From: Matt Harrison
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OT: amavis and DKIM verification
Date: Mon, 11 Jan 2010 15:31:10 +0000
Message-ID: <20100111153110.GB7076@genestate.com>
In-Reply-To: <4B4B3F13.50105@gentooist.com>

On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote:
> On 10/01/2010 22:26, Matt Harrison wrote:
> > I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm
> > just not sure who to ask or even if it could be something Gentoo related.
> >
> > I've recently updated my postfix home mail server to use amavis-new for virus and spam
> > filtering rather than procmail/spamassassin.
> >
> > It seems to be working well and I've also enabled some other goodies like DKIM signing
> > and verification. I haven't confirmed signing is working yet, so maybe a side effect
> > of this email is that someone can confirm this for me ;)
>
> Your mail is not DKIM-Signed, check your setup.

Ok, thanks for checking, it appears that outbound messages weren't being passed to amavis,
I think I've rectified that now.

I can see the message being scanned in the logs, but not necessarily being signed though.
Inbound messages generate warnings such as:

dkim: not signing, no applicable private key for domains ruby-forum.com.....

but my outbound messages just scan clean. I've tried without sender maps and with limiting
them to my domain.

> > The main query I have is that a lot of the mail I get, in this case from various
> > mailing lists, appears to have failed DKIM verification.
> >
> > For example, several of the posters on this list are DKIM signing their mail either as
> > part of gmail policy (or another big provider) or personal intent. Something in the
> > region of 50% of signed mail on this list contains headers such as:
> >
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail
> >   (fail, message has been altered) header.i=@gmail.com
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=softfail
> >   (fail, message has been altered) header.from=xxxxxx@gmail.com
> >
> > Whereas the rest looks like this:
> >
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass
> >   header.i=@gmail.com
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass
> >   header.from=xxxxxx@gmail.com
> >
> > Now I find it unreasonable to assume that 50% of the mail I receive is being actively
> > tampered with, so it must be something getting twisted out of shape. All I'm trying to
> > discover is whether it's something at my end that I need to fiddle with. I followed a
> > few different guides to piece my setup together so it's quite possible I've overlooked
> > or misconfigured something.
>
> 90% chance the emails failing DKIM verification had their email subject modified
> to add "[gentoo-user]" in it by the mlmmj program that manages the mailing-list,
> which mainly concerns topic starts (i.e. first mails about one topic).

That would make a lot of sense, I'm not sure if it's just the first messages that are doing
it, but I have a feeling that others in a thread are also failing.

Thanks for your input Xavier, I think I need to get over to the amavis or postfix guys, like
Stroller said, to really figure out what is happening.
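
Added example, not part of the original message and not code from amavisd-new or mlmmj: a sketch of why the subject-tag explanation in the thread fits "message has been altered" on topic starts but not on replies. It applies RFC 6376 "relaxed" header canonicalization to the Subject before and after the list; it assumes the sender's signature covers Subject (listed in the `h=` tag) and that the list manager only prefixes the tag when it is missing. `list_rewrite`, `survives_list` and the sample subjects are constructed for illustration.

```python
import re

LIST_TAG = "[gentoo-user]"  # subject prefix mentioned in the thread


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse runs of WSP, trim ends
    return f"{name.strip().lower()}:{value}\r\n"


def list_rewrite(subject: str) -> str:
    """Assumed list-manager behaviour: add the tag only if it is not already there."""
    return subject if LIST_TAG in subject else f"{LIST_TAG} {subject}"


def survives_list(subject_as_signed: str) -> bool:
    """True if the Subject bytes covered by the signature are identical after the list."""
    signed = relaxed_header("Subject", subject_as_signed)
    received = relaxed_header("Subject", list_rewrite(subject_as_signed))
    return signed == received


def triage(subjects):
    """Map each subject (as the sender signed it) to the verdict a verifier would reach."""
    return {s: ("pass" if survives_list(s) else "fail (subject altered)") for s in subjects}


# Constructed sample subjects: one topic start, one reply that already carries the tag.
SAMPLES = [
    "OT: amavis and DKIM verification",
    "Re: [gentoo-user] OT: amavis and DKIM verification",
]

if __name__ == "__main__":
    # Re-folding and extra whitespace are tolerated by relaxed canonicalization...
    print(relaxed_header("SUBJECT", "OT:  amavis and\r\n DKIM verification "), end="")
    # ...but an inserted tag changes the signed bytes.
    for subject, verdict in triage(SAMPLES).items():
        print(f"{verdict:24} {subject}")
```

Failures on replies that already carry the tag point to a different modification than the Subject rewrite modelled here.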