I am getting a signature verification failed from a simple email sent by
cron. The signature is created using filter-dkimsign. All other messages
pass DKIM signature verification tests, including messages from cron
(though they use only the first domain listed in the filter no matter
the domain sending the message, a problem I've reported previously that
does not cause a signature verification failure).
Here is the cron job:
/usr/local/bin/curl https://www.cloudflare.com/ips-v4/ > cloudflareipv4.list
The recipient is on a different server. However, even when I send
messages to appdevmail.com [1] by adding them as an alias, the signature
fails just the same, so it does not seem an issue with my receiving
server.
$ cat /etc/mail/smtpd.conf
# $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
pki "int_net" cert "/etc/ssl/private.ec.256.pem.crt"
pki "int_net" key "/etc/ssl/private/private.ec.256.key"
table aliases file:/etc/mail/aliases
include "/etc/mail/dkimsign.filters"
listen on socket
listen on lo0 filter "dkimsign_loc"
listen on vio1 tls pki "int_net" filter "dkimsign_int" tag "int_net"
action "local_mail" mbox alias <aliases>
action "local_redirect" relay host smtp://127.0.0.1:25
action "outbound" relay
match tag "int_net" for local reject
match from socket for any action "local_redirect"
match for local action "local_mail"
match from any for any action "outbound"
(Note that I use firewall rules to limit which IP addresses can send
mail and vio1 is the private network.)
$ cat /etc/mail/dkimsign.filters
filter dkimsign_loc_rsa proc-exec "filter-dkimsign \
-d smtp.mostlybsd.com \
-s 10272023r -k /etc/mail/dkim/10272023r.rsa.1024.key" user _dkimsign group _dkimsign
filter dkimsign_loc_ed25519 proc-exec "filter-dkimsign -a ed25519-sha256 \
-d smtp.mostlybsd.com \
-s 10272023e -k /etc/mail/dkim/10272023e.ed25519.key" user _dkimsign group _dkimsign
filter dkimsign_loc chain { dkimsign_loc_rsa, dkimsign_loc_ed25519 }
filter "dkimsign_int_rsa" proc-exec "filter-dkimsign \
-d example.com \
-d mostlybsd.com \
-d subdomain1.mostlybsd.com \
-d subdomain2.mostlybsd.com \
-s 10272023r -k /etc/mail/dkim/10272023r.rsa.1024.key" user _dkimsign group _dkimsign
filter "dkimsign_int_ed25519" proc-exec "filter-dkimsign -a ed25519-sha256 \
-d example.com \
-d mostlybsd.com \
-d subdomain1.mostlybsd.com \
-d subdomain2.mostlybsd.com \
-s 10272023e -k /etc/mail/dkim/10272023e.ed25519.key" user _dkimsign group _dkimsign
filter dkimsign_int chain { dkimsign_int_rsa, dkimsign_int_ed25519 }
I can see on my receiving server (it is not OpenBSD or OpenSMTPD), the
body of the received message is identical in both maildir file and
message printed in Roundcube:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 230 100 230 0 0 2327 0 --:--:-- --:--:-- --:--:-- 2346
But in OpenBSD, mbox file message body for the user running the job is:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0^M100 230 100 230 0 0 2327 0 --:--:-- --:--:-- --:--:-- 2346
While mail outputs message body as:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 230 100 230 0 0 2327 0 --:--:-- --:--:-- --:--:-- 2346
I don't know details of differences in mbox or maildir file formats or
the different clients, so maybe this is expected.
I freely accept that I am no expert in how to configure OpenSMTPD. The
above configuration started with a lot of guess-and-check to get things
running in a way that works for my servers. However, note that when this
configuration was much simpler, the message was still failing DKIM,
and it fails even for local users running the above cron job or client
servers running the same job and no matter which user is running the
job.
Thank you,
Paul
[1] https://www.appmaildev.com/site/testfile/dkim?lang=en
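
Added example, not part of the original message and not filter-dkimsign's own code: the mbox copy above contains bare carriage returns (^M) from curl's progress meter, and the DKIM body hash (bh=) covers them under both the simple and relaxed body canonicalization of RFC 6376. The sketch recomputes bh= for a constructed copy of that body and for two rewrites a relay might apply to bare CR; that any hop actually rewrites them here is an assumption, as are the function names.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")  # only CRLF ends a line; a bare CR stays in it
    if mode == "relaxed":
        # WSP means SP and HTAB only, so a bare CR is neither collapsed nor stripped
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # drop trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """Value a verifier compares against bh= for a sha256 signature."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def rewrite_bare_cr(body: bytes, replacement: bytes) -> bytes:
    """Hypothetical relay behaviour: replace every CR not followed by LF."""
    return re.sub(rb"\r(?!\n)", replacement, body)

# Constructed sample: the progress meter from the post, bare CRs as seen in the mbox
SIGNED = (
    b"% Total % Received % Xferd Average Speed Time Time Time Current\r\n"
    b"Dload Upload Total Spent Left Speed\r\n"
    b"\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0"
    b"\r100 230 100 230 0 0 2327 0 --:--:-- --:--:-- --:--:-- 2346\r\n"
)

def compare(signed: bytes) -> dict:
    """For each canonicalization, does bh= survive each rewrite of bare CR?"""
    result = {}
    for mode in ("simple", "relaxed"):
        bh = body_hash(signed, mode)
        result[mode] = {
            "unchanged": body_hash(signed, mode) == bh,
            "cr_dropped": body_hash(rewrite_bare_cr(signed, b""), mode) == bh,
            "cr_to_crlf": body_hash(rewrite_bare_cr(signed, b"\r\n"), mode) == bh,
        }
    return result

if __name__ == "__main__":
    for mode, checks in compare(SIGNED).items():
        print(mode, checks)
```

Running body_hash over the body of the delivered message and comparing the result with the bh= tag in its DKIM-Signature header shows whether the body, rather than the signed headers, is what changed in transit. The c= tag in the same header says which canonicalization to pass as mode.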