Re: [mailop] [EXT] - Re: [EXT] - Re: New member, trying to bring our mail server inline.

Sat, 04 Mar 2023 15:52:16 -0800


On Mar 4, 2023, at 3:11 PM, Salvatore Jr Walter P via mailop <mailop@mailop.org> wrote:

Sorry, but I have no idea what any of that means?

what is a z tag?

I was curious as well and managed to find a decent resource here:


Bottom line is that the verification error you’re seeing (“signature verification failed”) is an indication that one of the header fields being used to generate the DKIM signature (listed in the h= tag potion of the signature) is being altered *after* the signature has been generated but before the message is relayed to the destination domain.

Looks like z tags can be used in the DKIM signature for debugging purposes … you can copy the original header values that were present during signing into this tag and then when signature verification fails, you can compare those values to what was actually received to see what was altered (assuming whatever altered the header(s) won’t touch the z= tag in your DKIM sig!).

We had this problem early on due to some header fix-ups happening by the MTA post DKIM signing.  You need to be sure that DKIM Signing is basically the last thing that happens before a message is relayed or at least that none of the header fields used to generate the sig are altered!

You would get a different error if the public key couldn’t be retrieved or if the body of the message was altered (body hash mismatch).

- Josh


___________________________
Walter P Salvatore Jr
Systems Administrator
Information Technology
City of Warwick
(401) 921-9663
https://www.warwickri.gov
walter.p.salvat...@warwickri.gov



________________________________
From: Alessandro Vesely <ves...@tana.it>
Sent: Saturday, March 4, 2023 7:12 AM
To: Salvatore Jr Walter P; 'mailop@mailop.org'
Subject: [EXT] - Re: [mailop] [EXT] - Re: New member, trying to bring our mail server inline.

On Fri 03/Mar/2023 21:39:46 +0100 Salvatore Jr Walter P via mailop wrote:
Thanks Mark. I sent an email as suggested and it came back as a fail for DKIM.

“I see you've included a DKIM signature. I've retrieved the public key from
1._domainkey.warwickri.gov

The signature failed validation. The Auth Result is fail.”


A failing signature should mean a header change.  That's also what I get from
your posts on mailop, signature verification failed (otherwise would 've been
body hash mismatch).  Can you turn on z= tags?  Otherwise try carefully
comparing the signed fields, from: subject: to: date:, message-id: and the
signature itself.

Check that no other filters alter those fields after signing.  Can you sign
messages off-line?  Do Bcc: copies verify? (Use any off-line dkim verifier.)


Good luck
Ale
--






_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Reply via email to