I did a lot of research on this topic. I have an Apache James 2.3.2.1 mail server. I'm configuring it as a production server. I got it running and stable, but implementing jDKIM has been troublesome. I found these links to get it right:
http://www.nailedtothex.org/roller/kyle/entry/configuring-james-to-sign-dkim
https://github.com/smoradi/config/blob/master/noften/apache-james.txt
So far I have repeatedly verified the public and private keys, the mailet libraries, and the Java code and configuration for the mailet. But I'm stuck.
While testing with www.appmaildev.com/en/domainkeys/, I finally solved some errors in the areas named above. But now it's just toying with me. In the DKIM test result it says that the expected body hash must be:
Expected Body Hash: frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=
But the message header says that the body hash is just that:
bh: frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=
And it's just the same, so this test should be OK. Maybe I'm missing something in the DNS or in the mailet configuration. I just don't know; I have been trying to approach it in different ways, but this is where I end up every time.
As a note, before getting to this point, every time I sent a mail to Outlook or Hotmail it went to Junk immediately; now it is kind of random, almost every 3 or 5 sends, while Gmail, since the SPF, has always put them in the Inbox. Also, the server does not have a PTR record properly configured in the DNS.
This is the mail from appmaildev.
I changed my domain name to example.com
and changed the IPs to xxx.xxx.xxx.xxx.
This test in particular was made over telnet using ehlo.
I marked the puzzling part of the code with ** **.
================================================================
Signed by: webmaster@example.com
**Expected Body Hash: frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=**
PublicKey: selector._domainkey.example.com
IN TXT = "k=rsa; p=
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtLBczKGEysTT6QuRgApyn6yvM
XOU9Sjkx6YMomuFujqPk2XgMuBbgafckRX+1F18h9G1rURmvc3EmPxegFxim6wrE
1RJGfddO+OHEjTBOsuXa7BK29P/bhCOehVeYG4o0L5DH8z3izfmvNuC3dC4N5G3R
8ZrNd7k/196TCZIaMwIDAQAB;"
---Original Message Header---
x-sender: webmaster@example.com
x-receiver: AAAA4AcCCxQA@appmaildev.com
Received: from james ([xxx.xxx.xxx.xxx]) by mail.appmaildev.com with Microsoft SMTPSVC(7.5.7600.16385);
Thu, 11 Feb 2016 22:05:19 -0500
DKIM-Signature: v=1; d=example.com; b=V9gPNU9Gjky7fFov5cYuTGN/gQEoBgaAkctwnME17pT/Uket4PDsVixMQbyiKvgQF3ADK8HTrKyd1L+9bBiesJAQaD1L1lH0ualjO/Ctf8jjzLyDUfB6cu4TEuAD+aVkIUVVbd0LNhcpxiOMsd5cADRBqZy60Mw9fQOaqyjh0QU=; s=selector; a=rsa-sha256; **bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;** h=from:to:received:received;
Message-ID: <1848510914.01455246317306.JavaMail.root@james>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UserIsAuth: true
Received: from localhost.localdomain ([127.0.0.1])
by james (JAMES SMTP Server 2.3.2.1) with SMTP ID 101
for <AAAA4AcCCxQA@appmaildev.com>;
Fri, 12 Feb 2016 03:05:17 +0000 (UTC)
Date: Fri, 12 Feb 2016 03:05:17 +0000 (UTC)
From: webmaster@example.com
subject: prueba ehlo
ehlo.:
Bcc:
Return-Path: webmaster@example.com
X-OriginalArrivalTime: 12 Feb 2016 03:05:20.0069 (UTC) FILETIME=[34ED9F50:01D16542]
After more research and testing, I got it to work. It seems that I had missing values in the DKIM-Signature. This was my original tag in config.xml for Apache James in the DKIMSign mailet:
<signatureTemplate>v=1; s=selector; d=example.com;
h=from:to:received:received; a=rsa-sha256; bh=;
b=;</signatureTemplate>
I was missing the "c" and I made a change to the "h":
c=relaxed/relaxed;
h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;
After the modification I got this:
<signatureTemplate>v=1; s=selector; d=example.com;
h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;
a=rsa-sha256; bh=; b=;c=relaxed/relaxed;</signatureTemplate>
Another detail that I ran several tests on was the DNS record. Mine was on Windows Server, so just as a precaution I checked these details.
First, the escape char before the semicolon in the "k":
k=rsa\;
Second, that the "p" value is the last value and does not have a semicolon or escape char:
p=MIG...QAB
So that, after a host command, I got something like:
selector._domainkey.example.com descriptive text "k=rsa\;p=\010...QAB"
After those changes and checks, it passes every test :)
Another link I found useful for the configuration was this: http://mail-archives.apache.org/mod_mbox/james-server-user/201410.mbox/%3C544FD474.2040906%40malcolms.com%3E
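
Why a template like h=from:to:received:received can fail verification even though bh matches, as an added example (not code from the original post or from jDKIM): DKIM resolves repeated names in h= from the bottom of the header block upward and signs a name with no remaining instance as empty, so a Received header added by the receiving server changes what the second "received" refers to. The header values, the receiving host name and the 192.0.2.1 address are constructed, and the digest is simplified (the real signature input also includes the DKIM-Signature field itself).

```python
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization of one header field."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse whitespace runs
    return f"{name.lower().strip()}:{value}\r\n"

def select_signed(headers, h_tag):
    """Resolve h= against a header block given top-to-bottom.
    Each name takes the lowest instance not yet used (RFC 6376 section 5.4.2);
    a name with no instance left contributes the empty string."""
    remaining = {}
    for name, value in headers:
        remaining.setdefault(name.lower(), []).append((name, value))
    picked = []
    for wanted in h_tag.lower().split(":"):
        stack = remaining.get(wanted.strip(), [])
        picked.append(relaxed_header(*stack.pop()) if stack else "")
    return picked

def header_digest(headers, h_tag):
    """SHA-256 over the selected fields. Simplified: the real input also
    appends the DKIM-Signature field with an empty b= value."""
    data = "".join(select_signed(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample: the header block as the signing server saw it.
AT_SIGNER = [
    ("Received", "from localhost.localdomain ([127.0.0.1]) by james; "
                 "Fri, 12 Feb 2016 03:05:17 +0000 (UTC)"),
    ("Message-ID", "<1@james>"),
    ("Date", "Fri, 12 Feb 2016 03:05:17 +0000 (UTC)"),
    ("From", "webmaster@example.com"),
    ("Subject", "prueba ehlo"),
]
# Constructed sample: the receiving server prepends its own Received header.
AT_VERIFIER = [("Received", "from james ([192.0.2.1]) by mail.receiver.example; "
                            "Thu, 11 Feb 2016 22:05:19 -0500")] + AT_SIGNER

OLD_H = "from:to:received:received"
NEW_H = "Message-ID:Date:Subject:From:To:MIME-Version:Content-Type"

def survives_relay(h_tag):
    """True if signer and verifier hash the same header data for this h=."""
    return header_digest(AT_SIGNER, h_tag) == header_digest(AT_VERIFIER, h_tag)

if __name__ == "__main__":
    for h in (OLD_H, NEW_H):
        print(h, "->", "stable" if survives_relay(h) else "changed in transit")
```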