That would definitely do it - does it have the ability to sign DKIM?
Maybe you should do it there, instead of on exchange. Typically you want
to sign DKIM at the edge.
On 3/4/2023 5:48 PM, Salvatore Jr Walter P via mailop wrote:
Something just occurred to me, we have a Sophos email appliance. All
incoming and outgoing email goes through that box and it scans
everything. Do you think that may be modifying the headers before it
leaves our network?
*From:* Josh Daynard <josh.dayn...@icloud.com>
*Sent:* Saturday, March 4, 2023 6:37 PM
*To:* Salvatore Jr Walter P <walter.p.salvat...@warwickri.gov>
*Cc:* Alessandro Vesely <ves...@tana.it>; mailop@mailop.org
*Subject:* [EXT] - Re: [mailop] [EXT] - Re: [EXT] - Re: New member,
trying to bring our mail server inline.
On Mar 4, 2023, at 3:11 PM, Salvatore Jr Walter P via mailop
<mailop@mailop.org> wrote:
Sorry, but I have no idea what any of that means?
what is a z tag?
I was curious as well and managed to find a decent resource here:
What are DKIM Tags? <https://easydmarc.com/blog/what-are-dkim-tags/>
Bottom line is that the verification error you’re seeing (“signature
verification failed”) is an indication that one of the header fields
being used to generate the DKIM signature (listed in the h= tag portion
of the signature) is being altered *after* the signature has been
generated but before the message is relayed to the destination domain.
Looks like z tags can be used in the DKIM signature for debugging
purposes … you can copy the original header values that were present
during signing into this tag and then when signature verification
fails, you can compare those values to what was actually received to
see what was altered (assuming whatever altered the header(s) won’t
touch the z= tag in your DKIM sig!).
We had this problem early on due to some header fix-ups happening by
the MTA post DKIM signing. You need to be sure that DKIM Signing is
basically the last thing that happens before a message is relayed or
at least that none of the header fields used to generate the sig are
altered!
You would get a different error if the public key couldn’t be
retrieved or if the body of the message was altered (body hash mismatch).
- Josh
___________________________
Walter P Salvatore Jr
Systems Administrator
Information Technology
City of Warwick
(401) 921-9663
https://www.warwickri.gov
walter.p.salvat...@warwickri.gov
________________________________
From: Alessandro Vesely <ves...@tana.it>
Sent: Saturday, March 4, 2023 7:12 AM
To: Salvatore Jr Walter P; 'mailop@mailop.org'
Subject: [EXT] - Re: [mailop] [EXT] - Re: New member, trying to
bring our mail server inline.
On Fri 03/Mar/2023 21:39:46 +0100 Salvatore Jr Walter P via mailop wrote:
Thanks Mark. I sent an email as suggested and it came back as a fail for DKIM.
“I see you've included a DKIM signature. I've retrieved the
public key from
1._domainkey.warwickri.gov
The signature failed validation. The Auth Result is fail.”
A failing signature should mean a header change. That's also what I get from
your posts on mailop, signature verification failed (otherwise it would've been
body hash mismatch). Can you turn on z= tags? Otherwise try carefully
comparing the signed fields, from: subject: to: date:, message-id: and the
signature itself.
Check that no other filters alter those fields after signing. Can you sign
messages off-line? Do Bcc: copies verify? (Use any off-line DKIM verifier.)
Good luck
Ale
--
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
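The diagnostic Josh and Ale describe (turn on z= tags, then compare the header copies inside the signature with the headers that actually arrived) can be automated. The script below is an added example, not code from anyone in this thread: it parses the DKIM-Signature tags, decodes the z= copies per RFC 6376's dkim-quoted-printable rules, applies relaxed header canonicalization, and reports every signed field whose received value no longer matches. The sample message, its selector and the "[EXT] - " subject prefix are constructed for the demonstration; the signature and body hash values in it are placeholders, since the point is header comparison, not cryptographic verification.

```python
"""Compare a DKIM-Signature z= tag with the headers actually received.

Added example for the mailop thread above; not the thread's own code.
The message below is constructed and its b=/bh= values are placeholders.
"""
from __future__ import annotations

import re
from email import message_from_string

# Constructed sample: the signer copied From/To/Subject/Date into z=,
# and something in transit prefixed the Subject after signing.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;
 s=sel1; h=From:To:Subject:Date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=;
 z=From:alice@example.net|To:bob@example.org|
 Subject:Quarterly=20report|Date:Sat,=204=20Mar=202023=2018:37:00=20-0500
From: alice@example.net
To: bob@example.org
Subject: [EXT] - Quarterly report
Date: Sat, 4 Mar 2023 18:37:00 -0500

Body text is irrelevant here; a body change would show up as a bh= mismatch.
"""


def parse_dkim_tags(sig_value: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict.

    b=, bh=, h= and z= may be folded at any point, so all whitespace is
    dropped from them; other tag values are only trimmed.
    """
    tags = {}
    for part in sig_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        name = name.strip()
        tags[name] = re.sub(r"\s+", "", value) if name in ("b", "bh", "h", "z") else value.strip()
    return tags


def decode_dkim_qp(text: str) -> str:
    """dkim-quoted-printable: whitespace is ignored, =XX is a hex-encoded byte."""
    compact = re.sub(r"\s+", "", text)
    return re.sub(r"=([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), compact)


def z_tag_headers(z_value: str) -> list[tuple[str, str]]:
    """Split z= into (name, value) pairs.

    Fields are '|'-separated and a literal '|' inside a value must be
    encoded as =7C, so split first and decode each field afterwards.
    """
    pairs = []
    for field in z_value.split("|"):
        if not field:
            continue
        name, _, value = decode_dkim_qp(field).partition(":")
        pairs.append((name.strip().lower(), value))
    return pairs


def canon_relaxed(value: str) -> str:
    """Relaxed header canonicalization (RFC 6376 3.4.2): unfold, collapse
    runs of whitespace to one space, strip leading/trailing whitespace."""
    return re.sub(r"[ \t\r\n]+", " ", value).strip()


def find_altered_headers(raw_message: str) -> list[dict]:
    """Return the signed header fields whose received value differs from
    the copy the signer stored in z=, to locate a post-signing modifier."""
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        raise ValueError("no DKIM-Signature header present")
    tags = parse_dkim_tags(sig)
    if "z" not in tags:
        raise ValueError("signature carries no z= tag; enable it on the signer first")
    signed = [h.lower() for h in tags["h"].split(":") if h]

    diffs = []
    for name, original in z_tag_headers(tags["z"]):
        if name not in signed:
            continue  # z= may copy unsigned headers; only signed ones break the signature
        received = [canon_relaxed(v) for v in (msg.get_all(name) or [])]
        expected = canon_relaxed(original)
        if expected not in received:
            diffs.append({"header": name, "signed": expected,
                          "received": received[0] if received else None})
    return diffs


if __name__ == "__main__":
    for d in find_altered_headers(SAMPLE_MESSAGE):
        print(f"{d['header']}: signed {d['signed']!r}, received {d['received']!r}")
```

Run it against a bounced or test message saved as raw RFC 5322 text and the output names the exact field a downstream filter or gateway rewrote; if nothing is listed but the verifier still reports a signature failure rather than a body hash mismatch, look at folding changes in the header the relaxed canonicalization did not normalize (the signature was most likely made with c=simple), or at a header the signer listed in h= but did not copy into z=.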