On Tue, 2021-11-23 at 08:47 -0800, Paul Pace wrote: > Hello! > > I have an Ubuntu 18.04 server running Postfix 3.3 that relays through a > local OpenSMTPD mail relay on OpenBSD 7.0. Messages sent from system > messages and directly from mail command are signed by dkimsign as > expected. > > Messages sent from letstencrypt run through cron.weekly are not being > signed by dkimsign with the expected domain. Log entries for correctly > signed and incorrectly signed messages are identical on both client and > relay server. > > Here are the key portions of the header in the received inbox for the > cron.weekly job: > > > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021; > bh=rNFy7e0QC/J > YFcHTI8wUywlRSY3eJ4LLLsOZrSC0XBc=; h=date:subject:to:from; > d=example.com; b=KqmB7rxJfpLcF6Nif/4bQRAbcQDDhVmFh+8KDeCqc9ujlr8ogK7... > Received: from relayclient.example.com (<unknown> [172.16.13.2]) > by smtp.example.com (OpenSMTPD) with ESMTPS id 44fa8358 > (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) > for <u...@example.net>; > Sun, 14 Nov 2021 06:47:03 -0800 (PST) > Received: by relayclient.example.com (Postfix) > id 881F75F401; Sun, 14 Nov 2021 06:47:03 -0800 (PST) > Delivered-To: r...@relayclient.example.com > Received: by relayclient.example.com (Postfix, from userid 0) > id 81D885F402; Sun, 14 Nov 2021 06:47:03 -0800 (PST) > From: r...@relayclient.example.com (Cron Daemon) > To: r...@relayclient.example.com > Subject: Cron <root@relayclient> test -x /usr/sbin/anacron || ( cd / && > run-parts --report /etc/cron.weekly ) > MIME-Version: 1.0 > Content-Type: text/plain; charset=ISO-8859-1 > Content-Transfer-Encoding: 8bit > X-Cron-Env: <SHELL=/bin/sh> > X-Cron-Env: > <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin> > X-Cron-Env: <HOME=/root> > X-Cron-Env: <LOGNAME=root> > Message-Id: <20211114144703.81d885f...@relayclient.example.com> > Date: Sun, 14 Nov 2021 06:47:03 -0800 (PST) > > > Note in this above headers that d=example.com and expected is > d=relayclient.example.com > > Here are the key portions of the headers in the received inbox from the > same client but for some other system message: > > > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021; > bh=r8XLAjeCvrx > jCndiJeywanw7UmGo9LRF4gIb07HheJc=; h=date:to:from:subject; > d=relayclient.example.com; > b=QfD3av5+JxEZyCgzeZ7GcnhIf3/sMmeCNDtEvz/4/hGZf... > Received: from relayclient.example.com (<unknown> [172.16.13.2]) > by relayclient.example.com (OpenSMTPD) with ESMTPS id b3c796f1 > (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) > for <u...@example.net>; > Sat, 20 Nov 2021 06:40:29 -0800 (PST) > Received: by relayclient.example.com (Postfix) > id AFFC95E476; Sat, 20 Nov 2021 06:40:29 -0800 (PST) > Delivered-To: r...@relayclient.example.com > Received: by relayclient.example.com (Postfix, from userid 0) > id A961A5F42E; Sat, 20 Nov 2021 06:40:29 -0800 (PST) > Subject: unattended-upgrades result for relayclient.example.com: True > From: r...@relayclient.example.com > To: r...@relayclient.example.com > Auto-Submitted: auto-generated > MIME-Version: 1.0 > Content-Type: text/plain; charset="utf-8" > Content-Transfer-Encoding: quoted-printable > Message-Id: <20211120144029.a961a5f...@relayclient.example.com> > Date: Sat, 20 Nov 2021 06:40:29 -0800 (PST) > > > Note in this above headers that d=relayclient.example.com, as expected. > > Here is smtpd.conf: > > > pki int_net cert "/etc/ssl/176.16.13.1.crt" > pki int_net key "/etc/ssl/private/smtp.example.com.key" > > table aliases file:/etc/mail/aliases > > filter "dkimsign_loc_rsa" proc-exec "filter-dkimsign \ > -d smtp.example.com -s 10172021 \ > -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group _dkimsign > > filter "dkimsign_int_rsa" proc-exec "filter-dkimsign \ > -d example.com \ > -d smtp.example.com \ > -d relayclient.example.com > -s 10172021 -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group > _dkimsign > > listen on socket > listen on lo0 filter "dkimsign_loc_rsa" > listen on vio1 tls pki int_net filter "dkimsign_int_rsa" > > action "local_mail" mbox alias <aliases> > action "local_redirect" relay host smtp+notls://127.0.0.1:25 > action "outbound" relay > > match from socket action "local_redirect" > match for local action "local_mail" > match from any for any action "outbound" > > > The vio1 interface is on the private network and access is controlled > through PF. > > Thank you! > > Paul > I can't reproduce this in the most simple form and I don't notice anything in the code that might point to a bug of this kind. (tried with smtp(1) and a single filter with the subdomains in the same order as you have)
What the code does: it starts with the first domain in the list (in this case example.com) and then gets the domain part of the first e-mail address in the from-list and compares it to all the specified domains, if a match is found that domain is used. If none is found labels are stripped from the from-domain until a match is found. If none is found at all we stick with the first domain in the list. Since I highly doubt that example.com is the domain you're signing with my primary suspicion is that there's a discrepancy between the from- domain and the -d (which causes it to use the default name of example.com), but that this mismatch is obfuscated because of your redaction in this mail. If that's not the case, please provide me with a simple proof of concept, so that I can analyse this further. martijn@
