You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by zespri <na...@brutsoft.com> on 2014/06/06 09:44:03 UTC
I'm getting T_DKIM_INVALID from gmail
I realize that this is not directly related to spam assassin, but I appeal to
all you helpful folk here.
For whatever reason if I send an email from gmail when it arrives it's
marked with T_DKIM_INVALID. I inspected the original and the result and
there are a few differences. Dkim header has this:
"h=mime-version:in-reply-to:references:date:message-id:subject:from:to:content-type;"
I'm guessing these are the fields that are being signed.
The differences are:
1) Delivered-To header was gmail address became target address
2) New headers: Return-Path, X-Spam-Checker-Version, X-Spam-Level,
X-Spam-Status, Received, DKIM-Signature, X-Received
3) The last and I'm guessing the most important difference is that
Content-Type header is different.
Here is what Content-Type header looks like:
Content-Type: multipart/alternative; boundary=089e013cb942d5a93f04fb25badd
Everything that goes after boundary= is different in the original message
and what ends up in the inbox.
I'm receiving the emails with postfix and it then goes to spamc and then to
dovecot. This is from master.cf:
> flags=DRhu user=vmail:vmail argv=/usr/bin/spamc -u ${recipient} -e
> /usr/lib/dovecot/deliver -d ${recipient}
Do you happen to have an idea why this is happening?
Cheers,
Andrew
--
View this message in context: http://spamassassin.1065346.n5.nabble.com/I-m-getting-T-DKIM-INVALID-from-gmail-tp109464.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: I'm getting T_DKIM_INVALID from gmail
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-06-06 at 00:44 -0700, a pseudonymous Nabble user wrote:
> For whatever reason if I send an email from gmail when it arrives it's
> marked with T_DKIM_INVALID. I inspected the original and the result and
> there are a few differences. [...]
> 3) The last and I'm guessing the most important difference is that
> Content-Type header is different.
Turns out this is entirely unrelated to (message structure) modification
or invalidating the signature.
DKIM_INVALID is a meta rule, requiring the existence of a DKIM-Signature
header, and the stock DKIM_VALID rule to not match.
meta DKIM_INVALID __DKIM_EXISTS && !DKIM_VALID
Since there are no other DKIM related test hits, it appears you do not
have the Mail::DKIM Perl module installed. It's an optional third-party
module, though required for DKIM support in SA.
The problem is logic failure. Invalid is NOT the opposite of valid, in
case the absence of validation is possible.
In other words, DKIM_INVALID will hit on any DKIM signed message, if the
optional Mail::DKIM Perl module is not installed.
Since that rule is in testing mode only (the T_ prefix), its score is
informational only and negligible. To get rid of that rule anyway,
without installing Mail::DKIM, just overwrite its score in local.cf.
score T_DKIM_INVALID 0
With a zeroed out score, that rule will not be evaluated at all.
That said, there are a few possible things to improve for that meta rule
in development in Adam's sandbox.
First of all, the custom check for the existence of a header is bad.
That better should use DKIM_SIGNED of 25_dkim.cf.
The logic of !rule could be improved, though that's not necessary if the
above is corrected.
Cc'ing Adam, in case he missed this thread.
In a related topic, the DKIM_INVALID rule in 20_khop_bl.cf is properly
guarded by ifplugin checking for M::SA::Plugin::DKIM. However, that is
insufficient in this case, since it only checks loading the SA plugin,
not verifying it being functional (depending on a third-party module).
FWIW, this was surprising for me, too. I verified by actually setting up
a test environment lacking Mail::DKIM, but still triggering an ifplugin
guarded test rule.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: I'm getting T_DKIM_INVALID from gmail
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 06.06.14 00:44, zespri wrote:
>For whatever reason if I send an email from gmail when it arrives it's
>marked with T_DKIM_INVALID. I inspected the original and the result and
>there are a few differences. Dkim header has this:
>"h=mime-version:in-reply-to:references:date:message-id:subject:from:to:content-type;"
>I'm guessing these are the fields that are being signed.
>3) The last and I'm guessing the most important difference is that
>Content-Type header is different.
This is apparently what causes the issue.
btw: get rid of dnjbdns and replace it with something supported.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
Re: I'm getting T_DKIM_INVALID from gmail
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-06-06 at 14:47 -0700, a pseudonymous Nabble user wrote:
> Thank you for you reply
>
> 1) I used gmail web interface, [...]
> 2) I looked at the original by going to the gmail web interface and
> selecting "show original"
In that case, it is not necessarily guaranteed the multipart boundary
matches the received message. One would assume this to be true, but it
depends on gmail internal storage and representation. It is entirely
possible internal storage focuses on content, with some vital meta-data
like e.g. time and date. The multipart boundary is a technical detail,
that might as well be generated when needed.
That part of a MIME message's structure is guaranteed to match, though,
if the source is a local copy of the actual message sent via SMTP.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: I'm getting T_DKIM_INVALID from gmail
Posted by zespri <na...@brutsoft.com>.
Thank you for you reply
1) I used gmail web interface, but now after you asked I tried sending from
iPad. Result is somewhat different. There is no multipart content type now,
but T_DKIM_INVALID is still present.
2) I looked at the original by going to the gmail web interface and
selecting "show original"
3) Here is the paste of my last test email from iPad:
http://poshcode.com/paste/285/36Uo97csiWPrXBQfEla5AMJnI
--
View this message in context: http://spamassassin.1065346.n5.nabble.com/I-m-getting-T-DKIM-INVALID-from-gmail-tp109464p109484.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: I'm getting T_DKIM_INVALID from gmail
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-06-06 at 00:44 -0700, a pseudonymous Nabble user wrote:
> For whatever reason if I send an email from gmail when it arrives it's
> marked with T_DKIM_INVALID. I inspected the original and the result and
> there are a few differences.
By sending "from gmail", are you referring to using the web interface,
or a local client with IMAP / SMTP?
And how exactly did you retrieve the "original"?
> Here is what Content-Type header looks like:
> Content-Type: multipart/alternative; boundary=089e013cb942d5a93f04fb25badd
Don't paste single headers inline. Instead, put the raw, original
messages up a pastebin and provide the links.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}