Hello, you are right. I enabled $enable_dkim_verification; now it works.
Thank you very much!

Johannes

2017-10-04 20:55 GMT+02:00 A. Schulze <[email protected]>:

> On 04.10.2017 at 14:41, Johannes Feigl wrote:
> > Hello,
> >
> > On my Debian system with amavisd-new-2.10.1 I found a problem with DKIM-verify and big messages.
> >
> > If there is a standard mail it works, but when it has an attachment it fails.
> >
> > The debug message looks like this:
> >
> > Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: eval: From 2nd level domain: gmail.com, EnvelopeFrom 2nd level domain: gmail.com
> > Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: performing public key lookup and signature verification
> > Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: DKIM, i=@gmail.com, d=gmail.com, s=20161025, a=rsa-sha256, c=relaxed/relaxed, fail, matches author domain
> > Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
> > Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp ignored, message was truncated, invalid author domain signature
> > Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp result: - (truncated, ignored), author domain 'gmail.com'
>
> Hello,
>
> DKIM validation requires access to the full message body.
> For performance reasons amavisd-new presents only $sa_mail_body_size_limit to SpamAssassin.
>
> > FAIL (BODY HAS BEEN ALTERED)
> >
> > When I run spamassassin manually on the eml-file there is no problem.
> > I finally found that MAIL::DKIM is NOT getting the whole message.
>
> yes
>
> > When I alter /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm,
> > about line 771 (in my case), there is "my $str = $pms->{msg}->get_pristine; ... $verifier->PRINT($str);"
> >
> > When I simply save the content of $str to a file, then I see that it has
> > been cut.
>
> ... at $sa_mail_body_size_limit ...
>
> > This seems to be the problem.
>
> no
>
> > Do you have any idea how to prevent this?
>
> amavisd-new itself must verify DKIM and inform SA about the result.
> That way DKIM signatures for any message (even larger than $sa_mail_body_size_limit) can be verified.
>
> To enable that feature, set $enable_dkim_verification=1
> Without that setting SA doesn't "see" DKIM verification results and starts verification itself.
> That fails for messages larger than $sa_mail_body_size_limit because SA can't access the full message...
>
> This feature is mentioned on https://amavis.org/
> "supports optional verification of DKIM and DomainKeys signatures regardless of mail size (even for mail not passed to SpamAssassin)"
>
> Andreas
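
Why a size-limited copy produces "BODY HAS BEEN ALTERED", as an added example that is not part of the original thread and is not amavisd-new or SpamAssassin code: it computes the DKIM `bh=` body hash (relaxed canonicalization, SHA-256, matching the `c=relaxed/relaxed` and `a=rsa-sha256` in the log) over a full body and over a truncated copy. `LIMIT` and both sample bodies are constructed; truncation is modelled as a plain byte cut, and the `l=` tag is not handled.

```python
import base64
import hashlib
import re

LIMIT = 512  # constructed stand-in for $sa_mail_body_size_limit, in bytes


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization, RFC 6376 section 3.4.4."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonical body: the bh= value for a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def verify_body(body_seen: bytes, bh_signed: str) -> str:
    """Compare the hash of the body the verifier was handed with the signed bh=."""
    return "pass" if body_hash(body_seen) == bh_signed else "fail"


def check(full_body: bytes, limit: int = LIMIT) -> dict:
    """Sign over the full body, then verify a truncated copy and the full copy."""
    bh = body_hash(full_body)
    return {
        "size": len(full_body),
        "truncated_copy": verify_body(full_body[:limit], bh),
        "full_copy": verify_body(full_body, bh),
    }


# Constructed sample bodies: a short mail, and the same mail with an "attachment".
SMALL = b"Hello,\r\n\r\nshort  note. \r\n\r\n"
LARGE = SMALL + b"".join(b"QUJD" * 19 + b"\r\n" for _ in range(40))

if __name__ == "__main__":
    for name, body in (("small", SMALL), ("large", LARGE)):
        print(name, check(body))
```

The short body fits under the limit and verifies either way; the large one only verifies when the checker is handed the full message, which is what having amavisd-new do the verification provides.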
