Fixed DKIM authentication fails in some scenarios

Kirby

Well-known member
Affected version
2.2.9
Steps to reproduce
  1. Set up an installation at domain.com/xf-install-1, configure it to send emails as xf-install-1@domain.com and activate DKIM
  2. After activation is completed and DNS has propagated, set up another installation at domain.com/xf-install-2, configure it to send emails as xf-install-2@domain.com, activate DKIM and follow the instructions
  3. Send test emails from installation 1 and 2 after DKIM setup on installation 2 has been completed (e.g. DNS has propagated)
Expected Results
Test emails from both installations validate

Actual Result
Emails from installation 1 fail DKIM checks as only the key for installation 2 is published

Proposed Solution
Create a unique selector every time DKIM gets activated instead of always using xenforo; this would also allow rotating keys (as recommended)
 
Could make the selector be something like xf_ . md5($xf.options.boardUrl). Although if you are going to run multiple instances on the same domain, you could just copy the key from install 1 to install 2 rather than trying to manage DNS entries and keys that are unique to sub-directories/installs.
 
Could make the selector be something like xf_ . md5($xf.options.boardUrl).
While this would fix the specific issue, it IMHO still wouldn't be much better than using a constant value as it doesn't allow rotating keys.
Ideally, the selector should be unique and unpredictable - just a random value (that must be valid as a hostname though).

Although if you are going to run multiple instances on the same domain, you could just copy the key from install 1 to install 2 rather than trying to manage DNS entries and keys that are unique to sub-directories/installs.
I (or any other developer) for sure would be able to do that, a normal user wouldn't as there is no documentation/GUI to do that.
Anyway, this was just an example to show how the current design would break.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.3.8).

Change log:
Include random string with DKIM selector (#1217)
There may be a delay before changes are rolled out to the XenForo Community.
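
The collision from the steps to reproduce, and the effect of a random selector per activation, modelled in Python as an added example (not XenForo's code and not part of any post in this thread). The `xenforo-<hex>` selector format, the function names and the random strings standing in for keys are assumptions; the thread only states that the fix includes a random string with the selector.

```python
import re
import secrets

# A DNS label: 1-63 chars of letters, digits or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def new_selector(prefix="xenforo"):
    """Selector with a random suffix (assumed format); hex keeps it a valid label."""
    selector = f"{prefix}-{secrets.token_hex(8)}"
    if not LABEL_RE.match(selector):
        raise ValueError(f"not a valid DNS label: {selector!r}")
    return selector

def activate_dkim(zone, domain, selector):
    """Model of activation: create a key and publish it under the selector.
    The key is a random stand-in string (constructed), not a real key pair."""
    key = secrets.token_hex(16)
    # Publishing replaces whatever record already exists under that name.
    zone[f"{selector}._domainkey.{domain}"] = key
    return {"d": domain, "s": selector, "key": key}

def dkim_passes(zone, install):
    """A verifier fetches <s>._domainkey.<d> and checks the signature against
    the published key; modelled here as a plain key comparison."""
    return zone.get(f"{install['s']}._domainkey.{install['d']}") == install["key"]

def scenario(selector_for):
    """Two installs on one domain activate DKIM in turn; returns (pass1, pass2)."""
    zone = {}
    one = activate_dkim(zone, "domain.com", selector_for())
    two = activate_dkim(zone, "domain.com", selector_for())
    return dkim_passes(zone, one), dkim_passes(zone, two)

def rotate(zone, install):
    """Rotation: new key under a fresh selector. The old record stays published
    so mail signed before the switch still verifies."""
    return activate_dkim(zone, install["d"], new_selector())

if __name__ == "__main__":
    print("constant selector:", scenario(lambda: "xenforo"))  # (False, True)
    print("random selector:  ", scenario(new_selector))       # (True, True)
```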
 