Re: [gentoo-user] OT: amavis and DKIM verification

[Matt Harrison <iwasinnamuknow@genestate.com>]

[-- Attachment #1: Type: text/plain, Size: 3163 bytes --]

On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote:
> Le 10/01/2010 22:26, Matt Harrison a ??crit :
> > I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm
> > just not sure who to ask or even if it could be something Gentoo related.
> > 
> > I've recently updated my postfix home mail server to use amavis-new for virus and spam
> > filtering rather than procmail/spamassassin.
> > 
> > It seems to be working well and I've also enabled some other goodies like DKIM signing
> > and verification. I haven't confirmed signing is working yet, so maybe a side effect
> > of this email is that someone can confirm this for me ;)
> 
> Your mail is not DKIM-Signed, check your setup.

Ok, thanks for checking, it appears that outbound messages weren't being passed to
amavis, I think I've rectified that now.

I can see the message being scanned in the logs, but not necessarily being signed
though. Inbound messages generate warnings such as:

dkim: not signing, no applicable private key for domains ruby-forum.com.....

but my outbound messages just scan clean. I've tried without sender maps and with
limiting them to my domain.

> > The main query I have is that a lot of the mail I get, in this case from various
> > mailing lists, appears to failed DKIM verification.
> > 
> > For example, several of the posters on this list are DKIM signing their mail either as
> > part of gmail policy (or another big provider) or personal intent. Something in the
> > region of 50% of signed mail on this list contains headers such as:
> > 
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail
> >         (fail, message has been altered) header.i=@gmail.com
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=softfail
> >         (fail, message has been altered) header.from=xxxxxx@gmail.com
> > 
> > Whereas the rest looks like this:
> > 
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass
> >         header.i=@gmail.com
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass
> >         header.from=xxxxxx@gmail.com
> > 
> > Now I find it unreasonable to assume that 50% of the mail I receive is being actively
> > tampered with, so it must be something getting twisted out of shape. All I'm trying to
> > discover is whether it's something at my end that I need to fiddle with. I followed a
> > few different guides to piece my setup together so it's quite possible I've overlooked
> > or misconfigured something.
> 
> 90% chance the emails failing DKIM verification had their email subject modified
> to add "[gentoo-user]" in it by the mlmmj program that manage the mailing-list,
> which mainly concerns topic starts (ie first mails about one topic).

That would make a lot of sense, I'm not sure if it's just the first messages that are
doing it, but I have a feeling that others in a thread are also failing.

Thanks for your input Xavier, I think I need to get over to the amavis or postfix
guys, like Stroller said, to really figure out what is happening.

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]