Re: [gentoo-user] OT: amavis and DKIM verification
On 10 Jan 2010, at 21:26, Matt Harrison wrote: I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm just not sure who to ask or even if it could be something Gentoo related. I've recently updated my postfix home mail server ... I'm not able to help with this, but it's something I want to look at myself this year. However the postfix-users mailing list postfix-us...@postfix.org would probably be a useful resource. Stroller.
Re: [gentoo-user] OT: amavis and DKIM verification
Le 10/01/2010 22:26, Matt Harrison a écrit : I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm just not sure who to ask or even if it could be something Gentoo related. I've recently updated my postfix home mail server to use amavis-new for virus and spam filtering rather than procmail/spamassassin. It seems to be working well and I've also enabled some other goodies like DKIM signing and verification. I haven't confirmed signing is working yet, so maybe a side effect of this email is that someone can confirm this for me ;) Your mail is not DKIM-Signed, check your setup. The main query I have is that a lot of the mail I get, in this case from various mailing lists, appears to failed DKIM verification. For example, several of the posters on this list are DKIM signing their mail either as part of gmail policy (or another big provider) or personal intent. Something in the region of 50% of signed mail on this list contains headers such as: Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail (fail, message has been altered) header...@gmail.com Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=softfail (fail, message has been altered) header.from=xxx...@gmail.com Whereas the rest looks like this: Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass header...@gmail.com Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass header.from=xxx...@gmail.com Now I find it unreasonable to assume that 50% of the mail I receive is being actively tampered with, so it must be something getting twisted out of shape. All I'm trying to discover is whether it's something at my end that I need to fiddle with. I followed a few different guides to piece my setup together so it's quite possible I've overlooked or misconfigured something. 90% chance the emails failing DKIM verification had their email subject modified to add [gentoo-user] in it by the mlmmj program that manage the mailing-list, which mainly concerns topic starts (ie first mails about one topic). If anyone knows about DKIM and might be able to shed a light on this, I'd love to hear. It's not a big problem, just a puzzle I'm interested in. Thanks Matt Harrison -- Xavier Parizet YaGB : http://gentooist.com GPG :C7DC B10E FC21 63BE B453 D239 F6E6 DF65 1569 91BF signature.asc Description: OpenPGP digital signature
Re: [gentoo-user] OT: amavis and DKIM verification
On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote: Le 10/01/2010 22:26, Matt Harrison a ??crit : I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm just not sure who to ask or even if it could be something Gentoo related. I've recently updated my postfix home mail server to use amavis-new for virus and spam filtering rather than procmail/spamassassin. It seems to be working well and I've also enabled some other goodies like DKIM signing and verification. I haven't confirmed signing is working yet, so maybe a side effect of this email is that someone can confirm this for me ;) Your mail is not DKIM-Signed, check your setup. Ok, thanks for checking, it appears that outbound messages weren't being passed to amavis, I think I've rectified that now. I can see the message being scanned in the logs, but not necessarily being signed though. Inbound messages generate warnings such as: dkim: not signing, no applicable private key for domains ruby-forum.com. but my outbound messages just scan clean. I've tried without sender maps and with limiting them to my domain. The main query I have is that a lot of the mail I get, in this case from various mailing lists, appears to failed DKIM verification. For example, several of the posters on this list are DKIM signing their mail either as part of gmail policy (or another big provider) or personal intent. Something in the region of 50% of signed mail on this list contains headers such as: Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail (fail, message has been altered) header...@gmail.com Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=softfail (fail, message has been altered) header.from=xxx...@gmail.com Whereas the rest looks like this: Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass header...@gmail.com Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass header.from=xxx...@gmail.com Now I find it unreasonable to assume that 50% of the mail I receive is being actively tampered with, so it must be something getting twisted out of shape. All I'm trying to discover is whether it's something at my end that I need to fiddle with. I followed a few different guides to piece my setup together so it's quite possible I've overlooked or misconfigured something. 90% chance the emails failing DKIM verification had their email subject modified to add [gentoo-user] in it by the mlmmj program that manage the mailing-list, which mainly concerns topic starts (ie first mails about one topic). That would make a lot of sense, I'm not sure if it's just the first messages that are doing it, but I have a feeling that others in a thread are also failing. Thanks for your input Xavier, I think I need to get over to the amavis or postfix guys, like Stroller said, to really figure out what is happening. pgpVyPTHMgb8k.pgp Description: PGP signature
Re: [gentoo-user] OT: amavis and DKIM verification
Le 11/01/2010 16:31, Matt Harrison a écrit : On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote: Le 10/01/2010 22:26, Matt Harrison a ??crit : I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm just not sure who to ask or even if it could be something Gentoo related. I've recently updated my postfix home mail server to use amavis-new for virus and spam filtering rather than procmail/spamassassin. It seems to be working well and I've also enabled some other goodies like DKIM signing and verification. I haven't confirmed signing is working yet, so maybe a side effect of this email is that someone can confirm this for me ;) Your mail is not DKIM-Signed, check your setup. Ok, thanks for checking, it appears that outbound messages weren't being passed to amavis, I think I've rectified that now. I can see the message being scanned in the logs, but not necessarily being signed though. Inbound messages generate warnings such as: dkim: not signing, no applicable private key for domains ruby-forum.com. Seems that either you forgot to setup the DNS for ruby-forum.com with the public key, or you don't own ruby-forum.com, as well as his private key. Keep in mind that signing is done according to the From: header content. but my outbound messages just scan clean. I've tried without sender maps and with limiting them to my domain. The main query I have is that a lot of the mail I get, in this case from various mailing lists, appears to failed DKIM verification. [SNIP] 90% chance the emails failing DKIM verification had their email subject modified to add [gentoo-user] in it by the mlmmj program that manage the mailing-list, which mainly concerns topic starts (ie first mails about one topic). That would make a lot of sense, I'm not sure if it's just the first messages that are doing it, but I have a feeling that others in a thread are also failing. After some checking, it appears that Reply-To: header is also modified by mlmmj, and so DKIM verification fails too for these ones. Thanks for your input Xavier, I think I need to get over to the amavis or postfix guys, like Stroller said, to really figure out what is happening. -- Xavier Parizet YaGB : http://gentooist.com GPG :C7DC B10E FC21 63BE B453 D239 F6E6 DF65 1569 91BF signature.asc Description: OpenPGP digital signature
