4
DOMAINKEY Signature in SmarterMail Still Uses SHA1 - Needs to be Upgraded
Problem reported by Bruce Barnes - May 10, 2015 at 1:46 PM
Submitted
 
Given the fact that both Microsoft and US-CERT have deprecated SHA1, it is imperative that SmarterMail updates the SHA1 key used to generate DOMAINKEY signatures to use SHA256.
 
The effective date, announced on 12 November, 2013, is 1 January, 2016, just over six months from now.

While Google will accept SHA1 based certificates until the end of 2016, Microsoft will completely deprecate SHA1 based certificates in April, 2016.
 
See: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx, which states:

"Today Microsoft has announced a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates, in favor of SHA2. The policy affects CAs who are members of the Windows Root Certificate Program who issue publicly trusted certificates.  It will allow CAs to continue to issue SSL and code signing certificates until January 1 2016, and thereafter issue SHA2 certificates only."


Qualys Security Labs, via their blog, at: https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know, states:

The news is that SHA1, a very popular hashing function, is on the way out. Strictly speaking, this development is not new. The first signs of weaknesses in SHA1 appeared (almost) ten years ago. In 2012, some calculations showed how breaking SHA1 is becoming feasible for those who can afford it. In November 2013, Microsoft announced that they wouldn't be accepting SHA1 certificates after 2016.

Shown below is the header information from a SmarterMail 13.4.5603 transaction showing that DOMAINKEYS are still generated with SHA1.

 Return-Path: <smartermailtest@REDACTED.com>
Received: from server.REDACTED.com (server.REDACTED.com XXX.XXX.198.67]) by securemail.chicagonettech.com with SMTP
	(version=TLS\Tls
	cipher=Aes256 bits=256);
   Sun, 10 May 2015 15:02:28 -0500
X-SmarterMail-Authenticated-As: smartermailtest@REDACTED.com
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
        d=REDACTED.com; s=secure;
        h=received:from:to:subject:date:reply-to:message-id:mime-version
          :content-type:x-originating-ip;
        b=sEiA58U6oVAoGb0W6rSEaGf2D1FavpOXwdP+aGYDTxzGnC8obfu9YgRrrmzn6ELJw
          OAGcOXTXT5J4eCgO/xKBwDNqOp0W9JMfVRznrU94bOXiyu3WJ+ZCcGe7+JVwAGZx+
          HJnKeEBq6x5vNnOREfnu1E+Xz4ET2zoTYyL4B3SumTTjy54zJYYYlH9tcBaUvEXu5
          6smlfDMX6VXTxiEPXOxzeoQIycfebLtAqdSns4CLbl5rzVwas5UZxT7c2L9yZKhLu
          /EltltfqcF1Bt+PgK4PD8/Ga+f39OHMEMdD6xxHb9CMSSsCOBWeBQT1LNVCe2JBFZ
          AbcqzvQqZrpzK1Lvw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=REDACTED.com; s=secure;
        h=x-originating-ip:content-type:mime-version:message-id:reply-to
          :date:subject:to:from;
        bh=o1o/WcZFGHwKZGad8xSO5Y5OvMdperW4N/Oi1ZWJdxQ=;
        b=DhMxl61olhsLzY/U/trHjRNhz7n7+5fhcEQRCf4sOam9Uhv5NSqfngw/NXYBeSKU8
          04eSnOeZIvWOa7HzueyLXshbzj6pqv23qCOz8mnROmNmcqnc8JskT7UWG1pPPLrJL
          p0okImWxxqnigoukhJZjUYuuYJY16PZOdnU9enKC6Q4s+BEUT3tL09vhZ66OCk57s
          FhKQpZ/sxeZ0emAP2LqZeOy07g4YWWIJP1K7vdHmEl/gU583sPcjAocmTBOQ2ptVT
          4fJK1xmqpYZaIQ6q/FvWZcMi8L1zpyKcU993S2LUDodRj4uYX/DI8fTO40LXtslyv
          jf148UnXDWnmR0sAw==
Received: by server.REDACTED.com via HTTP;
	Sun, 10 May 2015 16:02:17 -0400
From: "SmarterMail DomainKey Test Account" <smartermailtest@REDACTED.com>
To: <mailtest@unlocktheinbox.com>
Subject: MailTest REDACTED.com 201505100150219
Date: Sun, 10 May 2015 16:02:17 -0400
Reply-To: smartermailtest@REDACTED.com
Message-ID: <a5d755234c1f4c5995be9c058524a468@REDACTED.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=1f719ff854ef4371b15d61ea7f201347
X-Originating-IP: [173.165.112.149]
X-Rcpt-To: <bbarnes@chicagonettech.com>
X-SmarterMail-Spam: SPF_Pass, Message Sniffer 0 [code:0], DK_Pass, DKIM_Pass
X-MessageSniffer-ResultCode: 0
X-SmarterMail-TotalSpamWeight: 0
 
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
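
A way to check captured messages for the condition shown in the header dump above, added here as an example; it is not part of the original post and is not SmarterMail code. The function names (`parse_tags`, `audit_signatures`), the `example.com` sample and its placeholder `b=`/`bh=` values are constructed for illustration.

```python
"""Report the a= algorithm of each DomainKey-Signature / DKIM-Signature header."""
from email import message_from_string

SIG_HEADERS = ("DomainKey-Signature", "DKIM-Signature")
WEAK_HASHES = {"sha1"}

# Constructed sample that mirrors the folded header layout in the post.
# The b= and bh= values are placeholders, not real signatures.
SAMPLE = """\
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
        d=example.com; s=secure;
        h=received:from:to:subject:date;
        b=PLACEHOLDERsignature==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=example.com; s=secure;
        h=date:subject:to:from;
        bh=PLACEHOLDERbodyhash=;
        b=PLACEHOLDERsignature==
From: sender@example.com
To: rcpt@example.net
Subject: constructed test

body
"""

def parse_tags(value):
    """Split a folded 'tag=value;' list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        # Partition on the first '=' only: base64 values end in '=' padding.
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(val.split())
    return tags

def audit_signatures(raw_message):
    """Return one finding per signature header found in the message."""
    msg = message_from_string(raw_message)
    findings = []
    for header in SIG_HEADERS:
        for value in msg.get_all(header, []):
            tags = parse_tags(value)
            algo = tags.get("a", "missing").lower()
            findings.append({"header": header, "domain": tags.get("d"),
                             "selector": tags.get("s"), "algorithm": algo,
                             "weak": algo.rpartition("-")[2] in WEAK_HASHES})
    return findings

if __name__ == "__main__":
    for finding in audit_signatures(SAMPLE):
        print(finding)
```
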

2 Replies

1
Scarab Replied
May 11, 2015 at 10:23 AM
I thought that DomainKeys was deprecated as of STD76, which made RFC 4871 and RFC 5672 obsolete. This means that DKIM-Signature is the current standard and that DomainKey-Signature is retained in SmarterMail v13 only for historical purposes and backwards compatibility with older MTAs that have not yet been updated to the STD76 standard. Although the DKIM-Signature must be written in SHA256, the new standard states that MTAs must verify both SHA1 and SHA256 signatures until the time comes that DomainKey-Signatures are no longer utilized.

So if DomainKey-Signatures are essentially dead, is there a need to update an obsolete and deprecated format? I am sure there will be old MTAs that will still check for this signature and verify it as opposed to looking at the DKIM-Signature, but if they aren't upgrading their MTA to use DKIM-Signatures, it is doubtful they are upgrading their MTAs to tombstone SHA1, which in the interim is allowed until no one is using DomainKey-Signatures any longer.
0
Bruce Barnes Replied
May 11, 2015 at 12:31 PM
Since Google is still recommending that DomainKeys be used to support authentication, pursuant to: https://support.google.com/a/answer/174124, citing the DKIM standard, linked via, http://www.dkim.org/, in the article originally referenced, I seriously doubt we will see DomainKeys go away any time soon.