You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Jari Fredriksson <ja...@iki.fi> on 2019/09/23 05:00:42 UTC
Why I get DKIM_INVALID sometimes?
Hello again.
I have a problem that arises after my mail server has been up for maybe
two days. Suddenly all DKIM-verifications in SpamAssassin says
DKIM_INVALID while those look valid to be when looking to mail source
code. It works again correctly after I reboot the machine. This starter
as it is when I upgraded from Debian Stretch to Buster, I think.
Sample: https://pastebin.com/cZKSTZVC
--
jarif@iki.fi
Re: Why I get DKIM_INVALID sometimes?
Posted by Jari Fredriksson <ja...@iki.fi>.
Bill Cole kirjoitti 23.9.2019 20:11:
> On 23 Sep 2019, at 11:43, Jari Fredriksson wrote:
>
>> Bill Cole kirjoitti 23.9.2019 18:26:
>>> On 23 Sep 2019, at 1:00, Jari Fredriksson wrote:
>>>
>>>> Hello again.
>>>>
>>>> I have a problem that arises after my mail server has been up for
>>>> maybe two days. Suddenly all DKIM-verifications in SpamAssassin says
>>>> DKIM_INVALID while those look valid to be when looking to mail
>>>> source code. It works again correctly after I reboot the machine.
>>>> This starter as it is when I upgraded from Debian Stretch to Buster,
>>>> I think.
>>>>
>>>> Sample: https://pastebin.com/cZKSTZVC
>>>
>>> The signature on that message does not verify according to the
>>> dkimverify.pl from Mail::DKIM or the dkimverify from the Python
>>> 'dkimpy' package. Using the --debug-canonicalization option of
>>> dkimverify.pl shows that the 'bh' field matches, so the problem is in
>>> the headers.
>>>
>>> In short: it's probably not your problem *in this case*
>
> One side-note on this: In reviewing this I see that the first case is
> labeled as multipart/alternative but it contains only an unterminated
> text/plain part, so it seems to have been truncated, which is not
> consistent with the fact that dkimverify.pl comes up with the same
> body hash, so I'm questioning everything now...
>
Yes I attached only the headers of the mail, not the body as I
considered it to be wasteful. Maybe a bad decision... Such happens.
Thank You very much for your comments!
--
jarif@iki.fi
Re: Why I get DKIM_INVALID sometimes?
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 23 Sep 2019, at 11:43, Jari Fredriksson wrote:
> Bill Cole kirjoitti 23.9.2019 18:26:
>> On 23 Sep 2019, at 1:00, Jari Fredriksson wrote:
>>
>>> Hello again.
>>>
>>> I have a problem that arises after my mail server has been up for
>>> maybe two days. Suddenly all DKIM-verifications in SpamAssassin says
>>> DKIM_INVALID while those look valid to be when looking to mail
>>> source code. It works again correctly after I reboot the machine.
>>> This starter as it is when I upgraded from Debian Stretch to Buster,
>>> I think.
>>>
>>> Sample: https://pastebin.com/cZKSTZVC
>>
>> The signature on that message does not verify according to the
>> dkimverify.pl from Mail::DKIM or the dkimverify from the Python
>> 'dkimpy' package. Using the --debug-canonicalization option of
>> dkimverify.pl shows that the 'bh' field matches, so the problem is in
>> the headers.
>>
>> In short: it's probably not your problem *in this case*
One side-note on this: In reviewing this I see that the first case is
labeled as multipart/alternative but it contains only an unterminated
text/plain part, so it seems to have been truncated, which is not
consistent with the fact that dkimverify.pl comes up with the same body
hash, so I'm questioning everything now...
>
> All right then. I just received a new mail from Twitter, this time it
> has DKIM_VALID_AU. How headers differ?
>
> https://pastebin.com/3p7QiDDj
I don't see anything obvious, but I expect that I wouldn't and that you
wouldn't in the delivered mail. Something in the non-verified message
got changed after signing but the verified message had no such change.
For many months I've been watching a mail system that was having chronic
occasional DKIM failures and writing code to work around and/or prevent
the root causes. This project has not taken so long merely because I'm
bad at coding. The ways that Sendmail in particular can innocently break
signatures are many, so ultimately I resorted to fully parsing existing
address list headers and rebuilding them in a subtly idiosyncratic form
that Sendmail likes.
There's a long-untouched bug report for OpenDKIM (which this system is
not using) due to Sendmail "fixing up" standard address headers. That
fixup is perfectly reasonable UNLESS you're signing them with a milter
ahead of the fixup. Or in your case: unless Twitter is signing them with
a milter before their Sendmail "fixes" headers.
--
Bill Cole
Re: Why I get DKIM_INVALID sometimes?
Posted by Jari Fredriksson <ja...@iki.fi>.
Bill Cole kirjoitti 23.9.2019 18:26:
> On 23 Sep 2019, at 1:00, Jari Fredriksson wrote:
>
>> Hello again.
>>
>> I have a problem that arises after my mail server has been up for
>> maybe two days. Suddenly all DKIM-verifications in SpamAssassin says
>> DKIM_INVALID while those look valid to be when looking to mail source
>> code. It works again correctly after I reboot the machine. This
>> starter as it is when I upgraded from Debian Stretch to Buster, I
>> think.
>>
>> Sample: https://pastebin.com/cZKSTZVC
>
> The signature on that message does not verify according to the
> dkimverify.pl from Mail::DKIM or the dkimverify from the Python
> 'dkimpy' package. Using the --debug-canonicalization option of
> dkimverify.pl shows that the 'bh' field matches, so the problem is in
> the headers.
>
> In short: it's probably not your problem *in this case*
All right then. I just received a new mail from Twitter, this time it
has DKIM_VALID_AU. How headers differ?
https://pastebin.com/3p7QiDDj
--
jarif@iki.fi
Re: Why I get DKIM_INVALID sometimes?
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 23 Sep 2019, at 1:00, Jari Fredriksson wrote:
> Hello again.
>
> I have a problem that arises after my mail server has been up for
> maybe two days. Suddenly all DKIM-verifications in SpamAssassin says
> DKIM_INVALID while those look valid to be when looking to mail source
> code. It works again correctly after I reboot the machine. This
> starter as it is when I upgraded from Debian Stretch to Buster, I
> think.
>
> Sample: https://pastebin.com/cZKSTZVC
The signature on that message does not verify according to the
dkimverify.pl from Mail::DKIM or the dkimverify from the Python 'dkimpy'
package. Using the --debug-canonicalization option of dkimverify.pl
shows that the 'bh' field matches, so the problem is in the headers.
In short: it's probably not your problem *in this case*
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Re: Why I get DKIM_INVALID sometimes?
Posted by Jari Fredriksson <ja...@iki.fi>.
RW kirjoitti 23.9.2019 17:02:
> On Mon, 23 Sep 2019 16:33:35 +0300
> Jari Fredriksson wrote:
>
>> Axb kirjoitti 23.9.2019 8:42:
>> > UN_educated guess - I don't use DKIM... does it stop happening when
>> > you restart your DNS recursor instead of rebooting?
>> >
>
>> Oh well. That did not help, same for this day.
>
> Don't stop at DNS restart all daemons related to email, one at a time.
Actually my mail queue was halted for some other reason, but now as it
started to flow again it seems to work! So, I have something on DNS. One
master and two slaves. I now crontabbed a restart for the process via
ansible daily. It might be a work around if the real reason does not
come for me later...
Thanks Axb!
--
jarif@iki.fi
Re: Why I get DKIM_INVALID sometimes?
Posted by RW <rw...@googlemail.com>.
On Mon, 23 Sep 2019 16:33:35 +0300
Jari Fredriksson wrote:
> Axb kirjoitti 23.9.2019 8:42:
> > UN_educated guess - I don't use DKIM... does it stop happening when
> > you restart your DNS recursor instead of rebooting?
> >
> Oh well. That did not help, same for this day.
Don't stop at DNS restart all daemons related to email, one at a time.
Re: Why I get DKIM_INVALID sometimes?
Posted by Jari Fredriksson <ja...@iki.fi>.
Axb kirjoitti 23.9.2019 8:42:
> UN_educated guess - I don't use DKIM... does it stop happening when
> you restart your DNS recursor instead of rebooting?
>
> On 9/23/19 7:00 AM, Jari Fredriksson wrote:
>> Hello again.
>>
>> I have a problem that arises after my mail server has been up for
>> maybe two days. Suddenly all DKIM-verifications in SpamAssassin says
>> DKIM_INVALID while those look valid to be when looking to mail source
>> code. It works again correctly after I reboot the machine. This
>> starter as it is when I upgraded from Debian Stretch to Buster, I
>> think.
>>
>> Sample: https://pastebin.com/cZKSTZVC
>>
>>
Oh well. That did not help, same for this day.
--
jarif@iki.fi
Re: Why I get DKIM_INVALID sometimes?
Posted by Axb <ax...@gmail.com>.
UN_educated guess - I don't use DKIM... does it stop happening when you
restart your DNS recursor instead of rebooting?
On 9/23/19 7:00 AM, Jari Fredriksson wrote:
> Hello again.
>
> I have a problem that arises after my mail server has been up for maybe
> two days. Suddenly all DKIM-verifications in SpamAssassin says
> DKIM_INVALID while those look valid to be when looking to mail source
> code. It works again correctly after I reboot the machine. This starter
> as it is when I upgraded from Debian Stretch to Buster, I think.
>
> Sample: https://pastebin.com/cZKSTZVC
>
>