DKIM problem

nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

DKIM problem

Post by nicola.piazzi »

I have Outlook -> Exchange 2016 -> EFA
OpenDKIM on EFA adds signatures; I tried 1024 and 2048
I tested with several programs

When Outlook sends a TXT email (or SMTP manual mail) DKIM is valid
When I use HTML in Outlook DKIM is invalid

Any suggestions?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: DKIM problem

Post by shawniverson »

What is Outlook using for its Envelope From address? (not the one you can see). If it doesn't match the DKIM record, it won't get signed...

Another thought...

Are any signatures getting appended to the original email? If so, that will break DKIM.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: DKIM problem

Post by pdwalker »

Nicola and I have tracked down the problem.

Under /etc/MailScanner/MailScanner.conf he had:
Non Spam Actions = <blah blah> custom(nonspam)

and I did not.

It appears that the custom(nonspam) action modifies the message body after the dkim signing which will then cause a dkim verification failure.

Therefore, if you have a custom action on the message handling for outgoing mail, you'll break dkim.

Solutions? Not sure how exactly, but the custom actions have to be performed before the dkim signing.

Shawn, do you have any ideas on how this could be fixed? Should I post something over in the MailScanner forums?
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: DKIM problem

Post by nicola.piazzi »

I tried to test DKIM with custom(nonspam) and without custom(nonspam).
Temporary files are identical because the DKIM milter acts before MailScanner,
but the results are:
With custom(nonspam) it fails because it adds an extra 0d0a after some lines:
Test'20'di'20'un'20'formato'20'txt'20'con'20'attach'0D''0A'
'0D''0A'
'0D''0A'
Without custom(nonspam) it passes:
Test'20'di'20'un'20'formato'20'txt'20'con'20'attach'0D''0A'
'0D''0A'

Can you correct /usr/share/MailScanner/perl/custom/CustomAction.pm ?
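
Added example (not part of the thread and not EFA or MailScanner code): the DKIM body hash computed with the "simple" and "relaxed" canonicalizations of RFC 6376, showing that a blank line appended at the very end of a body is ignored while one inserted inside the body changes `bh=` and fails verification. The sample bodies are constructed, and the function names are chosen for this illustration.

```python
import base64
import hashlib
import re


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop empty lines at the end, end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse runs of SP/TAB and strip them at line end."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon=canon_relaxed) -> str:
    """Value a signer would place in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()


def first_divergence(signed: bytes, delivered: bytes, canon=canon_relaxed):
    """1-based canonical line where the delivered body departs from the signed one."""
    a, b = canon(signed).split(b"\r\n"), canon(delivered).split(b"\r\n")
    for n, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return n
    return None if len(a) == len(b) else min(len(a), len(b)) + 1


# Constructed sample bodies; the first line is the one shown in the dump above,
# the "Second line" text is made up for the example.
SIGNED = b"Test di un formato txt con attach\r\n\r\nSecond line\r\n"
EXTRA_AT_END = SIGNED + b"\r\n"  # blank line appended after the body
EXTRA_INSIDE = SIGNED.replace(b"\r\n\r\n", b"\r\n\r\n\r\n", 1)  # blank line mid-body

if __name__ == "__main__":
    for name, body in [("end", EXTRA_AT_END), ("inside", EXTRA_INSIDE)]:
        for canon in (canon_simple, canon_relaxed):
            ok = body_hash(body, canon) == body_hash(SIGNED, canon)
            print(name, canon.__name__, "bh matches" if ok else "bh differs",
                  first_divergence(SIGNED, body, canon))
```

Running the same comparison on the pre-MailScanner and post-MailScanner copies of a real message body points at the first line a post-signing action changed.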
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: DKIM problem

Post by nicola.piazzi »

This is too simple.
The routine skips in case of localhost; I added 10. to also skip my Exchange.
It is trivial but works.
The problem still remains that MailScanner runs after DKIM, so nothing can be added.
I think that the only solution is to have a DKIM smarthost, but it is not possible to have a VM for each action we want to do.

vi /usr/share/MailScanner/perl/custom/CustomAction.pm

# EFA Non Spam Modification Token Generation,
#
sub EFANonSpam {
  my($message) = @_;
  my($token);
  my($file);
  my($spamwhitelisted);

  # Generate Token/Sign unless message originates from localhost or is inbound and whitelisted
  my($clientip) = $message->{clientip};

  # Dot escaped so that only 10.x.x.x is skipped (an unescaped "." would also match 100.-109.)
  if ($clientip =~ /^127|^10\./) {
    return $message;
  } else {
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: DKIM problem

Post by ovizii »

I checked and this is from my MailScanner.conf


Non Spam Actions = store deliver header "X-Spam-Status:No" custom(nonspam)
I haven't edited that manually though.

Assuming I apply Nicola's patch, what will be skipped for my outgoing emails? What exactly is this TOKEN/SIGN? Is SIGN the signature and TOKEN the watermark?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: DKIM problem

Post by pdwalker »

Sorry ovizii, I've been away from EFA for a few months.

Are you still having an issue, or is it all resolved now?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: DKIM problem

Post by ovizii »

No worries, problem solved, but I can't remember 100% what exactly did the trick. It could either be that I disabled signatures completely so EFA wasn't changing the headers anymore, or that I went back to a 1024-bit key instead of 2048, as I had read in a thread that some DNS servers had problems with such long keys.