[gentoo-user] OT: amavis and DKIM verification

[gentoo-user] OT: amavis and DKIM verification

[Matt Harrison]

[-- Attachment #1: Type: text/plain, Size: 1979 bytes --]

I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm
just not sure who to ask or even if it could be something Gentoo related.

I've recently updated my postfix home mail server to use amavis-new for virus and spam
filtering rather than procmail/spamassassin.

It seems to be working well and I've also enabled some other goodies like DKIM signing
and verification. I haven't confirmed signing is working yet, so maybe a side effect
of this email is that someone can confirm this for me ;)

The main query I have is that a lot of the mail I get, in this case from various
mailing lists, appears to failed DKIM verification.

For example, several of the posters on this list are DKIM signing their mail either as
part of gmail policy (or another big provider) or personal intent. Something in the
region of 50% of signed mail on this list contains headers such as:

Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail
        (fail, message has been altered) header.i=@gmail.com
Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=softfail
        (fail, message has been altered) header.from=xxxxxx@gmail.com

Whereas the rest looks like this:

Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass
        header.i=@gmail.com
Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass
        header.from=xxxxxx@gmail.com

Now I find it unreasonable to assume that 50% of the mail I receive is being actively
tampered with, so it must be something getting twisted out of shape. All I'm trying to
discover is whether it's something at my end that I need to fiddle with. I followed a
few different guides to piece my setup together so it's quite possible I've overlooked
or misconfigured something.

If anyone knows about DKIM and might be able to shed a light on this, I'd love to
hear. It's not a big problem, just a puzzle I'm interested in.

Thanks

Matt Harrison

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] OT: amavis and DKIM verification

[Stroller]

On 10 Jan 2010, at 21:26, Matt Harrison wrote:

> I say OT because it's my understanding of DKIM that lets me down  
> here, not Gentoo. I'm
> just not sure who to ask or even if it could be something Gentoo  
> related.
>
> I've recently updated my postfix home mail server ...

I'm not able to help with this, but it's something I want to look at  
myself this year. However the postfix-users mailing list <postfix-users@postfix.org 
 > would probably be a useful resource.

Stroller.

Re: [gentoo-user] OT: amavis and DKIM verification

[Xavier Parizet]

[-- Attachment #1: Type: text/plain, Size: 2557 bytes --]

Le 10/01/2010 22:26, Matt Harrison a écrit :
> I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm
> just not sure who to ask or even if it could be something Gentoo related.
> 
> I've recently updated my postfix home mail server to use amavis-new for virus and spam
> filtering rather than procmail/spamassassin.
> 
> It seems to be working well and I've also enabled some other goodies like DKIM signing
> and verification. I haven't confirmed signing is working yet, so maybe a side effect
> of this email is that someone can confirm this for me ;)

Your mail is not DKIM-Signed, check your setup.

> The main query I have is that a lot of the mail I get, in this case from various
> mailing lists, appears to failed DKIM verification.
> 
> For example, several of the posters on this list are DKIM signing their mail either as
> part of gmail policy (or another big provider) or personal intent. Something in the
> region of 50% of signed mail on this list contains headers such as:
> 
> Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail
>         (fail, message has been altered) header.i=@gmail.com
> Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=softfail
>         (fail, message has been altered) header.from=xxxxxx@gmail.com
> 
> Whereas the rest looks like this:
> 
> Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass
>         header.i=@gmail.com
> Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass
>         header.from=xxxxxx@gmail.com
> 
> Now I find it unreasonable to assume that 50% of the mail I receive is being actively
> tampered with, so it must be something getting twisted out of shape. All I'm trying to
> discover is whether it's something at my end that I need to fiddle with. I followed a
> few different guides to piece my setup together so it's quite possible I've overlooked
> or misconfigured something.

90% chance the emails failing DKIM verification had their email subject modified
to add "[gentoo-user]" in it by the mlmmj program that manage the mailing-list,
which mainly concerns topic starts (ie first mails about one topic).

> If anyone knows about DKIM and might be able to shed a light on this, I'd love to
> hear. It's not a big problem, just a puzzle I'm interested in.
> 
> Thanks
> 
> Matt Harrison

-- 
      Xavier Parizet
YaGB :   http://gentooist.com
GPG  :    C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

Re: [gentoo-user] OT: amavis and DKIM verification

[Matt Harrison]

[-- Attachment #1: Type: text/plain, Size: 3163 bytes --]

On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote:
> Le 10/01/2010 22:26, Matt Harrison a ??crit :
> > I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm
> > just not sure who to ask or even if it could be something Gentoo related.
> > 
> > I've recently updated my postfix home mail server to use amavis-new for virus and spam
> > filtering rather than procmail/spamassassin.
> > 
> > It seems to be working well and I've also enabled some other goodies like DKIM signing
> > and verification. I haven't confirmed signing is working yet, so maybe a side effect
> > of this email is that someone can confirm this for me ;)
> 
> Your mail is not DKIM-Signed, check your setup.

Ok, thanks for checking, it appears that outbound messages weren't being passed to
amavis, I think I've rectified that now.

I can see the message being scanned in the logs, but not necessarily being signed
though. Inbound messages generate warnings such as:

dkim: not signing, no applicable private key for domains ruby-forum.com.....

but my outbound messages just scan clean. I've tried without sender maps and with
limiting them to my domain.

> > The main query I have is that a lot of the mail I get, in this case from various
> > mailing lists, appears to failed DKIM verification.
> > 
> > For example, several of the posters on this list are DKIM signing their mail either as
> > part of gmail policy (or another big provider) or personal intent. Something in the
> > region of 50% of signed mail on this list contains headers such as:
> > 
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail
> >         (fail, message has been altered) header.i=@gmail.com
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=softfail
> >         (fail, message has been altered) header.from=xxxxxx@gmail.com
> > 
> > Whereas the rest looks like this:
> > 
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass
> >         header.i=@gmail.com
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass
> >         header.from=xxxxxx@gmail.com
> > 
> > Now I find it unreasonable to assume that 50% of the mail I receive is being actively
> > tampered with, so it must be something getting twisted out of shape. All I'm trying to
> > discover is whether it's something at my end that I need to fiddle with. I followed a
> > few different guides to piece my setup together so it's quite possible I've overlooked
> > or misconfigured something.
> 
> 90% chance the emails failing DKIM verification had their email subject modified
> to add "[gentoo-user]" in it by the mlmmj program that manage the mailing-list,
> which mainly concerns topic starts (ie first mails about one topic).

That would make a lot of sense, I'm not sure if it's just the first messages that are
doing it, but I have a feeling that others in a thread are also failing.

Thanks for your input Xavier, I think I need to get over to the amavis or postfix
guys, like Stroller said, to really figure out what is happening.

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] OT: amavis and DKIM verification

[Xavier Parizet]

[-- Attachment #1: Type: text/plain, Size: 2490 bytes --]

Le 11/01/2010 16:31, Matt Harrison a écrit :
> On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote:
>> Le 10/01/2010 22:26, Matt Harrison a ??crit :
>>> I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm
>>> just not sure who to ask or even if it could be something Gentoo related.
>>>
>>> I've recently updated my postfix home mail server to use amavis-new for virus and spam
>>> filtering rather than procmail/spamassassin.
>>>
>>> It seems to be working well and I've also enabled some other goodies like DKIM signing
>>> and verification. I haven't confirmed signing is working yet, so maybe a side effect
>>> of this email is that someone can confirm this for me ;)
>>
>> Your mail is not DKIM-Signed, check your setup.
> 
> Ok, thanks for checking, it appears that outbound messages weren't being passed to
> amavis, I think I've rectified that now.
> 
> I can see the message being scanned in the logs, but not necessarily being signed
> though. Inbound messages generate warnings such as:
> 
> dkim: not signing, no applicable private key for domains ruby-forum.com.....

Seems that either you forgot to setup the DNS for ruby-forum.com with the public
key, or you don't own ruby-forum.com, as well as his private key.

Keep in mind that signing is done according to the "From:" header content.

> but my outbound messages just scan clean. I've tried without sender maps and with
> limiting them to my domain.
> 
>>> The main query I have is that a lot of the mail I get, in this case from various
>>> mailing lists, appears to failed DKIM verification.
[SNIP]
>>
>> 90% chance the emails failing DKIM verification had their email subject modified
>> to add "[gentoo-user]" in it by the mlmmj program that manage the mailing-list,
>> which mainly concerns topic starts (ie first mails about one topic).
> 
> That would make a lot of sense, I'm not sure if it's just the first messages that are
> doing it, but I have a feeling that others in a thread are also failing.

After some checking, it appears that Reply-To: header is also modified by mlmmj,
and so DKIM verification fails too for these ones.

> 
> Thanks for your input Xavier, I think I need to get over to the amavis or postfix
> guys, like Stroller said, to really figure out what is happening.


-- 
      Xavier Parizet
YaGB :   http://gentooist.com
GPG  :    C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]