Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-10 Thread Benny Pedersen

Felix Defrance wrote on 2017-08-10 17:09:

> Ok but in many other cases, spamassassin not failed at this point and
> validate the signing.. why it fail sometimes, and not all time ?

verify, when it fails, what size the failed mail has; if it is
truncated by amavisd, then extend the mail truncating size in amavisd. it's
not a spamassassin problem if it's truncated data you provide for sa

else drop amavisd, and use spampd, where it does not make that problem
at all


Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-10 Thread Felix Defrance
On 10/08/2017 at 16:33, RW wrote:
> On Thu, 10 Aug 2017 16:12:11 +0200
> Felix Defrance wrote:
>
>
>> In the first lines on log, you could see opendkim results are success.
>>
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
>> successful
>> Aug  9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr
>> none
>>
>> That why I think Amavis or Spamassassin is in cause.
> As I already pointed out, Amavis passed SpamAssassin a truncated,
> i.e. incomplete, email; it's inevitable that this will fail
> SpamAssassin's DKIM test. The opendkim result is on the full email.

Ok, but in many other cases spamassassin did not fail at this point and
validated the signing. Why does it fail sometimes, and not all the time?


-- 
Félix Defrance
PGP: 0x0F04DC57




Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-10 Thread Kevin Golding
On Thu, 10 Aug 2017 15:12:11 +0100, Felix Defrance wrote:

> In the first lines on log, you could see opendkim results are success.
>
> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
> successful
> Aug  9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
>
> That why I think Amavis or Spamassassin is in cause.


If you read the limitations section regarding milters in postfix  
http://www.postfix.org/MILTER_README.html#limitations you'll see that if  
you call both a milter and a before-queue content scanner they can't both  
process the full untampered with message (as RW has mentioned).


I forget the exact details, it's a long time since I had to look into it,  
but if you skip opendkim and opendmarc you should find that the DKIM check  
in SpamAssassin succeeds.



> Microsoft is helpful, but they should be not..


When companies sign up to use Microsoft email it is sent out signed using
a domain MS controls. It seems to work well for them and apparently makes
it user friendly. I see a lot of ham that is DKIM invalid but I don't
recall the last time it was from a Microsoft account. (That's probably
tempting fate.)





Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-10 Thread RW
On Thu, 10 Aug 2017 16:12:11 +0200
Felix Defrance wrote:


> In the first lines on log, you could see opendkim results are success.
> 
> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
> successful
> Aug  9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr
> none
> 
> That why I think Amavis or Spamassassin is in cause.

As I already pointed out, Amavis passed SpamAssassin a truncated,
i.e. incomplete, email; it's inevitable that this will fail
SpamAssassin's DKIM test. The opendkim result is on the full email.
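
Added example, not part of RW's message or of any project named in the thread: a log triage that groups amavis lines by session id and separates SpamAssassin DKIM failures that follow a "truncating a message passed to SA" line from failures on a complete message. The sample log is constructed in the format quoted in this thread; sessions 01524-07 and 01524-08 and the `PASS` line are assumptions added as controls.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in this thread.
# Session 01524-06 mirrors the thread; 01524-07 and 01524-08 are made-up controls.
SAMPLE_LOG = """\
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message passed to SA at 211221 bytes, orig 558708
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
Aug  9 10:26:10 vmail amavis[1524]: (01524-07) SA dbg: dkim: signature verification result: PASS
Aug  9 10:27:02 vmail amavis[1524]: (01524-08) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
"""

AMAVIS = re.compile(r"amavis\[\d+\]: \((?P<sid>[0-9]+-[0-9]+)\) (?P<msg>.*)")
TRUNC = re.compile(r"truncating a message passed to SA at (\d+) bytes, orig (\d+)")
DKIM = re.compile(r"SA dbg: dkim: signature verification result: (\w+)")


def triage(log_text):
    """Group amavis lines by session id and classify each SA DKIM result."""
    sessions = defaultdict(lambda: {"truncated": None, "results": []})
    for line in log_text.splitlines():
        m = AMAVIS.search(line)
        if not m:
            continue  # opendkim, postfix and other daemons are ignored here
        entry = sessions[m["sid"]]
        t = TRUNC.search(m["msg"])
        if t:
            entry["truncated"] = (int(t[1]), int(t[2]))  # (passed to SA, original)
        d = DKIM.search(m["msg"])
        if d:
            entry["results"].append(d[1].upper())

    report = {}
    for sid, entry in sessions.items():
        if not entry["results"]:
            continue  # SA logged no DKIM result in this session
        if "FAIL" not in entry["results"]:
            verdict = "dkim-ok"
        elif entry["truncated"]:
            # SA verified an incomplete body, so this FAIL says nothing about the sender
            verdict = "fail-on-truncated-input"
        else:
            verdict = "fail-on-full-message"
        report[sid] = {"verdict": verdict, "truncated": entry["truncated"]}
    return report


if __name__ == "__main__":
    for sid, info in sorted(triage(SAMPLE_LOG).items()):
        print(sid, info)
```

Only the `fail-on-full-message` sessions are worth investigating as real signature problems.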


Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-10 Thread Felix Defrance


On 09/08/2017 at 18:53, David Jones wrote:
> On 08/09/2017 10:19 AM, Felix Defrance wrote:
>> Do you have any idea why the body has been altered sometimes ? I
>> don't have any log about amavis alterate body message.
>>
>
> This happens when any server in the path modify some of the headers or
> the body of the email after it was signed by the originator.  Older
> Exchange servers are known to mess with DKIM signing.  I think
> Exchange 2016 and Office 365 now properly handle mail so that DKIM
> doesn't break.
>
> It could be any of the Received: mail servers that broke DKIM.  I
> don't think it was your Amavis that caused it.  You could install
> OpenDKIM and OpenDMARC as a milter on the MTA to get some extra
> information before the message was passed to Amavis.

In the first lines of the log, you can see that the opendkim results are a success.

Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
successful
Aug  9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none

That's why I think Amavis or Spamassassin is the cause.

>
>> You don't think the problem came from this line ?
>>
>> SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com,
>> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
>> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
>>
>
> No.  This didn't cause the problem.  It's just showing that the
> envelope-from domain didn't match the DKIM d= domain.
>
> groupeastek.fr <> groupeastek365.onmicrosoft.com
>
> Microsoft is trying to be helpful here and automatically DKIM signing
> with their own domain.

Ok - I didn't read the RFC - but could I suppose that
Mail::SpamAssassin::Plugin::DKIM or Microsoft doesn't respect the standard?

Maybe I need to update Mail::SpamAssassin::Plugin::DKIM.

I use libmail-dkim-perl 0.40-1 from Debian Jessie. Do you think the
version is too old?

Or

Microsoft is helpful, but they should not be..

>
>
>
>> Thx,
>>
>> On 09/08/2017 at 16:37, David Jones wrote:
>>> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>>>> Hi all,
>>>>
>>>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fail on
>>>> signature verification instead of opendkim success..
>>>>
>>>> I see thats issues on domain which use onmicrosoft.com or
>>>> gappssmtp.com
>>>>
>>>> Here is the mail trace on my MTA, if anybody could help me.
>>>>
>>>> Thx,
>>>>
>>>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim:
>>>> signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>>
>>>> --
>>>> Félix
>>>> PGP: 0x0F04DC57
>>>>
>>>
>>> This is in the logs above:
>>>
>>> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>
>>
>> -- 
>> Félix Defrance
>> PGP: 0x0F04DC57
>>
>

-- 
Félix Defrance
PGP: 0x0F04DC57



Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-10 Thread Felix Defrance
On 10/08/2017 at 14:46, Benny Pedersen wrote:

> RW wrote on 2017-08-10 02:06:
>
>> If  amavis only passes part of the email to SA, it isn't going to pass
>> DKIM.
>
> i think there is more underlaying problems there, amavisd have its own
> dkim verify and signer, even if spamassassin does not see the
> fullmail, amavisd can verify and sign it still, so my next trolling is
> does sa dkim module respect mime ?
>
> is dkim respecting mime verify and signing of mime parts ?, good
> qeustion imho to answer the first problem
>
> one thing i know is that dkim does not support 8bitmime, so why mime
> parts ? :(
>
> why dkim sign all mime parts ?

In my setup, I don't use $enable_dkim_verification or $enable_dkim_signing
in amavis.

-- 
Félix Defrance
PGP: 0x0F04DC57



Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-10 Thread Benny Pedersen

RW wrote on 2017-08-10 02:06:

> If  amavis only passes part of the email to SA, it isn't going to pass
> DKIM.

i think there are more underlying problems there, amavisd has its own
dkim verify and signer, even if spamassassin does not see the full mail,
amavisd can verify and sign it still, so my next trolling is does sa
dkim module respect mime ?

is dkim respecting mime verify and signing of mime parts ?, good
question imho to answer the first problem

one thing i know is that dkim does not support 8bitmime, so why mime
parts ? :(

why dkim sign all mime parts ?


Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-09 Thread RW
On Wed, 9 Aug 2017 16:33:57 +0200
Felix Defrance wrote:

> Hi all,
> 
> I don't understand why Mail::SpamAssassin::Plugin::DKIM fail on
> signature verification instead of opendkim success..
> 
> I see thats issues on domain which use onmicrosoft.com or
> gappssmtp.com
...
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message
> passed to SA at 211221 bytes, orig 558708

If  amavis only passes part of the email to SA, it isn't going to pass
DKIM. 
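
Added example, not part of RW's message: a sketch of why a verifier that is handed only the first part of a message cannot reproduce the signer's body hash. It implements the relaxed body canonicalization of RFC 6376 section 3.4.4 with SHA-256, matching the `c=relaxed/relaxed` and `a=rsa-sha256` tags in the thread's log; the message, the 4096-byte limit and the function names are constructed for illustration.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization from RFC 6376, section 3.4.4."""
    lines = []
    for line in body.split(b"\r\n"):
        line = line.rstrip(b" \t")                    # drop whitespace at end of line
        lines.append(re.sub(rb"[ \t]+", b" ", line))  # collapse runs of WSP to one SP
    while lines and lines[-1] == b"":                 # drop empty lines at end of body
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes) -> str:
    """Value a verifier compares with the bh= tag of the signature."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def body_seen_by_scanner(message: bytes, limit=None) -> bytes:
    """Body of the message after the raw message is cut at `limit` bytes."""
    raw = message if limit is None else message[:limit]
    _headers, _sep, body = raw.partition(b"\r\n\r\n")
    return body


# Constructed message: a short text part followed by a large fake attachment.
HEADERS = b"From: sender@example.org\r\nSubject: constructed sample"
BODY = b"See the attached report.\r\n\r\n" + b"QUJDREVGR0hJSktMTU5PUA==\r\n" * 400
MESSAGE = HEADERS + b"\r\n\r\n" + BODY

SIGNED_BH = body_hash(BODY)  # what the signer would have placed in bh=
LIMIT = 4096                 # hypothetical truncation point, smaller than MESSAGE

if __name__ == "__main__":
    print("full message:", body_hash(body_seen_by_scanner(MESSAGE)) == SIGNED_BH)
    print("truncated   :", body_hash(body_seen_by_scanner(MESSAGE, LIMIT)) == SIGNED_BH)
    print("under limit :", body_hash(body_seen_by_scanner(MESSAGE, 10**6)) == SIGNED_BH)
```

A message smaller than the limit reaches the verifier intact and still matches, so only mail above the truncation size shows the failure.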


Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-09 Thread David Jones

On 08/09/2017 10:19 AM, Felix Defrance wrote:
> Do you have any idea why the body has been altered sometimes ? I don't
> have any log about amavis alterate body message.

This happens when any server in the path modifies some of the headers or
the body of the email after it was signed by the originator.  Older
Exchange servers are known to mess with DKIM signing.  I think Exchange
2016 and Office 365 now properly handle mail so that DKIM doesn't break.

It could be any of the Received: mail servers that broke DKIM.  I don't
think it was your Amavis that caused it.  You could install OpenDKIM and
OpenDMARC as a milter on the MTA to get some extra information before
the message was passed to Amavis.

> You don't think the problem came from this line ?
>
> SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com,
> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain

No.  This didn't cause the problem.  It's just showing that the
envelope-from domain didn't match the DKIM d= domain.

groupeastek.fr <> groupeastek365.onmicrosoft.com

Microsoft is trying to be helpful here and automatically DKIM signing
with their own domain.

> Thx,
>
> On 09/08/2017 at 16:37, David Jones wrote:
>> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>>> Hi all,
>>>
>>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fail on
>>> signature verification instead of opendkim success..
>>>
>>> I see thats issues on domain which use onmicrosoft.com or gappssmtp.com
>>>
>>> Here is the mail trace on my MTA, if anybody could help me.
>>>
>>> Thx,
>>>
>>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim:
>>> signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>
>>> --
>>> Félix
>>> PGP: 0x0F04DC57
>>
>> This is in the logs above:
>>
>> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>
> --
> Félix Defrance
> PGP: 0x0F04DC57

--
David Jones


Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-09 Thread Felix Defrance
Do you have any idea why the body has been altered sometimes? I don't
have any log about amavis altering the message body.

You don't think the problem came from this line?

SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com,
d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain

Thx,

On 09/08/2017 at 16:37, David Jones wrote:
> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>> Hi all,
>>
>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fail on
>> signature verification instead of opendkim success..
>>
>> I see thats issues on domain which use onmicrosoft.com or gappssmtp.com
>>
>> Here is the mail trace on my MTA, if anybody could help me.
>>
>> Thx,
>>
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D:
>> mail-he1eur01on0135.outbound.protection.outlook.com [104.47.0.135]
>> not internal
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: not authenticated
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing domain
>> match for 'groupeastek.fr'
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing
>> subdomain match for 'groupeastek.fr'
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: failed to parse
>> authentication-results: header field
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
>> successful
>> Aug  9 10:25:43 vmail opendkim[21923]: 0D81A778B1D:
>> s=selector1-groupeastek-fr d=groupeastek365.onmicrosoft.com SSL
>> Aug  9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
>> Aug  9 10:25:43 vmail postfix/qmgr[9226]: 0D81A778B1D:
>> from=, size=558389, nrcpt=1 (queue active)
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) ESMTP :10024
>> /var/lib/amavis/tmp/amavis-20170809T101204-01524-PE_s500S:
>>  ->  SIZE=558389 Received: from
>> vmail.tata.com ([127.0.0.1]) by localhost (vmail.tata.com
>> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for
>> ; Wed,  9 Aug 2017 10:25:43 +0200 (CEST)
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) Checking: 9j8FwaumEeNr
>> [104.47.0.135]  -> 
>> Aug  9 10:25:43 vmail postfix/smtpd[4885]: disconnect from
>> mail-he1eur01on0135.outbound.protection.outlook.com[104.47.0.135]
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p005 1 Content-Type:
>> multipart/mixed
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p006 1/1 Content-Type:
>> multipart/related
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p007 1/1/1
>> Content-Type: multipart/alternative
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p001 1/1/1/1
>> Content-Type: text/plain, size: 968 B, name:
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p002 1/1/1/2
>> Content-Type: text/html, size: 5183 B, name:
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p003 1/1/2
>> Content-Type: image/png, size: 4414 B, name: image001.png
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p004 1/2 Content-Type:
>> application/pdf, size: 393097 B, name: DC_ASTEK_Q_Charles_2017_08.pdf
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message
>> passed to SA at 211221 bytes, orig 558708
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim:
>> performing public key lookup and signature verification
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED
>> DKIM, i=@groupeastek365.onmicrosoft.com,
>> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
>> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim:
>> signature verification result: FAIL (BODY HAS BEEN ALTERED)
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp:
>> performing lookup on _adsp._domainkey.groupeastek.fr
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp
>> result: U/unknown (dns: unknown), author domain 'groupeastek.fr'
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking
>> to see if the message has a Received-SPF header that we can use
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: found a
>> Received-SPF header added by an internal host: Received-SPF: Pass
>> (sender SPF authorized) identity=mailfrom; client-ip=104.47.0.135;
>> helo=eur01-he1-obe.outbound.protection.outlook.com;
>> envelope-from=t...@groupeastek.fr; receiver=t...@tata.com
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: re-using
>> mfrom result from Received-SPF header: pass
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking
>> HELO (helo=EUR01-HE1-obe.outbound.protection.outlook.com,
>> ip=104.47.0.135)
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: query for
>> /104.47.0.135/EUR01-HE1-obe.outbound.protection.outlook.com: result:
>> pass, comment: , text: Mechanism 'include:spf.protection.outlook.com'
>> matched
>> Aug  9 10:25:43 vmail amavis[1524]: 

Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-09 Thread David Jones

On 08/09/2017 09:33 AM, Felix Defrance wrote:

> Hi all,
>
> I don't understand why Mail::SpamAssassin::Plugin::DKIM fail on
> signature verification instead of opendkim success..
>
> I see thats issues on domain which use onmicrosoft.com or gappssmtp.com
>
> Here is the mail trace on my MTA, if anybody could help me.
>
> Thx,
>
> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D:
> mail-he1eur01on0135.outbound.protection.outlook.com [104.47.0.135] not
> internal
> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: not authenticated
> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing domain
> match for 'groupeastek.fr'
> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing subdomain
> match for 'groupeastek.fr'
> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: failed to parse
> authentication-results: header field
> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
> successful
> Aug  9 10:25:43 vmail opendkim[21923]: 0D81A778B1D:
> s=selector1-groupeastek-fr d=groupeastek365.onmicrosoft.com SSL
> Aug  9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
> Aug  9 10:25:43 vmail postfix/qmgr[9226]: 0D81A778B1D:
> from=, size=558389, nrcpt=1 (queue active)
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) ESMTP :10024
> /var/lib/amavis/tmp/amavis-20170809T101204-01524-PE_s500S:
>  ->  SIZE=558389 Received: from
> vmail.tata.com ([127.0.0.1]) by localhost (vmail.tata.com [127.0.0.1])
> (amavisd-new, port 10024) with ESMTP for ; Wed,  9 Aug
> 2017 10:25:43 +0200 (CEST)
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) Checking: 9j8FwaumEeNr
> [104.47.0.135]  ->
> Aug  9 10:25:43 vmail postfix/smtpd[4885]: disconnect from
> mail-he1eur01on0135.outbound.protection.outlook.com[104.47.0.135]
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p005 1 Content-Type:
> multipart/mixed
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p006 1/1 Content-Type:
> multipart/related
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p007 1/1/1 Content-Type:
> multipart/alternative
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p001 1/1/1/1
> Content-Type: text/plain, size: 968 B, name:
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p002 1/1/1/2
> Content-Type: text/html, size: 5183 B, name:
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p003 1/1/2 Content-Type:
> image/png, size: 4414 B, name: image001.png
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p004 1/2 Content-Type:
> application/pdf, size: 393097 B, name: DC_ASTEK_Q_Charles_2017_08.pdf
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message
> passed to SA at 211221 bytes, orig 558708
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: performing
> public key lookup and signature verification
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED
> DKIM, i=@groupeastek365.onmicrosoft.com,
> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature
> verification result: FAIL (BODY HAS BEEN ALTERED)
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp:
> performing lookup on _adsp._domainkey.groupeastek.fr
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp
> result: U/unknown (dns: unknown), author domain 'groupeastek.fr'
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking to
> see if the message has a Received-SPF header that we can use
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: found a
> Received-SPF header added by an internal host: Received-SPF: Pass
> (sender SPF authorized) identity=mailfrom; client-ip=104.47.0.135;
> helo=eur01-he1-obe.outbound.protection.outlook.com;
> envelope-from=t...@groupeastek.fr; receiver=t...@tata.com
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: re-using
> mfrom result from Received-SPF header: pass
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking
> HELO (helo=EUR01-HE1-obe.outbound.protection.outlook.com, ip=104.47.0.135)
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: query for
> /104.47.0.135/EUR01-HE1-obe.outbound.protection.outlook.com: result:
> pass, comment: , text: Mechanism 'include:spf.protection.outlook.com'
> matched
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf:
> def_whitelist_from_spf: t...@groupeastek.fr is not in DEF_WHITELIST_FROM_SPF
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED
> signature by groupeastek365.onmicrosoft.com, author t...@groupeastek.fr,
> no valid matches
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: author
> t...@groupeastek.fr, not in any dkim whitelist
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf:
> whitelist_from_spf: t...@groupeastek.fr is not in user's WHITELIST_FROM_SPF
> Aug  9 10:25:44 vmail amavis[1524]: (01524-06) spam-tag,
>  -> ,