative server (ns1.reg.ru) directly for SPF Check
Result: pass (Mechanism 'ip4:178.62.251.40' matched)


Result code: pass
Local Explanation: gdevpenze.ru: 178.62.251.40 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'ip4:178.62.251.40' matched)
spf_header = Received-SPF: pass (gdevpenze.ru: 178.62.251.40 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'ip4:178.62.251.40' matched)) receiver=ip-172-31-3-128.us-west-1.compute.internal; identity=mailfrom; envelope-from="[email protected]"; helo=gdevpenze.ru; client-ip=178.62.251.40

Please help.
Thank you.

2 answers
Stepan, 2016-03-29
@steff

Vladimir, I just looked at class.phpmailer.php:

...
    public function DKIM_Add($headers_line, $subject, $body)
    {
        $DKIMsignatureType = 'rsa-sha1'; // Signature & hash algorithms
        $DKIMcanonicalization = 'relaxed/simple'; // Canonicalization of header/body
        $DKIMquery = 'dns/txt'; // Query method
        $DKIMtime = time(); // Signature Timestamp = seconds since 00:00:00 - Jan 1, 1970 (UTC time zone)
        $subject_header = "Subject: $subject";
        $headers = explode($this->LE, $headers_line);
        $from_header = '';
        $to_header = '';
        $current = '';
        foreach ($headers as $header) {
            if (strpos($header, 'From:') === 0) {
                $from_header = $header;
                $current = 'from_header';
            } elseif (strpos($header, 'To:') === 0) {
                $to_header = $header;
                $current = 'to_header';
            } else {
                if ($current && strpos($header, ' =?') === 0) {
                    $current .= $header;
                } else {
                    $current = '';
                }
            }
        }
        $from = str_replace('|', '=7C', $this->DKIM_QP($from_header));
        $to = str_replace('|', '=7C', $this->DKIM_QP($to_header));
        $subject = str_replace(
            '|',
            '=7C',
            $this->DKIM_QP($subject_header)
        ); // Copied header fields (dkim-quoted-printable)
        $body = $this->DKIM_BodyC($body);
        $DKIMlen = strlen($body); // Length of body
        $DKIMb64 = base64_encode(pack("H*", sha1($body))); // Base64 of packed binary SHA-1 hash of body
        $ident = ($this->DKIM_identity == '') ? '' : " i=" . $this->DKIM_identity . ";";
        $dkimhdrs = "DKIM-Signature: v=1; a=" .
            $DKIMsignatureType . "; q=" .
            $DKIMquery . "; l=" .
            $DKIMlen . "; s=" .
            $this->DKIM_selector .
            ";\r\n" .
            "\tt=" . $DKIMtime . "; c=" . $DKIMcanonicalization . ";\r\n" .
            "\th=From:To:Subject;\r\n" .
            "\td=" . $this->DKIM_domain . ";" . $ident . "\r\n" .
            "\tz=$from\r\n" .
            "\t|$to\r\n" .
            "\t|$subject;\r\n" .
            "\tbh=" . $DKIMb64 . ";\r\n" .
            "\tb=";
        $toSign = $this->DKIM_HeaderC(
            $from_header . "\r\n" . $to_header . "\r\n" . $subject_header . "\r\n" . $dkimhdrs
        );
        $signed = $this->DKIM_Sign($toSign);
        return $dkimhdrs . $signed . "\r\n";
    }
    ...

As I understand it, the limit on the size of the signed content is just the length of this content itself (what is in the "body"). And all the other tags are defined here. Can they really be removed? Are they not all required?
Maybe I screwed up somewhere else. Are there any clues that point to this?

Vladimir Dubrovin, 2016-03-29
@z3apa3a

You have a signed content size limit configured (l=366), and this limit conflicts with the key size. Remove this limit; its use is highly discouraged.
PS I would also recommend removing the timestamp (t=) from the signature, otherwise you can get errors if your clock is even a second ahead of the recipient's.
PPS For canonicalization, use relaxed/relaxed; there will be fewer problems.
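The validator report in the question and the advice in the answers above come down to a few checks on the DKIM-Signature header itself: whether the b= tag is empty (it is, in the report, which is why the verifier hands OpenSSL a zero-length signature), whether an l= body-length limit is set, which hash and canonicalization are used, and whether the bh= value can be recomputed from the body. The script below is an added example written for this page; it is not PHPMailer's, Exim's or dkimvalidator.com's code. It parses a folded DKIM-Signature header, implements RFC 6376 simple and relaxed body canonicalization, recomputes bh= honouring the l= tag, and reports the findings an administrator would look at first. The sample header is a constructed copy of the one in the report with placeholder addresses; the bh= value is carried through only as text, since the exact message bytes are not available here.

```python
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample: the shape of the DKIM-Signature header from the validator
# report in the question (same tags, placeholder addresses). Note the empty b= tag.
SAMPLE_HEADER = (
    'DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=366; s=mail;\r\n'
    '  t=1459248409; c=relaxed/simple;\r\n'
    '  h=From:To:Subject;\r\n'
    '  d=gdevpenze.ru;\r\n'
    '  z=From:=20"Example"=20<sender@example.invalid>\r\n'
    '  |To:rcpt@example.invalid\r\n'
    '  |Subject:=20Test;\r\n'
    '  bh=KuD169v+YVCDEGNNZp3X7DK6SxU=;\r\n'
    '  b='
)


def parse_dkim_signature(header: str) -> Dict[str, str]:
    """Unfold a DKIM-Signature header and split it into its tag=value pairs."""
    value = re.sub(r'^DKIM-Signature:\s*', '', header, flags=re.IGNORECASE)
    value = re.sub(r'\r?\n[ \t]+', ' ', value)          # unfold continuation lines
    tags: Dict[str, str] = {}
    for part in value.split(';'):
        if '=' not in part:
            continue                                    # empty segment after a trailing ';'
        name, _, val = part.partition('=')              # split only at the first '='
        tags[name.strip()] = re.sub(r'\s+', '', val)    # whitespace inside a value is not significant
    return tags


def canonicalize_body(body: bytes, method: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if method == 'relaxed':
        lines = [re.sub(rb'[ \t]+', b' ', ln).rstrip(b' \t') for ln in body.split(b'\r\n')]
        body = b'\r\n'.join(lines)
    elif method != 'simple':
        raise ValueError('unknown body canonicalization: %s' % method)
    while body.endswith(b'\r\n'):                       # drop every empty line at the end
        body = body[:-2]
    if method == 'simple' or body:                      # simple: an empty body becomes one CRLF
        body += b'\r\n'                                 # relaxed: an empty body stays empty
    return body


def body_hash(body: bytes, algorithm: str = 'sha256', method: str = 'simple',
              length: Optional[int] = None) -> str:
    """Compute the bh= value; `length` models the l= tag (only that many octets are covered)."""
    canon = canonicalize_body(body, method)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.new(algorithm, canon).digest()).decode('ascii')


def check_body_hash(tags: Dict[str, str], body: bytes) -> bool:
    """Recompute bh= from the raw body using the a=, c= and l= tags and compare."""
    hash_name = tags.get('a', 'rsa-sha256').split('-', 1)[1]           # 'rsa-sha1' -> 'sha1'
    canon = tags.get('c', 'simple/simple')
    body_method = canon.split('/', 1)[1] if '/' in canon else 'simple'  # c=relaxed alone means body=simple
    length = int(tags['l']) if 'l' in tags else None
    return body_hash(body, hash_name, body_method, length) == tags.get('bh')


def diagnose(tags: Dict[str, str]) -> List[str]:
    """Return finding codes for the problems a verifier or a mail admin should look at first."""
    findings = []
    for required in ('v', 'a', 'b', 'bh', 'd', 'h', 's'):
        if required not in tags:
            findings.append('missing-' + required)
    if 'b' in tags and not tags['b']:
        findings.append('empty-b')              # no signature at all: the signer failed before signing
    if 'l' in tags:
        findings.append('body-length-limit')    # l= leaves everything past the limit uncovered
    if tags.get('a', '').endswith('-sha1'):
        findings.append('weak-hash-sha1')       # rsa-sha1 is historic since RFC 8301
    if tags.get('c', 'simple/simple') != 'relaxed/relaxed':
        findings.append('canon-not-relaxed-relaxed')  # simple canonicalization breaks on whitespace changes
    return findings


if __name__ == '__main__':
    parsed = parse_dkim_signature(SAMPLE_HEADER)
    print(parsed['d'], parsed['s'], diagnose(parsed))
```

Run against the sample header, `diagnose` reports the empty b= tag first; an empty signature means the signing step produced nothing (in PHPMailer that is typically a private key that could not be read, so DKIM_Sign returns an empty string), and no amount of DNS or selector tuning will fix that. `check_body_hash` with an l= tag shows why the answer above calls the limit discouraged: content appended after the covered length does not change bh=, so the signature still verifies over a message that no longer says what the signer signed.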
