DKIM issue

Bugs in eFa 4
daxis
Posts: 22
Joined: 11 Nov 2019 12:53

DKIM issue

Post by daxis »

I'm having a DKIM issue I can't get a handle on.

I have an EFA server in front of multiple different types of mailservers.
Those mailservers use EFA as a smarthost to send out emails too.
All are trusted hosts within EFA.

One of them is an ISPConfig perfect server based mailserver which includes DKIM signing.
And only that server is causing issues in EFA.

Every email sent out through EFA has an invalid DKIM signature according to EFA.

Spam report:

-1.00	ALL_TRUSTED	Passed through trusted hosts only via SMTP
-1.90	BAYES_00	Bayes spam probability is 0 to 1%
0.10	DKIM_INVALID	DKIM or DK signature exists, but is not valid
0.10	DKIM_SIGNED	Message has a DKIM or DK signature, not necessarily valid
0.00	HTML_MESSAGE	HTML included in message
-0.03	TXREP		Score normalizing based on sender's reputation
0.00	URIBL_BLOCKED	ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
Emails sent to mail-tester.com all score 10/10! No DKIM issues there.

So why is EFA complaining about an invalid DKIM signature??
daxis
Posts: 22
Joined: 11 Nov 2019 12:53

Re: DKIM issue

Post by daxis »

It gets weirder and weirder.

Found one domain on that server that seems to always pass DKIM in EFA.

And another domain where pass/fail seems completely trivial.
Two emails sent by the same person within minutes, of which one fails dkim and the other passes.

Every attempt with every domain on that server to test dkim among other things at mail-tester.com always passes everything over there, scoring 10/10.

I'm completely clueless about what's happening with EFA.
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: DKIM issue

Post by shawniverson »

I believe this is the DKIM code in SpamAssassin that is the culprit here. I'd be curious how this compares to the Authentication-Results header in the same email. I'm betting that opendkim says it is passing and SpamAssassin is erroneously saying otherwise.
amaclach
Posts: 26
Joined: 14 Aug 2023 06:53

Re: DKIM issue

Post by amaclach »

That's correct, Shawn. I have an override score to 0.0 for that SpamAssassin rule.
daxis
Posts: 22
Joined: 11 Nov 2019 12:53

Re: DKIM issue

Post by daxis »

shawniverson wrote: 22 Oct 2023 13:32
"I'd be curious how this compares to the Authentication-Results header in the same email. I'm betting that opendkim says it is passing"
There are no Authentication-Results headers because mail comes from a trusted host, as I said in the first post.
EFA is used as smarthost when this occurs.
All servers that use EFA as smarthost are trusted hosts within EFA, so no authentication is performed.
Except by SpamAssassin, which isn't doing it properly half the time.
amaclach
Posts: 26
Joined: 14 Aug 2023 06:53

Re: DKIM issue

Post by amaclach »

In that case you can create a file with extension .cf in /etc/spamassassin and put a line like this in it so that spamassassin ignores your internal server.

trusted_networks 12.34.56.78    #a.trusted.sender
daxis
Posts: 22
Joined: 11 Nov 2019 12:53

Re: DKIM issue

Post by daxis »

Shouldn't something like that be done by EFA?
I mean, what's the point of being able to add trusted hosts when it's done only half.
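
Added example, not part of the thread and not eFa or SpamAssassin code: one way to narrow down a DKIM_INVALID result like the one reported above is to recompute the DKIM body hash (the bh= tag, RFC 6376) on the message as the filter received it. It assumes, which the thread does not establish, that the body may have changed after signing; it does not verify the b= signature, and the function names and sample messages are constructed for illustration.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, then drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def parse_sig(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def check_body_hash(raw: bytes):
    """Return (matches, claimed_bh, computed_bh) for the first DKIM-Signature."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("latin-1")
    m = re.search(r"(?im)^DKIM-Signature:(.*)$", unfolded)
    if m is None:
        raise ValueError("no DKIM-Signature header")
    tags = parse_sig(m.group(1))
    if not tags.get("a", "").endswith("sha256"):
        raise ValueError("only SHA-256 signatures are handled here")
    # c=<header>/<body>; the body part defaults to simple when omitted.
    mode = (tags.get("c", "simple").split("/") + ["simple"])[1]
    computed = body_hash(body, mode)
    return tags["bh"] == computed, tags["bh"], computed

def build_sample(body: bytes, signed_body: bytes) -> bytes:
    """Constructed message: bh= is computed over signed_body, b= is a placeholder."""
    head = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
            " s=sel; h=from:subject; bh=" + body_hash(signed_body) + "; b=PLACEHOLDER\r\n"
            "From: a@example.org\r\nSubject: test\r\n\r\n")
    return head.encode() + body

ORIGINAL = b"Hello,\r\n\r\nquarterly report attached.\r\n"          # as signed
RESPACED = b"Hello,  \r\n\r\nquarterly   report attached.\r\n\r\n"  # whitespace only
FOOTERED = ORIGINAL + b"-- \r\nscanned by gateway\r\n"              # content added
```

A bh= mismatch means the body changed after signing; a match points instead at the signed headers or the key lookup.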