Issue
I'm trying to sign a message sent with SMTP commands (using telnet) with the DKIM protocol. I applied all the steps on the official DKIM website; what remains is how I can calculate the 'b' parameter. Should I validate it with the private key, or use another method? Thank you
Solution
It's all explained in this document: https://www.ietf.org/rfc/rfc6376.txt
First, you must canonicalize the header fields that you wish to sign, including the DKIM-Signature header that you are about to generate, and then you sign it using the signature algorithm you've chosen.
The "simple" Header Canonicalization Algorithm
The "simple" header canonicalization algorithm does not change header fields in any way. Header fields MUST be presented to the signing or verification algorithm exactly as they are in the message being signed or verified. In particular, header field names MUST NOT be case folded and whitespace MUST NOT be changed.
The "relaxed" Header Canonicalization Algorithm
The "relaxed" header canonicalization algorithm MUST apply the following steps in order:
Convert all header field names (not the header field values) to lowercase. For example, convert "SUBJect: AbC" to "subject: AbC".
Unfold all header field continuation lines as described in RFC5322; in particular, lines with terminators embedded in continued header field values (that is, CRLF sequences followed by WSP) MUST be interpreted without the CRLF. Implementations MUST NOT remove the CRLF at the end of the header field value.
Convert all sequences of one or more WSP characters to a single SP character. WSP characters here include those before and after a line folding boundary.
Delete all WSP characters at the end of each unfolded header field value.
Delete any WSP characters remaining before and after the colon separating the header field name from the header field value. The colon separator MUST be retained.
Canonicalizing the DKIM-Signature header
Once you've canonicalized all of the other headers that you wish to sign, you then need to apply the same canonicalization to the DKIM-Signature that you are in the process of generating.
Obviously, at this point you will not have the b= value yet because the result of signing the canonicalized headers is the value for the b= tag.
What you need to do is to construct the header but leave the b= tag empty.
For example:
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
    c=simple; q=dns/txt; i=@eng.example.net;
    t=1117574938; x=1118006938;
    h=from:to:subject:date;
    bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
    b=
Signing the canonicalized headers
Once you've canonicalized all of the headers you want to sign (plus the portion of the DKIM-Signature header that you are generating), you need to sign the result using the algorithm and the private key (not public key!!) and then base64 encode the result and append it to the DKIM-Signature header you've generated.
In the above example, you would use the RSA-SHA256 algorithm.
Update:
If the original message headers that you want to sign look like this:
Subject: ddddd
From: btt@domain.com
To: email@gmail.com
And if the DKIM-Signature header that PowerMTA generates looks like this:
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com; h=Subject:From:To; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=j/jYKloUFEbmzj5JdwmR7MCBB+UtuJq5V0wImYElaY/xob8CnRY39Z0TfPonp4y2qtIE/wpqwnT0
YrHcNM8BY3uQ3ovm3pq7lTmwvM6XqA4rgnlhcyZnQO9uoUSGebsbR8KBhwZSpolF7UEcr8TSQdfO
OG+fDZIHeq6G7DAg5cQ=
Then the text you should be signing would look like this (assuming you want your b= value to match the b= value that PowerMTA generates):
subject:ddddd
from:btt@domain.com
to:email@gmail.com
dkim-signature:v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=domain.com; h=Subject:From:To; i=btt@domain.com; bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=
Answered By - jstedfast Answer Checked By - Mildred Charles (PHPFixing Admin)
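The following added example (not part of the original answer, and not PowerMTA's code) assembles the signing input for c=relaxed from the headers in the update: it canonicalizes each header named in h=, blanks the b= value, and omits the CRLF after the DKIM-Signature header as RFC 6376 section 3.7 requires. The function names are illustrative and the b= value in the sample is a constructed placeholder.

```python
import re

CRLF = "\r\n"

def relax_header(raw):
    """Apply the "relaxed" header canonicalization steps to one header field."""
    name, _, value = raw.partition(":")
    value = re.sub(r"\r?\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)         # WSP runs become a single SP
    value = value.rstrip(" \t\r\n").lstrip(" ")   # trim end of value and after colon
    return name.strip(" \t").lower() + ":" + value + CRLF

def empty_b_tag(sig_header):
    """Delete the b= value. The tag name must be exactly "b", so bh= is untouched."""
    return re.sub(r"([;:]\s*b\s*=)[^;]*", r"\1", sig_header)

def signing_input(headers, h_tag, sig_header):
    """Return the bytes to sign: headers listed in h=, then DKIM-Signature with b= empty."""
    by_name = {}
    for raw in headers:
        by_name.setdefault(raw.split(":", 1)[0].strip().lower(), []).append(raw)
    out = ""
    for name in h_tag.split(":"):
        stack = by_name.get(name.strip().lower())
        if stack:  # a name in h= that is absent from the message contributes nothing
            out += relax_header(stack.pop())  # repeated fields are taken bottom-up
    sig = relax_header(empty_b_tag(sig_header))
    return (out + sig[:-len(CRLF)]).encode("ascii")  # no CRLF after DKIM-Signature

# Constructed sample based on the headers in the update; the b= value is a placeholder.
HEADERS = ["Subject: ddddd", "From: btt@domain.com", "To: email@gmail.com"]
SIG = ("DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; "
       "d=domain.com; h=Subject:From:To; i=btt@domain.com; "
       "bh=rcr9nmkeqsjAGn29CUiUNJFRSmc=; b=PLACEHOLDER\r\n SIGNATURE=")

if __name__ == "__main__":
    print(signing_input(HEADERS, "Subject:From:To", SIG).decode("ascii"))
```

The returned bytes are what gets signed with the private key using the a= algorithm; the base64 encoding of that signature is the b= value.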