On Monday, July 11, 2016 09:00:18 AM Daniel Pocock wrote: > On 08/07/16 20:57, Scott Kitterman wrote: > > On Friday, July 08, 2016 08:46:24 PM Daniel Pocock wrote: > >> On 08/07/16 20:44, Scott Kitterman wrote: > >>> On Friday, July 08, 2016 06:23:58 PM Daniel Pocock wrote: > >>>> Package: opendkim > >>>> Version: 2.9.2-2 > > > > ... > > > >>>> I notice that the DKIM-Signature header is repeated with different > >>>> values for "b=..." and "t=" while all other values appear the same. > >>>> > >>>> Are there known issues with OpenDKIM? Is there any way to add any > >>>> debug > >>>> headers to the message to help troubleshoot? > >>> > >>> I'm not aware of any outstanding issues that would cause this. Do you > >>> host > >>> any mailing lists on this server that might result in messages being > >>> processed (and signed) twice by the MTA? If so, what you might be > >>> seeing > >>> is body modifications by the MLM. > >>> > >>> OpenDKIM will only sign once, so the likely answer is something in your > >>> Postfix configuration is causing the milter to be triggered twice (I > >>> once > >>> did this to myself by signing mail received via the Submission port - as > >>> an example). > >> > >> It isn't a mailing list server and I haven't configured it to modify > >> messages. > >> > >> The server does have Amavis and Spamassassin, could they clash with > >> OpenDKIM in some way? > > > > It's possible. I'd like to see unsanitized output of postconf -n and your > > master.cf. Direct mail is fine if you'd prefer they weren't memorialized > > in the BTS. > > Details sent privately > > After discussion, I commented out the global milter settings in my > main.cf file: > > #smtpd_milters = inet:localhost:12301 > #non_smtpd_milters = inet:localhost:12301 > > > and added the milter directive to the "smtpd" and post-amavis services > for inbound authentication and outbound signing respectively: > > # inbound messages from internet > # will be authenticated by OpenDKIM milter on port 12301 > smtp inet n - - - - smtpd > ....... > -o smtpd_milters=inet:localhost:12301 > > > # outbound messages have been through amavis > # will be signed by OpenDKIM milter on port 12301 > 127.0.0.1:10025 inet n - - - - smtpd > ....... > -o smtpd_milters=inet:localhost:12301 > > > Looking at the logs, I observe that inbound messages are being > authenticated: > > Jul 11 07:31:27 mail opendkim[765]: ......: DKIM verification successful > > > and outbound messages are being signed: > > Jul 11 07:31:14 mail opendkim[765]: .......: DKIM-Signature field added > (s=mail, d=example.org)
Excellent > Should there be a bug report about amavis modifying the messages? It is > only meant to pass them through SpamAssassin and clamav. I think so, although without knowing what the modification is, I don't know how useful it would be, but that may be worth taking up with the amavisd-new maintainer. > Should OpenDKIM detect when the header already exists and log a warning > about adding it twice? I don't think so. There's nothing inherently wrong in this and there may be circumstances where it's desired. > Is it ultimately a bug in the receiving system (Office 365), should it > accept messages with multiple signaturesr? After all, the port25.com > verification appears to do that. > > Looking at the spec: > > https://tools.ietf.org/html/rfc6376#section-4.2 > > > If a Verifier module reports signatures whose evaluations produced > PERMFAIL results, Identity Assessors SHOULD ignore those signatures > (see Section 6.1), acting as though they were not present in the > message. > > So, the spec says Office 365 should have ignored the original signature > that is no longer valid, found the good signature in the other header > and accepted the message. I agree they should have used the valid signature and ignored the invalid one. So yes, I think it's also a bug in the receiving system. I think I could document the postfix configuration bits somewhat better, so I'll leave this bug open for that. Thanks for following up, Scott K
