On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote: > Le 10/01/2010 22:26, Matt Harrison a ??crit : > > I say OT because it's my understanding of DKIM that lets me down here, not > > Gentoo. I'm > > just not sure who to ask or even if it could be something Gentoo related. > > > > I've recently updated my postfix home mail server to use amavis-new for > > virus and spam > > filtering rather than procmail/spamassassin. > > > > It seems to be working well and I've also enabled some other goodies like > > DKIM signing > > and verification. I haven't confirmed signing is working yet, so maybe a > > side effect > > of this email is that someone can confirm this for me ;) > > Your mail is not DKIM-Signed, check your setup.
Ok, thanks for checking, it appears that outbound messages weren't being passed to amavis, I think I've rectified that now. I can see the message being scanned in the logs, but not necessarily being signed though. Inbound messages generate warnings such as: dkim: not signing, no applicable private key for domains ruby-forum.com..... but my outbound messages just scan clean. I've tried without sender maps and with limiting them to my domain. > > The main query I have is that a lot of the mail I get, in this case from > > various > > mailing lists, appears to failed DKIM verification. > > > > For example, several of the posters on this list are DKIM signing their > > mail either as > > part of gmail policy (or another big provider) or personal intent. > > Something in the > > region of 50% of signed mail on this list contains headers such as: > > > > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail > > (fail, message has been altered) header...@gmail.com > > Authentication-Results: genesis.genestate.com (amavisd-new); > > domainkeys=softfail > > (fail, message has been altered) header.from=xxx...@gmail.com > > > > Whereas the rest looks like this: > > > > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass > > header...@gmail.com > > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass > > header.from=xxx...@gmail.com > > > > Now I find it unreasonable to assume that 50% of the mail I receive is > > being actively > > tampered with, so it must be something getting twisted out of shape. All > > I'm trying to > > discover is whether it's something at my end that I need to fiddle with. I > > followed a > > few different guides to piece my setup together so it's quite possible I've > > overlooked > > or misconfigured something. > > 90% chance the emails failing DKIM verification had their email subject > modified > to add "[gentoo-user]" in it by the mlmmj program that manage the > mailing-list, > which mainly concerns topic starts (ie first mails about one topic). That would make a lot of sense, I'm not sure if it's just the first messages that are doing it, but I have a feeling that others in a thread are also failing. Thanks for your input Xavier, I think I need to get over to the amavis or postfix guys, like Stroller said, to really figure out what is happening.
pgpVyPTHMgb8k.pgp
Description: PGP signature