https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8270
Bug ID: 8270
Summary: DKIM_INVALID when _domainkey query failed/blocked
Product: Spamassassin
Version: 4.0.0
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: Undefined
It appeared that when the query for a DKIM key (like
default._domainkey.somedomain.org) is either blocked at the configuration level
or fails for some reason, the DKIM_INVALID symbol is set, adding spam score to
a message that may in fact be a legitimate one.
For example:
Jun 28 09:21:56.419 [75520] dbg: dkim: performing public DKIM key lookup and signature verification
Jun 28 09:21:56.419 [75520] dbg: dns: bgsend, query TXT/default._domainkey.somedomain.org blocked by dns_query_restriction: somedomain.org
Jun 28 09:21:56.419 [75520] dbg: dkim: DKIM signature [email protected] d=somedomain.org
Jun 28 09:21:56.420 [75520] dbg: dkim: FAILED DKIM, [email protected], d=somedomain.org, s=default, a=rsa-sha256, c=simple/simple, unknown key size, invalid, matches author domain
In fact the DKIM check itself didn't fail; instead it was not performed, so the
real DKIM check status is unknown and not invalid, and the message was not
altered, so if the query had been successful, it wouldn't have failed. According
to RFC 6376 section 6.1.2 the result should be "PERMFAIL", which is not equal to
"DKIM INVALID", so the corresponding symbol should not be set and the score
should not be added.
This is in fact a disputable case, but it was found that due to the DNS query
failing, legitimate mail is handled as spam, so it is a false positive result.
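A log-triage sketch for the case described in this report, added here as an example and not part of the bug report or of SpamAssassin: it pairs each FAILED DKIM debug line with an earlier "blocked by dns_query_restriction" line from the same process, separating signatures that were never evaluated from ones that failed after a key lookup was attempted. The function name, verdict labels and sample log lines (example.org, example.net) are constructed; the line format follows the excerpt above.

```python
import re

# Constructed sample, in the debug-log format quoted in the report (unwrapped).
SAMPLE_LOG = """\
Jun 28 09:21:56.419 [75520] dbg: dkim: performing public DKIM key lookup and signature verification
Jun 28 09:21:56.419 [75520] dbg: dns: bgsend, query TXT/default._domainkey.example.org blocked by dns_query_restriction: example.org
Jun 28 09:21:56.420 [75520] dbg: dkim: FAILED DKIM, i=@example.org, d=example.org, s=default, a=rsa-sha256, c=simple/simple, unknown key size, invalid, matches author domain
Jun 28 09:22:10.101 [75521] dbg: dkim: performing public DKIM key lookup and signature verification
Jun 28 09:22:10.250 [75521] dbg: dkim: FAILED DKIM, i=@example.net, d=example.net, s=mail, a=rsa-sha256, c=simple/simple, unknown key size, invalid, matches author domain
"""

LINE = re.compile(r"\[(?P<pid>\d+)\] dbg: (?P<msg>.*)$")
START = "dkim: performing public DKIM key lookup"
BLOCKED = re.compile(r"dns: bgsend, query TXT/(?P<sel>\S+?)\._domainkey\.(?P<dom>\S+) "
                     r"blocked by dns_query_restriction")
FAILED = re.compile(r"dkim: FAILED DKIM, .*?\bd=(?P<dom>[^,\s]+), s=(?P<sel>[^,\s]+),")


def classify_dkim_failures(log_text):
    """Return (pid, domain, selector, verdict) for every FAILED DKIM line.

    verdict is "key-lookup-blocked" when the same process logged a blocked
    TXT query for <selector>._domainkey.<domain> during the current
    verification, otherwise "verification-failed".
    """
    blocked = set()   # (pid, domain, selector) whose key query was blocked
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith(START):
            # New verification in this process: forget its earlier blocks.
            blocked = {k for k in blocked if k[0] != pid}
        elif (b := BLOCKED.search(msg)):
            blocked.add((pid, b.group("dom").lower(), b.group("sel").lower()))
        elif (f := FAILED.search(msg)):
            key = (pid, f.group("dom").lower(), f.group("sel").lower())
            verdict = "key-lookup-blocked" if key in blocked else "verification-failed"
            results.append((pid, key[1], key[2], verdict))
    return results


if __name__ == "__main__":
    for row in classify_dkim_failures(SAMPLE_LOG):
        print(*row)
```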