Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Felix Defrance wrote on 2017-08-10 17:09:

> Ok, but in many other cases SpamAssassin did not fail at this point and
> validated the signature. Why does it fail sometimes, and not all the time?

Verify, when it fails, what size the failed mail has. If it is truncated by amavisd, then extend the mail truncation size in amavisd; it's not a SpamAssassin problem if it's truncated data you provide to SA.

Otherwise drop amavisd and use spampd, which does not have that problem at all.
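The check suggested above (does each DKIM failure coincide with an amavis truncation?), as an added example that is not part of the original post: it groups amavis log lines by session id and separates body-hash failures that follow a "truncating a message passed to SA" line from those that do not. Session 01524-06 is taken from the log in this thread; sessions 01524-07 and 01524-08 are constructed, and the verdict labels are this example's own.

```python
import re
from collections import defaultdict

# amavis syslog line: "... amavis[pid]: (session-id) message"
SESSION = re.compile(r"amavis\[\d+\]: \((?P<sid>[\w-]+)\) (?P<msg>.*)$")
TRUNC = re.compile(r"truncating a message passed to SA at (\d+) bytes, orig (\d+)")
RESULT = re.compile(r"SA dbg: dkim: signature verification result: (\w+)(?: \((.*)\))?")

# Session 01524-06 is from the thread; 01524-07 and 01524-08 are constructed.
SAMPLE_LOG = """\
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message passed to SA at 211221 bytes, orig 558708
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
Aug 9 10:26:02 vmail amavis[1524]: (01524-07) SA dbg: dkim: signature verification result: PASS
Aug 9 10:27:15 vmail amavis[1524]: (01524-08) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
"""


def classify(log_text):
    """Return {session_id: verdict} for every session that has a DKIM result."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = SESSION.search(line)
        if not m:
            continue  # not an amavis line (opendkim, postfix, ...)
        info = sessions[m["sid"]]
        if t := TRUNC.search(m["msg"]):
            info["limit"], info["orig"] = int(t[1]), int(t[2])
        elif r := RESULT.search(m["msg"]):
            info["result"], info["detail"] = r[1], r[2] or ""

    verdicts = {}
    for sid, info in sessions.items():
        if "result" not in info:
            continue
        if info["result"] != "FAIL":
            verdicts[sid] = "ok"
        elif "limit" in info and "BODY" in info["detail"]:
            # SA hashed fewer bytes than the signer did, so this failure
            # says nothing about the message itself.
            verdicts[sid] = "truncation-artifact"
        else:
            verdicts[sid] = "genuine-failure"
    return verdicts


if __name__ == "__main__":
    for sid, verdict in classify(SAMPLE_LOG).items():
        print(sid, verdict)
```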
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
On 10/08/2017 at 16:33, RW wrote:
> On Thu, 10 Aug 2017 16:12:11 +0200
> Felix Defrance wrote:
>
>> In the first lines of the log, you can see the opendkim results are successful.
>>
>> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification successful
>> Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
>>
>> That's why I think Amavis or SpamAssassin is the cause.
>
> As I already pointed out, Amavis passed SpamAssassin a truncated,
> i.e. incomplete, email; it's inevitable that this will fail
> SpamAssassin's DKIM test. The opendkim result is on the full email.

Ok, but in many other cases SpamAssassin did not fail at this point and validated the signature. Why does it fail sometimes, and not all the time?

-- 
Félix Defrance
PGP: 0x0F04DC57
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
On Thu, 10 Aug 2017 15:12:11 +0100, Felix Defrance wrote:

> In the first lines of the log, you can see the opendkim results are successful.
>
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification successful
> Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
>
> That's why I think Amavis or SpamAssassin is the cause.

If you read the limitations section regarding milters in postfix

http://www.postfix.org/MILTER_README.html#limitations

you'll see that if you call both a milter and a before-queue content scanner they can't both process the full untampered-with message (as RW has mentioned). I forget the exact details, it's a long time since I had to look into it, but if you skip opendkim and opendmarc you should find that the DKIM check in SpamAssassin succeeds.

> Microsoft is helpful, but they should not be..

When companies sign up to use Microsoft email it is sent out signed using a domain MS control. It seems to work well for them and apparently makes it user friendly. I see a lot of ham that is DKIM invalid but I don't recall the last time it was from a Microsoft account. (That's probably tempting fate.)
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
On Thu, 10 Aug 2017 16:12:11 +0200
Felix Defrance wrote:

> In the first lines of the log, you can see the opendkim results are successful.
>
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification successful
> Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
>
> That's why I think Amavis or SpamAssassin is the cause.

As I already pointed out, Amavis passed SpamAssassin a truncated, i.e. incomplete, email; it's inevitable that this will fail SpamAssassin's DKIM test. The opendkim result is on the full email.
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
On 09/08/2017 at 18:53, David Jones wrote:
> On 08/09/2017 10:19 AM, Felix Defrance wrote:
>> Do you have any idea why the body has been altered sometimes? I
>> don't have any log about amavis altering the message body.
>>
>
> This happens when any server in the path modifies some of the headers or
> the body of the email after it was signed by the originator. Older
> Exchange servers are known to mess with DKIM signing. I think
> Exchange 2016 and Office 365 now properly handle mail so that DKIM
> doesn't break.
>
> It could be any of the Received: mail servers that broke DKIM. I
> don't think it was your Amavis that caused it. You could install
> OpenDKIM and OpenDMARC as a milter on the MTA to get some extra
> information before the message was passed to Amavis.

In the first lines of the log, you can see the opendkim results are successful.

Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification successful
Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none

That's why I think Amavis or SpamAssassin is the cause.

>> You don't think the problem came from this line?
>>
>> SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com, d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr, a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
>>
>
> No. This didn't cause the problem. It's just showing that the
> envelope-from domain didn't match the DKIM d= domain.
>
> groupeastek.fr <> groupeastek365.onmicrosoft.com
>
> Microsoft is trying to be helpful here and automatically DKIM signing
> with their own domain.

Ok - I didn't read the RFC - but could I suppose that Mail::SpamAssassin::Plugin::DKIM or Microsoft doesn't respect the standard?

Maybe I need to update Mail::SpamAssassin::Plugin::DKIM. I use libmail-dkim-perl 0.40-1 from Debian Jessie. Do you think the version is too old?

Or Microsoft is helpful, but they should not be..

>> Thx,
>>
>> On 09/08/2017 at 16:37, David Jones wrote:
>>> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>>>> Hi all,
>>>>
>>>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
>>>> signature verification while opendkim succeeds.
>>>>
>>>> I see these issues on domains which use onmicrosoft.com or gappssmtp.com.
>>>>
>>>> Here is the mail trace on my MTA, if anybody could help me.
>>>>
>>>> Thx,
>>>>
>>>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>>
>>>> -- 
>>>> Félix
>>>> PGP: 0x0F04DC57
>>>
>>> This is in the logs above:
>>>
>>> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>
>>
>> -- 
>> Félix Defrance
>> PGP: 0x0F04DC57
>>

-- 
Félix Defrance
PGP: 0x0F04DC57
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
On 10/08/2017 at 14:46, Benny Pedersen wrote:
> RW wrote on 2017-08-10 02:06:
>
>> If amavis only passes part of the email to SA, it isn't going to pass
>> DKIM.
>
> i think there are more underlying problems there, amavisd has its own
> dkim verifier and signer, even if spamassassin does not see the
> full mail, amavisd can verify and sign it still, so my next trolling is
> does the sa dkim module respect mime ?
>
> is dkim respecting mime when verifying and signing mime parts ?, good
> question imho to answer the first problem
>
> one thing i know is that dkim does not support 8bitmime, so why mime
> parts ? :(
>
> why does dkim sign all mime parts ?

In my setup, I don't use $enable_dkim_verification, $enable_dkim_signing in amavis.

-- 
Félix Defrance
PGP: 0x0F04DC57
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
RW wrote on 2017-08-10 02:06:

> If amavis only passes part of the email to SA, it isn't going to pass
> DKIM.

i think there are more underlying problems there, amavisd has its own dkim verifier and signer, even if spamassassin does not see the full mail, amavisd can verify and sign it still, so my next trolling is does the sa dkim module respect mime ?

is dkim respecting mime when verifying and signing mime parts ?, good question imho to answer the first problem

one thing i know is that dkim does not support 8bitmime, so why mime parts ? :(

why does dkim sign all mime parts ?
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
On Wed, 9 Aug 2017 16:33:57 +0200
Felix Defrance wrote:

> Hi all,
>
> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
> signature verification while opendkim succeeds.
>
> I see these issues on domains which use onmicrosoft.com or
> gappssmtp.com

...

> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message passed to SA at 211221 bytes, orig 558708

If amavis only passes part of the email to SA, it isn't going to pass DKIM.
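Why a truncated copy cannot verify, as an added example (not code from the thread or from SpamAssassin): the DKIM body hash (bh=) is computed over the canonicalized body, so a verifier that is handed only the first part of the message computes a different hash than the signer did. The 211221 and 558708 sizes and the relaxed/sha256 choice come from the log lines in this thread; the body content is constructed, and applying the limit to the body alone is a simplifying assumption.

```python
import base64
import hashlib
import re

SA_LIMIT = 211221   # from the log: "truncating a message passed to SA at 211221 bytes"
ORIG_SIZE = 558708  # from the log: "orig 558708"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 "relaxed" body canonicalization (c=relaxed/relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace inside a line and drop it at line ends.
    canon = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore empty lines at the end of the body.
    while canon and canon[-1] == b"":
        canon.pop()
    return b"".join(ln + b"\r\n" for ln in canon)


def body_hash(body: bytes) -> str:
    """Value a signer puts in bh= for a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()


def make_body(size: int) -> bytes:
    """Constructed filler body of exactly `size` bytes."""
    line = b"constructed sample line for the truncation demo\r\n"
    return (line * (size // len(line) + 1))[:size]


def verifies_after_truncation(body: bytes, limit: int = SA_LIMIT) -> bool:
    """Compare the signer's bh with the one computed from the truncated copy."""
    signed_bh = body_hash(body)          # what the sending side signed
    seen_bh = body_hash(body[:limit])    # what the content scanner can compute
    return signed_bh == seen_bh


if __name__ == "__main__":
    print("large message:", verifies_after_truncation(make_body(ORIG_SIZE)))
    print("small message:", verifies_after_truncation(make_body(5000)))
```

Messages below the limit are passed whole and hash identically, which is why only some mails fail.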
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
On 08/09/2017 10:19 AM, Felix Defrance wrote:
> Do you have any idea why the body has been altered sometimes? I
> don't have any log about amavis altering the message body.

This happens when any server in the path modifies some of the headers or the body of the email after it was signed by the originator. Older Exchange servers are known to mess with DKIM signing. I think Exchange 2016 and Office 365 now properly handle mail so that DKIM doesn't break.

It could be any of the Received: mail servers that broke DKIM. I don't think it was your Amavis that caused it. You could install OpenDKIM and OpenDMARC as a milter on the MTA to get some extra information before the message was passed to Amavis.

> You don't think the problem came from this line?
>
> SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com, d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr, a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain

No. This didn't cause the problem. It's just showing that the envelope-from domain didn't match the DKIM d= domain.

groupeastek.fr <> groupeastek365.onmicrosoft.com

Microsoft is trying to be helpful here and automatically DKIM signing with their own domain.

> Thx,
>
> On 09/08/2017 at 16:37, David Jones wrote:
>> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>>> Hi all,
>>>
>>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
>>> signature verification while opendkim succeeds.
>>>
>>> I see these issues on domains which use onmicrosoft.com or gappssmtp.com.
>>>
>>> Here is the mail trace on my MTA, if anybody could help me.
>>>
>>> Thx,
>>>
>>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>
>>> -- 
>>> Félix
>>> PGP: 0x0F04DC57
>>
>> This is in the logs above:
>>
>> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>
> -- 
> Félix Defrance
> PGP: 0x0F04DC57

-- 
David Jones
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Do you have any idea why the body has been altered sometimes? I don't have any log about amavis altering the message body.

You don't think the problem came from this line?

SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com, d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr, a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain

Thx,

On 09/08/2017 at 16:37, David Jones wrote:
> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>> Hi all,
>>
>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
>> signature verification while opendkim succeeds.
>>
>> I see these issues on domains which use onmicrosoft.com or gappssmtp.com.
>>
>> Here is the mail trace on my MTA, if anybody could help me.
>>
>> Thx,
>>
>> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: mail-he1eur01on0135.outbound.protection.outlook.com [104.47.0.135] not internal
>> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: not authenticated
>> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing domain match for 'groupeastek.fr'
>> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing subdomain match for 'groupeastek.fr'
>> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: failed to parse authentication-results: header field
>> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification successful
>> Aug 9 10:25:43 vmail opendkim[21923]: 0D81A778B1D: s=selector1-groupeastek-fr d=groupeastek365.onmicrosoft.com SSL
>> Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
>> Aug 9 10:25:43 vmail postfix/qmgr[9226]: 0D81A778B1D: from=, size=558389, nrcpt=1 (queue active)
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) ESMTP :10024 /var/lib/amavis/tmp/amavis-20170809T101204-01524-PE_s500S: -> SIZE=558389 Received: from vmail.tata.com ([127.0.0.1]) by localhost (vmail.tata.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 9 Aug 2017 10:25:43 +0200 (CEST)
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) Checking: 9j8FwaumEeNr [104.47.0.135] ->
>> Aug 9 10:25:43 vmail postfix/smtpd[4885]: disconnect from mail-he1eur01on0135.outbound.protection.outlook.com[104.47.0.135]
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p005 1 Content-Type: multipart/mixed
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p006 1/1 Content-Type: multipart/related
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p007 1/1/1 Content-Type: multipart/alternative
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p001 1/1/1/1 Content-Type: text/plain, size: 968 B, name:
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p002 1/1/1/2 Content-Type: text/html, size: 5183 B, name:
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p003 1/1/2 Content-Type: image/png, size: 4414 B, name: image001.png
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p004 1/2 Content-Type: application/pdf, size: 393097 B, name: DC_ASTEK_Q_Charles_2017_08.pdf
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message passed to SA at 211221 bytes, orig 558708
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: performing public key lookup and signature verification
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com, d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr, a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp: performing lookup on _adsp._domainkey.groupeastek.fr
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp result: U/unknown (dns: unknown), author domain 'groupeastek.fr'
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking to see if the message has a Received-SPF header that we can use
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: found a Received-SPF header added by an internal host: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=104.47.0.135; helo=eur01-he1-obe.outbound.protection.outlook.com; envelope-from=t...@groupeastek.fr; receiver=t...@tata.com
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: re-using mfrom result from Received-SPF header: pass
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking HELO (helo=EUR01-HE1-obe.outbound.protection.outlook.com, ip=104.47.0.135)
>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: query for /104.47.0.135/EUR01-HE1-obe.outbound.protection.outlook.com: result: pass, comment: , text: Mechanism 'include:spf.protection.outlook.com' matched
>> Aug 9 10:25:43 vmail amavis[1524]:
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
On 08/09/2017 09:33 AM, Felix Defrance wrote:
> Hi all,
>
> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
> signature verification while opendkim succeeds.
>
> I see these issues on domains which use onmicrosoft.com or gappssmtp.com.
>
> Here is the mail trace on my MTA, if anybody could help me.
>
> Thx,
>
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: mail-he1eur01on0135.outbound.protection.outlook.com [104.47.0.135] not internal
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: not authenticated
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing domain match for 'groupeastek.fr'
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing subdomain match for 'groupeastek.fr'
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: failed to parse authentication-results: header field
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification successful
> Aug 9 10:25:43 vmail opendkim[21923]: 0D81A778B1D: s=selector1-groupeastek-fr d=groupeastek365.onmicrosoft.com SSL
> Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
> Aug 9 10:25:43 vmail postfix/qmgr[9226]: 0D81A778B1D: from=, size=558389, nrcpt=1 (queue active)
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) ESMTP :10024 /var/lib/amavis/tmp/amavis-20170809T101204-01524-PE_s500S: -> SIZE=558389 Received: from vmail.tata.com ([127.0.0.1]) by localhost (vmail.tata.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 9 Aug 2017 10:25:43 +0200 (CEST)
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) Checking: 9j8FwaumEeNr [104.47.0.135] ->
> Aug 9 10:25:43 vmail postfix/smtpd[4885]: disconnect from mail-he1eur01on0135.outbound.protection.outlook.com[104.47.0.135]
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p005 1 Content-Type: multipart/mixed
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p006 1/1 Content-Type: multipart/related
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p007 1/1/1 Content-Type: multipart/alternative
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p001 1/1/1/1 Content-Type: text/plain, size: 968 B, name:
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p002 1/1/1/2 Content-Type: text/html, size: 5183 B, name:
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p003 1/1/2 Content-Type: image/png, size: 4414 B, name: image001.png
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p004 1/2 Content-Type: application/pdf, size: 393097 B, name: DC_ASTEK_Q_Charles_2017_08.pdf
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message passed to SA at 211221 bytes, orig 558708
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: performing public key lookup and signature verification
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com, d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr, a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp: performing lookup on _adsp._domainkey.groupeastek.fr
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp result: U/unknown (dns: unknown), author domain 'groupeastek.fr'
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking to see if the message has a Received-SPF header that we can use
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: found a Received-SPF header added by an internal host: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=104.47.0.135; helo=eur01-he1-obe.outbound.protection.outlook.com; envelope-from=t...@groupeastek.fr; receiver=t...@tata.com
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: re-using mfrom result from Received-SPF header: pass
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking HELO (helo=EUR01-HE1-obe.outbound.protection.outlook.com, ip=104.47.0.135)
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: query for /104.47.0.135/EUR01-HE1-obe.outbound.protection.outlook.com: result: pass, comment: , text: Mechanism 'include:spf.protection.outlook.com' matched
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: def_whitelist_from_spf: t...@groupeastek.fr is not in DEF_WHITELIST_FROM_SPF
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED signature by groupeastek365.onmicrosoft.com, author t...@groupeastek.fr, no valid matches
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: author t...@groupeastek.fr, not in any dkim whitelist
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: whitelist_from_spf: t...@groupeastek.fr is not in user's WHITELIST_FROM_SPF
> Aug 9 10:25:44 vmail amavis[1524]: (01524-06) spam-tag, -> ,