On 08/07/16 20:57, Scott Kitterman wrote:
> On Friday, July 08, 2016 08:46:24 PM Daniel Pocock wrote:
>> On 08/07/16 20:44, Scott Kitterman wrote:
>>> On Friday, July 08, 2016 06:23:58 PM Daniel Pocock wrote:
>>>> Package: opendkim
>>>> Version: 2.9.2-2
> ...
>>>> I notice that the DKIM-Signature header is repeated with different
>>>> values for "b=..." and "t=" while all other values appear the same.
>>>>
>>>> Are there known issues with OpenDKIM? Is there any way to add any debug
>>>> headers to the message to help troubleshoot?
>>>
>>> I'm not aware of any outstanding issues that would cause this. Do you
>>> host any mailing lists on this server that might result in messages being
>>> processed (and signed) twice by the MTA? If so, what you might be seeing
>>> is body modifications by the MLM.
>>>
>>> OpenDKIM will only sign once, so the likely answer is something in your
>>> Postfix configuration is causing the milter to be triggered twice (I once
>>> did this to myself by signing mail received via the Submission port - as
>>> an example).
>>
>> It isn't a mailing list server and I haven't configured it to modify
>> messages.
>>
>> The server does have Amavis and Spamassassin, could they clash with
>> OpenDKIM in some way?
>
> It's possible. I'd like to see unsanitized output of postconf -n and your
> master.cf. Direct mail is fine if you'd prefer they weren't memorialized in
> the BTS.
>

Details sent privately

After discussion, I commented out the global milter settings in my
main.cf file:

#smtpd_milters = inet:localhost:12301
#non_smtpd_milters = inet:localhost:12301

and added the milter directive to the "smtpd" and post-amavis services
for inbound authentication and outbound signing respectively:

# inbound messages from internet
# will be authenticated by OpenDKIM milter on port 12301
smtp inet n - - - - smtpd
  .......
  -o smtpd_milters=inet:localhost:12301

# outbound messages have been through amavis
# will be signed by OpenDKIM milter on port 12301
127.0.0.1:10025 inet n - - - - smtpd
  .......
  -o smtpd_milters=inet:localhost:12301

Looking at the logs, I observe that inbound messages are being
authenticated:

Jul 11 07:31:27 mail opendkim[765]: ......: DKIM verification successful

and outbound messages are being signed:

Jul 11 07:31:14 mail opendkim[765]: .......: DKIM-Signature field added (s=mail, d=example.org)

Should there be a bug report about amavis modifying the messages? It is
only meant to pass them through SpamAssassin and clamav.

Should OpenDKIM detect when the header already exists and log a warning
about adding it twice?

Is it ultimately a bug in the receiving system (Office 365), should it
accept messages with multiple signatures? After all, the port25.com
verification appears to do that.

Looking at the spec:

https://tools.ietf.org/html/rfc6376#section-4.2

   If a Verifier module reports signatures whose evaluations produced
   PERMFAIL results, Identity Assessors SHOULD ignore those signatures
   (see Section 6.1), acting as though they were not present in the
   message.

So, the spec says Office 365 should have ignored the original signature
that is no longer valid, found the good signature in the other header
and accepted the message.
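
Added example, not part of the original message and not OpenDKIM code: a check that flags the symptom reported in this thread, the same d=/s= pair signing one message more than once, and lists which tags differ between the copies. The function names and the sample message (including its b=, bh= and t= values) are constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string

# Constructed sample: one signer (s=mail, d=example.org), two DKIM-Signature
# headers that differ only in t= and b=, as described in the report.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;\n"
    "\ts=mail; t=1468222274; bh=Q09OU1RSVUNURUQ=; h=From:To:Subject;\n"
    "\tb=U0VDT05EUEFTUw==\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;\n"
    "\ts=mail; t=1468222273; bh=Q09OU1RSVUNURUQ=; h=From:To:Subject;\n"
    "\tb=RklSU1RQQVNT\n"
    "From: sender@example.org\n"
    "To: rcpt@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def parse_tags(value):
    """Parse an RFC 6376 tag-list ("k=v; k=v") into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)  # split once: base64 values may end in '='
            tags[key.strip()] = "".join(val.split())
    return tags


def duplicate_signatures(raw_message):
    """Return {(d, s): [tags that differ]} for every domain/selector pair signed more than once."""
    msg = message_from_string(raw_message)
    groups = defaultdict(list)
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(header))
        groups[(tags.get("d"), tags.get("s"))].append(tags)
    findings = {}
    for key, sigs in groups.items():
        if len(sigs) > 1:
            names = set().union(*sigs)  # every tag name seen in any copy
            findings[key] = sorted(n for n in names if len({s.get(n) for s in sigs}) > 1)
    return findings


if __name__ == "__main__":
    for (domain, selector), diff in duplicate_signatures(SAMPLE).items():
        print(f"signed more than once by d={domain} s={selector}; differing tags: {diff}")
```

A result listing only b and t means the signed content was unchanged between passes; bh appearing in the list means the body was modified between the two signatures.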

