On 04.10.2017 at 14:41, Johannes Feigl wrote:
> hello,
> 
> on my debian system with amavisd-new-2.10.1 i found a problem with 
> DKIM-verify and big messages.
> 
> if there is a standard mail it works, but when it got an attachment it fails.
> 
> the debug message looks like this:
> 
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: eval: From 2nd level 
> domain: gmail.com, EnvelopeFrom 2nd level domain: gmail.com
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: performing public 
> key lookup and signature verification
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: DKIM, 
> [email protected], d=gmail.com, s=20161025, 
> a=rsa-sha256, c=relaxed/relaxed, fail, matches author domain
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: signature 
> verification result: FAIL (BODY HAS BEEN ALTERED)
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp ignored, 
> message was truncated, invalid author domain signature
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp result: - 
> (truncated, ignored), author domain 'gmail.com'

Hello,

DKIM validation requires access to the full message body.
For performance reasons amavisd-new presents only $sa_mail_body_size_limit to 
spamassassin.

> FAIL (BODY HAS BEEN ALTERED)
> 
> when i run spamassassin manually on the eml-file there is no problem
> i finally found that MAIL::DKIM is NOT getting the whole message.
yes

> when i alter /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm,
> about line 771 (in my case), there is "my $str = $pms->{msg}->get_pristine; 
> ... $verifier->PRINT($str);"
> 
> when i simply save the content of $str to a file, then i see that it has
> been cut.
... at $sa_mail_body_size_limit ... 

> this seems to be the problem.
no

> do you have any idea how to prevent this?
amavisd-new itself must verify DKIM and inform SA about the result.
That way DKIM signatures for any message (even larger than 
$sa_mail_body_size_limit) can be verified.

To enable that feature, set $enable_dkim_verification=1
Without that setting SA doesn't "see" DKIM verification results and starts 
verification itself.
That fails for messages larger than $sa_mail_body_size_limit because SA can't 
access the full message...

This feature is mentioned on https://amavis.org/
"supports optional verification of DKIM and DomainKeys signatures regardless of 
mail size (even for mail not passed to SpamAssassin)"

Andreas
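
Added example (not part of the original messages and not code from amavisd-new or SpamAssassin): a minimal model of the DKIM body-hash check with c=relaxed and a=rsa-sha256, showing why a verifier that is handed only the first bytes of a large message reports an altered body. SIZE_LIMIT is a hypothetical stand-in for $sa_mail_body_size_limit, the message bodies are constructed, and only the bh= comparison is modelled, not the RSA signature check.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of spaces/tabs to one space, then drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    # A non-empty body ends with exactly one CRLF; an empty body stays empty.
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value compared against the bh= tag when a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def verify_body(body_seen: bytes, bh_from_signature: str) -> str:
    """Compare the hash of what the verifier received with the signed bh=."""
    if body_hash(body_seen) == bh_from_signature:
        return "pass"
    return "fail (body has been altered)"


def scanner_view(body: bytes, size_limit: int) -> bytes:
    """What a content filter sees when given only the first size_limit bytes."""
    return body[:size_limit]


# Constructed sample data; SIZE_LIMIT is an assumed value for illustration.
SIZE_LIMIT = 512
small_body = b"Hello,\r\n\r\nshort note.  \r\n\r\n"
big_body = b"See attachment.\r\n" + b"QUJDREVGR0g=\r\n" * 200  # fake base64 part
signed_small = body_hash(small_body)  # bh= as the sender computed it
signed_big = body_hash(big_body)

if __name__ == "__main__":
    for name, body, bh in (("small", small_body, signed_small),
                           ("big", big_body, signed_big)):
        print(name, len(body), "bytes;",
              "truncated view:", verify_body(scanner_view(body, SIZE_LIMIT), bh),
              "| full message:", verify_body(body, bh))
```
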
