Le 09/08/2017 à 18:53, David Jones a écrit :
> On 08/09/2017 10:19 AM, Felix Defrance wrote:
>> Do you have any idea why the body has been altered sometimes ? I
>> don't have any log about amavis alterate body message.
> This happens when any server in the path modify some of the headers or
> the body of the email after it was signed by the originator. Older
> Exchange servers are known to mess with DKIM signing. I think
> Exchange 2016 and Office 365 now properly handle mail so that DKIM
> doesn't break.
> It could be any of the Received: mail servers that broke DKIM. I
> don't think it was your Amavis that caused it. You could install
> OpenDKIM and OpenDMARC as a milter on the MTA to get some extra
> information before the message was passed to Amavis.
In the first lines on log, you could see opendkim results are success.
Aug 9 10:25:42 vmail opendkim: 0D81A778B1D: DKIM verification
Aug 9 10:25:43 vmail opendmarc: 0D81A778B1D: groupeastek.fr none
That why I think Amavis or Spamassassin is in cause.
>> You don't think the problem came from this line ?
>> SA dbg: dkim: FAILED DKIM, email@example.com,
>> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
>> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
> No. This didn't cause the problem. It's just showing that the
> envelope-from domain didn't match the DKIM d= domain.
> groupeastek.fr <> groupeastek365.onmicrosoft.com
> Microsoft is trying to be helpful here and automatically DKIM signing
> with their own domain.
Ok - i don't read the rfc - but, could I suppose
Mail::SpamAssassin::Plugin::DKIM or Microsoft don't respect the standard ?
Maybe I need to update Mail::SpamAssassin::Plugin::DKIM.
I use libmail-dkim-perl 0.40-1 from Debian Jessie. Do you think the
version is too old ?
Microsoft is helpful, but they should be not..
>> Le 09/08/2017 à 16:37, David Jones a écrit :
>>> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>>>> Hi all,
>>>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fail on
>>>> signature verification instead of opendkim success..
>>>> I see thats issues on domain which use onmicrosoft.com or
>>>> Here is the mail trace on my MTA, if anybody could help me.
>>>> Aug 9 10:25:43 vmail amavis: (01524-06) SA dbg: dkim:
>>>> signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>> PGP: 0x0F04DC57
>>> This is in the logs above:
>>> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>> Félix Defrance
>> PGP: 0x0F04DC57