Raul Dias writes:
> I have been getting a lot of this in my logs:
>
> Feb 14 21:55:13 s spamd[7249]: dkim: invalid DKIM-Signature: invalid
> (unsupported protocol)
> at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/DKIM.pm
> line 339
>
> Is this something I should worry about?

I believe it is due to a DomainKeys signature with a missing q tag (the query protocol). The DomainKeys draft mandates this tag, even though its only possible value is q=dns. Some broken signers leave it out. As the newer DKIM protocol draft makes this tag optional, I just suggested relaxing the check for DomainKeys signatures too, sending a mail to Jason Long (the author of the Mail::DKIM module) just last week. The change will be in 0.23 I believe.

Below is my patch, please apply it to Mail::DKIM files DkSignature.pm and Verifier.pm and see if it fixes the warnings you are seeing.

> AFAIS, it is related to broken DK implementation on the sender,
> shouldn't this be reflected as some score instead of a warning?

Can't say. A general policy of SA is to add score points only when some item is an indicator of spam, not just because it violates some standard.

--- DkSignature.pm~ Wed Jan 17 22:41:25 2007 +++ DkSignature.pm Fri Feb 9 19:47:55 2007 @@ -273,5 +273,7 @@ $self->set_tag("q", shift); - return $self->get_tag("q"); + # although draft-delany-domainkeys-base-06 does mandate presence of a + # q=dns tag, it is quote common that q tag is missing - be merciful + return !defined($self->get_tag("q")) ? 'dns' : $self->get_tag("q"); } --- Verifier.pm~ Fri Jan 19 15:03:52 2007 +++ Verifier.pm Fri Feb 9 19:43:31 2007 @@ -183,5 +183,5 @@ # unsupported algorithm $self->{signature_reject_reason} = "unsupported algorithm"; - if ($signature->algorithm) + if (defined $signature->algorithm) { $self->{signature_reject_reason} .= " " . $signature->algorithm; @@ -194,5 +194,5 @@ # unsupported canonicalization method $self->{signature_reject_reason} = "unsupported canonicalization"; - if ($signature->method) + if (defined $signature->method) { $self->{signature_reject_reason} .= " " . $signature->method; 
@@ -203,17 +203,17 @@ unless ($signature->check_protocol) { - # unsupported protocol - $self->{signature_reject_reason} = "unsupported protocol"; - if ($signature->protocol) - { - $self->{signature_reject_reason} .= " " . $signature->protocol; - } + # unsupported query protocol + $self->{signature_reject_reason} = + !defined($signature->protocol) ? "missing q tag" + : "unsupported query protocol, q=" . $signature->protocol; return 0; } - unless ($signature->domain) + unless ($signature->domain ne '') { # no domain specified - $self->{signature_reject_reason} = "missing d= parameter"; + $self->{signature_reject_reason} = + !defined($signature->domain) ? "missing d tag" + : "invalid domain in d tag" return 0; } @@ -222,5 +222,5 @@ { # no selector specified - $self->{signature_reject_reason} = "missing s= parameter"; + $self->{signature_reject_reason} = "missing s tag"; return 0; } @@ -546,7 +546,9 @@ fail (body has been altered) invalid (unsupported canonicalization) - invalid (unsupported protocol) - invalid (missing d= parameter) - invalid (missing s= parameter) + invalid (unsupported query protocol) + invalid (invalid domain in d tag) + invalid (missing q tag) + invalid (missing d tag) + invalid (missing s tag) invalid (unsupported v=0.1 tag) invalid (no public key available) Mark
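
Review bot: In the DkSignature.pm hunk (@@ -273), the getter now substitutes 'dns' whenever the q tag is undefined, so if this is the accessor that Verifier.pm calls as `$signature->protocol`, the `!defined($signature->protocol) ? "missing q tag"` branch added in the Verifier.pm @@ -203 hunk can no longer be reached for these signatures. Decide which layer owns the leniency: either keep the default here and drop the "missing q tag" reason, or leave the getter returning undef and relax the check in `check_protocol`. The getter also calls `get_tag("q")` twice; reading it once into a local variable is clearer, and the new comment has a typo ("quote common" should be "quite common").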
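
Review bot: In the Verifier.pm @@ -203 hunk, the new assignment ending in `: "invalid domain in d tag"` has no terminating semicolon before `return 0;`, so the file will not compile as posted; add the `;`. In the same hunk, `unless ($signature->domain ne '')` applies a string comparison to a value that may be undefined, which is exactly the case the following `!defined($signature->domain)` test is meant to report, and it raises an uninitialized-value warning if warnings are enabled. `unless (defined $signature->domain && $signature->domain ne '')` handles both the missing and the empty d tag without that.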
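
Review bot: In the Verifier.pm @@ -546 documentation hunk, the listed result `invalid (unsupported query protocol)` does not match the string the @@ -203 hunk actually builds, which is "unsupported query protocol, q=" followed by the tag value. Anything matching on the documented text, including log filters, would miss the real message; document the `q=` suffix in the list or keep the reason string fixed and report the tag value separately.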