On 08/07/16 20:44, Scott Kitterman wrote: > On Friday, July 08, 2016 06:23:58 PM Daniel Pocock wrote: >> Package: opendkim >> Version: 2.9.2-2 >> >> I'm using OpenDKIM and Postfix on Debian >> >> Outlook 365 and Hotmail users regularly have trouble receiving email >> from some of the sending domains. >> >> One Outlook 365 user checked with their IT helpdesk and they sent me a >> copy of the message headers. In some of the messages they receive, it >> has something like: >> >> >> >> >> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.net; s=mail; >> t=1467730175; bh=......; >> h=Subject:To:References:From:Date:In-Reply-To:From; >> b=........= >> >> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.net; s=mail; >> t=1467730151; bh=(matches the previous message); >> h=Subject:To:References:From:Date:In-Reply-To:From; >> b=(doesn't match the previous header) >> >> Authentication-Results: spf=pass (sender IP is 195.8.117.5) >> smtp.mailfrom=example.net; example.org; dkim=fail (body hash did >> not verify) header.d=example.net;example.org; dmarc=bestguesspass >> action=none header.from=example.net;example.org; dkim=fail (body >> hash did not verify) header.d=example.net; >> >> X-DkimResult-Test: Failed >> >> Subject: This email has been identified as potential SPAM. Please >> verify. (original subject follows.....) >> >> I notice that the DKIM-Signature header is repeated with different >> values for "b=..." and "t=" while all other values appear the same. >> >> Are there known issues with OpenDKIM? Is there any way to add any debug >> headers to the message to help troubleshoot? > > I'm not aware of any outstanding issues that would cause this. Do you host > any mailing lists on this server that might result in messages being > processed > (and signed) twice by the MTA? If so, what you might be seeing is body > modifications by the MLM. > > OpenDKIM will only sign once, so the likely answer is something in your > Postfix configuration is causing the milter to be triggered twice (I once did > this to myself by signing mail received via the Submission port - as an > example). >
It isn't a mailing list server and I haven't configured it to modify messages. The server does have Amavis and Spamassassin, could they clash with OpenDKIM in some way?