Posted to users@spamassassin.apache.org by Felix Defrance <fe...@d2france.fr> on 2017/08/09 14:33:57 UTC
SA dbg: dkim: FAILED DKIM .. does not match author domain
Hi all,
I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
signature verification while opendkim succeeds.
I see these issues on domains which use onmicrosoft.com or gappssmtp.com.
Here is the mail trace on my MTA, if anybody could help me.
Thx,
Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D:
mail-he1eur01on0135.outbound.protection.outlook.com [104.47.0.135] not
internal
Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: not authenticated
Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing domain
match for 'groupeastek.fr'
Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing subdomain
match for 'groupeastek.fr'
Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: failed to parse
authentication-results: header field
Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
successful
Aug 9 10:25:43 vmail opendkim[21923]: 0D81A778B1D:
s=selector1-groupeastek-fr d=groupeastek365.onmicrosoft.com SSL
Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
Aug 9 10:25:43 vmail postfix/qmgr[9226]: 0D81A778B1D:
from=<tu...@groupeastek.fr>, size=558389, nrcpt=1 (queue active)
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) ESMTP :10024
/var/lib/amavis/tmp/amavis-20170809T101204-01524-PE_s500S:
<tu...@groupeastek.fr> -> <to...@tata.com> SIZE=558389 Received: from
vmail.tata.com ([127.0.0.1]) by localhost (vmail.tata.com [127.0.0.1])
(amavisd-new, port 10024) with ESMTP for <to...@tata.com>; Wed, 9 Aug
2017 10:25:43 +0200 (CEST)
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) Checking: 9j8FwaumEeNr
[104.47.0.135] <tu...@groupeastek.fr> -> <to...@tata.com>
Aug 9 10:25:43 vmail postfix/smtpd[4885]: disconnect from
mail-he1eur01on0135.outbound.protection.outlook.com[104.47.0.135]
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p005 1 Content-Type:
multipart/mixed
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p006 1/1 Content-Type:
multipart/related
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p007 1/1/1 Content-Type:
multipart/alternative
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p001 1/1/1/1
Content-Type: text/plain, size: 968 B, name:
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p002 1/1/1/2
Content-Type: text/html, size: 5183 B, name:
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p003 1/1/2 Content-Type:
image/png, size: 4414 B, name: image001.png
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) p004 1/2 Content-Type:
application/pdf, size: 393097 B, name: DC_ASTEK_Q_Charles_2017_08.pdf
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message
passed to SA at 211221 bytes, orig 558708
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: performing
public key lookup and signature verification
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED
DKIM, i=@groupeastek365.onmicrosoft.com,
d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature
verification result: FAIL (BODY HAS BEEN ALTERED)
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp:
performing lookup on _adsp._domainkey.groupeastek.fr
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp
result: U/unknown (dns: unknown), author domain 'groupeastek.fr'
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking to
see if the message has a Received-SPF header that we can use
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: found a
Received-SPF header added by an internal host: Received-SPF: Pass
(sender SPF authorized) identity=mailfrom; client-ip=104.47.0.135;
helo=eur01-he1-obe.outbound.protection.outlook.com;
envelope-from=tutu@groupeastek.fr; receiver=toto@tata.com
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: re-using
mfrom result from Received-SPF header: pass
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking
HELO (helo=EUR01-HE1-obe.outbound.protection.outlook.com, ip=104.47.0.135)
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: query for
/104.47.0.135/EUR01-HE1-obe.outbound.protection.outlook.com: result:
pass, comment: , text: Mechanism 'include:spf.protection.outlook.com'
matched
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf:
def_whitelist_from_spf: tutu@groupeastek.fr is not in DEF_WHITELIST_FROM_SPF
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED
signature by groupeastek365.onmicrosoft.com, author tutu@groupeastek.fr,
no valid matches
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: author
tutu@groupeastek.fr, not in any dkim whitelist
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf:
whitelist_from_spf: tutu@groupeastek.fr is not in user's WHITELIST_FROM_SPF
Aug 9 10:25:44 vmail amavis[1524]: (01524-06) spam-tag,
<tu...@groupeastek.fr> -> <to...@tata.com>, No, score=3.189
tagged_above=-9999 required=5 tests=[BAYES_00=-1.9,
CUST_DKIM_SIGNED_INVALID=5, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01,
RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
--
Félix
PGP: 0x0F04DC57
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by Felix Defrance <fe...@d2france.fr>.
Le 10/08/2017 à 14:46, Benny Pedersen a écrit :
> RW skrev den 2017-08-10 02:06:
>
>> If amavis only passes part of the email to SA, it isn't going to pass
>> DKIM.
>
> i think there are more underlying problems there, amavisd has its own
> dkim verify and signer, even if spamassassin does not see the
> full mail, amavisd can verify and sign it still, so my next trolling is
> does sa dkim module respect mime ?
>
> is dkim respecting mime verify and signing of mime parts ?, good
> question imho to answer the first problem
>
> one thing i know is that dkim does not support 8bitmime, so why mime
> parts ? :(
>
> why dkim sign all mime parts ?
In my setup, I don't use $enable_dkim_verification or $enable_dkim_signing
in amavis.
--
Félix Defrance
PGP: 0x0F04DC57
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by Benny Pedersen <me...@junc.eu>.
RW skrev den 2017-08-10 02:06:
> If amavis only passes part of the email to SA, it isn't going to pass
> DKIM.
i think there are more underlying problems there, amavisd has its own
dkim verify and signer, even if spamassassin does not see the full mail,
amavisd can verify and sign it still, so my next trolling is does sa
dkim module respect mime ?
is dkim respecting mime verify and signing of mime parts ?, good
question imho to answer the first problem
one thing i know is that dkim does not support 8bitmime, so why mime
parts ? :(
why dkim sign all mime parts ?
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by RW <rw...@googlemail.com>.
On Wed, 9 Aug 2017 16:33:57 +0200
Felix Defrance wrote:
> Hi all,
>
> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
> signature verification while opendkim succeeds.
>
> I see these issues on domains which use onmicrosoft.com or
> gappssmtp.com.
...
> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message
> passed to SA at 211221 bytes, orig 558708
If amavis only passes part of the email to SA, it isn't going to pass
DKIM.
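Added example, not written by any poster in this thread: the point above in code. It implements the relaxed body canonicalization and SHA-256 body hash (the bh= value) from RFC 6376 and compares the hash of a full body with the hash of its first 211221 bytes. The body is constructed filler, and cutting the body at a byte offset is a simplified model of what amavis hands to SpamAssassin.

```python
import base64
import hashlib
import re

# Figures taken from the amavis log line quoted in this thread.
SA_TRUNCATE_AT = 211221   # "truncating a message passed to SA at 211221 bytes"
ORIGINAL_SIZE = 558708    # "orig 558708"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)   # collapse runs of WSP to one SP
        lines.append(line.rstrip(b" "))          # ignore WSP at end of line
    while lines and lines[-1] == b"":            # ignore empty lines at end of body
        lines.pop()
    # A non-empty body always ends in exactly one CRLF after canonicalization.
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """bh= value for a=rsa-sha256, c=relaxed/relaxed (no l= tag)."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()


def verifier_result(signed_bh: str, body_seen: bytes) -> str:
    """Body-hash step only; the RSA check over the headers is not modelled."""
    if body_hash(body_seen) == signed_bh:
        return "pass"
    return "fail (body hash mismatch)"


def constructed_body(size: int) -> bytes:
    """Deterministic filler standing in for a real body of about `size` bytes."""
    return b"".join(b"constructed line %06d\r\n" % i for i in range(size // 25 + 1))


def compare(body: bytes, limit: int = SA_TRUNCATE_AT) -> dict:
    signed_bh = body_hash(body)   # computed by the signer over the whole body
    return {
        "full_view": verifier_result(signed_bh, body),               # e.g. a milter
        "truncated_view": verifier_result(signed_bh, body[:limit]),  # what SA was given
    }


if __name__ == "__main__":
    print("large mail:", compare(constructed_body(ORIGINAL_SIZE)))
    print("small mail:", compare(constructed_body(5000)))
```

A body shorter than the limit is passed through whole, so both views agree; only mail larger than the limit shows the mismatch.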
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by Kevin Golding <kp...@caomhin.org>.
On Thu, 10 Aug 2017 15:12:11 +0100, Felix Defrance <fe...@d2france.fr>
wrote:
> In the first lines of the log, you can see the opendkim results are successful.
>
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
> successful
> Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
>
> That's why I think Amavis or Spamassassin is the cause.
If you read the limitations section regarding milters in postfix
http://www.postfix.org/MILTER_README.html#limitations you'll see that if
you call both a milter and a before-queue content scanner they can't both
process the full untampered with message (as RW has mentioned).
I forget the exact details, it's a long time since I had to look into it,
but if you skip opendkim and opendmarc you should find that the DKIM check
in SpamAssassin succeeds.
> Microsoft is helpful, but they should not be.
When companies sign up to use Microsoft email it is sent out signed using
a domain MS control. It seems to work well for them and apparently makes
it user friendly. I see a lot of ham that is DKIM invalid but I don't
recall the last time it was from a Microsoft account. (That's probably
tempting fate.)
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by Benny Pedersen <me...@junc.eu>.
Felix Defrance skrev den 2017-08-10 17:09:
> OK, but in many other cases spamassassin did not fail at this point and
> validated the signing. Why does it fail sometimes, and not all the time?
verify when it fails what size the failed mail has, if it is
truncated by amavisd, then extend the mail truncating size in amavisd, it's
not a spamassassin problem, if it's truncated data you provide for sa
else drop amavisd, and use spampd, where it does not make that problem
at all
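Added example, not part of any post in this thread: one way to run the check suggested above, pairing each amavis session's truncation notice with SpamAssassin's DKIM result. The first two sample lines are the ones from this thread joined onto single lines; sessions 01524-07 and 01530-02 are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines 1-2: from this thread (unwrapped). Lines 3-4: constructed.
SAMPLE_LOG = """\
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message passed to SA at 211221 bytes, orig 558708
Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
Aug 9 10:31:02 vmail amavis[1524]: (01524-07) SA dbg: dkim: signature verification result: PASS
Aug 9 10:40:17 vmail amavis[1530]: (01530-02) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
"""

SESSION = re.compile(r"amavis\[\d+\]: \((?P<sid>[\w-]+)\) (?P<msg>.*)")
TRUNCATED = re.compile(r"truncating a message passed to SA at (\d+) bytes, orig (\d+)")
DKIM_RESULT = re.compile(r"dkim: signature verification result: (\w+)(?: \((.+)\))?")


def triage(log_text: str) -> dict:
    """Group amavis log lines by session id and classify each DKIM result."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = SESSION.search(line)
        if not m:
            continue
        info = sessions[m.group("sid")]
        t = TRUNCATED.search(m.group("msg"))
        d = DKIM_RESULT.search(m.group("msg"))
        if t:
            info["passed"], info["orig"] = int(t.group(1)), int(t.group(2))
        if d:
            info["dkim"], info["detail"] = d.group(1), d.group(2) or ""

    report = {}
    for sid, info in sessions.items():
        if "dkim" not in info:
            continue                      # session had no DKIM debug line
        truncated = "passed" in info
        body_fail = info["dkim"] == "FAIL" and "BODY" in info["detail"]
        if info["dkim"] != "FAIL":
            verdict = "ok"
        elif truncated and body_fail:
            # SA hashed only a prefix of the body, so the body hash cannot match.
            verdict = "fail on truncated input: SA did not see the whole body"
        else:
            verdict = "fail on full input: investigate the delivery path"
        report[sid] = {
            "dkim": info["dkim"],
            "truncated": truncated,
            "missing_bytes": info.get("orig", 0) - info.get("passed", 0),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for sid, row in triage(SAMPLE_LOG).items():
        print(sid, row)
```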
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by Felix Defrance <fe...@d2france.fr>.
Le 10/08/2017 à 16:33, RW a écrit :
> On Thu, 10 Aug 2017 16:12:11 +0200
> Felix Defrance wrote:
>
>
>> In the first lines of the log, you can see the opendkim results are successful.
>>
>> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
>> successful
>> Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr
>> none
>>
>> That's why I think Amavis or Spamassassin is the cause.
> As I already pointed out, Amavis passed SpamAssassin a truncated,
> i.e. incomplete, email; it's inevitable that this will fail
> SpamAssassin's DKIM test. The opendkim result is on the full email.
OK, but in many other cases spamassassin did not fail at this point and
validated the signing. Why does it fail sometimes, and not all the time?
--
Félix Defrance
PGP: 0x0F04DC57
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by RW <rw...@googlemail.com>.
On Thu, 10 Aug 2017 16:12:11 +0200
Felix Defrance wrote:
> In the first lines of the log, you can see the opendkim results are successful.
>
> Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
> successful
> Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr
> none
>
> That's why I think Amavis or Spamassassin is the cause.
As I already pointed out, Amavis passed SpamAssassin a truncated,
i.e. incomplete, email; it's inevitable that this will fail
SpamAssassin's DKIM test. The opendkim result is on the full email.
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by Felix Defrance <fe...@d2france.fr>.
Le 09/08/2017 à 18:53, David Jones a écrit :
> On 08/09/2017 10:19 AM, Felix Defrance wrote:
>> Do you have any idea why the body has been altered sometimes? I
>> don't have any log about amavis altering the body of the message.
>>
>
> This happens when any server in the path modifies some of the headers or
> the body of the email after it was signed by the originator. Older
> Exchange servers are known to mess with DKIM signing. I think
> Exchange 2016 and Office 365 now properly handle mail so that DKIM
> doesn't break.
>
> It could be any of the Received: mail servers that broke DKIM. I
> don't think it was your Amavis that caused it. You could install
> OpenDKIM and OpenDMARC as a milter on the MTA to get some extra
> information before the message was passed to Amavis.
In the first lines of the log, you can see the opendkim results are successful.
Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
successful
Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
That's why I think Amavis or Spamassassin is the cause.
>
>> You don't think the problem came from this line ?
>>
>> SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com,
>> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
>> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
>>
>
> No. This didn't cause the problem. It's just showing that the
> envelope-from domain didn't match the DKIM d= domain.
>
> groupeastek.fr <> groupeastek365.onmicrosoft.com
>
> Microsoft is trying to be helpful here and automatically DKIM signing
> with their own domain.
OK, I didn't read the RFC, but could I suppose
Mail::SpamAssassin::Plugin::DKIM or Microsoft don't respect the standard?
Maybe I need to update Mail::SpamAssassin::Plugin::DKIM.
I use libmail-dkim-perl 0.40-1 from Debian Jessie. Do you think the
version is too old?
Or
Microsoft is helpful, but they should not be.
>
>
>
>> Thx,
>>
>> Le 09/08/2017 à 16:37, David Jones a écrit :
>>> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>>>> Hi all,
>>>>
>>>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
>>>> signature verification while opendkim succeeds.
>>>>
>>>> I see these issues on domains which use onmicrosoft.com or
>>>> gappssmtp.com.
>>>>
>>>> Here is the mail trace on my MTA, if anybody could help me.
>>>>
>>>> Thx,
>>>>
>>>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim:
>>>> signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>>
>>>> --
>>>> Félix
>>>> PGP: 0x0F04DC57
>>>>
>>>
>>> This is in the logs above:
>>>
>>> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>
>>
>> --
>> Félix Defrance
>> PGP: 0x0F04DC57
>>
>
--
Félix Defrance
PGP: 0x0F04DC57
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by David Jones <dj...@ena.com>.
On 08/09/2017 10:19 AM, Felix Defrance wrote:
> Do you have any idea why the body has been altered sometimes? I don't
> have any log about amavis altering the body of the message.
>
This happens when any server in the path modifies some of the headers or
the body of the email after it was signed by the originator. Older
Exchange servers are known to mess with DKIM signing. I think Exchange
2016 and Office 365 now properly handle mail so that DKIM doesn't break.
It could be any of the Received: mail servers that broke DKIM. I don't
think it was your Amavis that caused it. You could install OpenDKIM and
OpenDMARC as a milter on the MTA to get some extra information before
the message was passed to Amavis.
> You don't think the problem came from this line ?
>
> SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com,
> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
>
No. This didn't cause the problem. It's just showing that the
envelope-from domain didn't match the DKIM d= domain.
groupeastek.fr <> groupeastek365.onmicrosoft.com
Microsoft is trying to be helpful here and automatically DKIM signing
with their own domain.
> Thx,
>
> Le 09/08/2017 à 16:37, David Jones a écrit :
>> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>>> Hi all,
>>>
>>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
>>> signature verification while opendkim succeeds.
>>>
>>> I see these issues on domains which use onmicrosoft.com or gappssmtp.com.
>>>
>>> Here is the mail trace on my MTA, if anybody could help me.
>>>
>>> Thx,
>>>
>>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim:
>>> signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>
>>> --
>>> Félix
>>> PGP: 0x0F04DC57
>>>
>>
>> This is in the logs above:
>>
>> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>
>
> --
> Félix Defrance
> PGP: 0x0F04DC57
>
--
David Jones
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by Felix Defrance <fe...@d2france.fr>.
Do you have any idea why the body has been altered sometimes? I don't
have any log about amavis altering the body of the message.
You don't think the problem came from this line?
SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com,
d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
Thx,
Le 09/08/2017 à 16:37, David Jones a écrit :
> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>> Hi all,
>>
>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
>> signature verification while opendkim succeeds.
>>
>> I see these issues on domains which use onmicrosoft.com or gappssmtp.com.
>>
>> Here is the mail trace on my MTA, if anybody could help me.
>>
>> Thx,
>>
>> --
>> Félix
>> PGP: 0x0F04DC57
>>
>
> This is in the logs above:
>
> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>
--
Félix Defrance
PGP: 0x0F04DC57
Re: SA dbg: dkim: FAILED DKIM .. does not match author domain
Posted by David Jones <dj...@ena.com>.
On 08/09/2017 09:33 AM, Felix Defrance wrote:
> Hi all,
>
> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
> signature verification while opendkim succeeds.
>
> I see these issues on domains which use onmicrosoft.com or gappssmtp.com.
>
> Here is the mail trace on my MTA, if anybody could help me.
>
> Thx,
>
> --
> Félix
> PGP: 0x0F04DC57
>
This is in the logs above:
dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
--
David Jones