Re: [gentoo-user] OT: amavis and DKIM verification

Mon, 11 Jan 2010 08:09:47 -0800 

Le 11/01/2010 16:31, Matt Harrison a écrit :
> On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote:
>> Le 10/01/2010 22:26, Matt Harrison a ??crit :
>>> I say OT because it's my understanding of DKIM that lets me down here, not 
>>> Gentoo. I'm
>>> just not sure who to ask or even if it could be something Gentoo related.
>>>
>>> I've recently updated my postfix home mail server to use amavis-new for 
>>> virus and spam
>>> filtering rather than procmail/spamassassin.
>>>
>>> It seems to be working well and I've also enabled some other goodies like 
>>> DKIM signing
>>> and verification. I haven't confirmed signing is working yet, so maybe a 
>>> side effect
>>> of this email is that someone can confirm this for me ;)
>>
>> Your mail is not DKIM-Signed, check your setup.
> 
> Ok, thanks for checking, it appears that outbound messages weren't being 
> passed to
> amavis, I think I've rectified that now.
> 
> I can see the message being scanned in the logs, but not necessarily being 
> signed
> though. Inbound messages generate warnings such as:
> 
> dkim: not signing, no applicable private key for domains ruby-forum.com.....

Seems that either you forgot to setup the DNS for ruby-forum.com with the public
key, or you don't own ruby-forum.com, as well as his private key.

Keep in mind that signing is done according to the "From:" header content.

> but my outbound messages just scan clean. I've tried without sender maps and 
> with
> limiting them to my domain.
> 
>>> The main query I have is that a lot of the mail I get, in this case from 
>>> various
>>> mailing lists, appears to failed DKIM verification.
[SNIP]
>>
>> 90% chance the emails failing DKIM verification had their email subject 
>> modified
>> to add "[gentoo-user]" in it by the mlmmj program that manage the 
>> mailing-list,
>> which mainly concerns topic starts (ie first mails about one topic).
> 
> That would make a lot of sense, I'm not sure if it's just the first messages 
> that are
> doing it, but I have a feeling that others in a thread are also failing.

After some checking, it appears that Reply-To: header is also modified by mlmmj,
and so DKIM verification fails too for these ones.

> 
> Thanks for your input Xavier, I think I need to get over to the amavis or 
> postfix
> guys, like Stroller said, to really figure out what is happening.


-- 
      Xavier Parizet
YaGB :   http://gentooist.com
GPG  :    C7DC B10E FC21 63BE
B453 D239 F6E6 DF65 1569 91BF

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to