Hi,

On 27 Jan 2024 at 18:08:36, Henrik Morsing via GLLUG wrote:
> 
> I'm now getting the same from the Land Registry:
> 
> Jan 27 18:05:24 emil postfix/smtpd[734113]: DA88621F91: 
> client=d218-4.smtp-out.eu-west-2.amazonses.com[23.249.218.4]
> Jan 27 18:05:24 emil postfix/cleanup[734121]: DA88621F91: 
> message-id=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000...@eu-west-2.amazonses.com>
> Jan 27 18:05:24 emil opendkim[768]: DA88621F91: 
> d218-4.smtp-out.eu-west-2.amazonses.com [23.249.218.4] not internal
> Jan 27 18:05:24 emil opendkim[768]: DA88621F91: not authenticated
> Jan 27 18:05:25 emil opendkim[768]: DA88621F91: message has signatures from 
> accounts.landregistry.gov.uk, amazonses.com
> Jan 27 18:05:25 emil opendkim[768]: DA88621F91: 
> s=s7vtg5zfwt6jcj77lxzbi3rmck6i6vrp d=accounts.landregistry.gov.uk 
> a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature
> Jan 27 18:05:25 emil opendkim[768]: DA88621F91: bad signature data

DKIM (signature from the server) for this email is not valid. Why? I
think (this is a copy-paste from a... ChatGPT conversation):

    Email Tampering: The email content might have been altered in transit,
    causing a mismatch between the content and the signature.

    Incorrect Signature: The sender's mail server might have incorrectly
    signed the email, possibly due to a misconfiguration.

    DKIM Record Issues: There could be issues with the DKIM public key
    record in the DNS. This might include errors in the DNS entry or
    propagation delays.

    Header Modification: Some intermediate mail servers might modify
    headers, which can invalidate the DKIM signature.

> Jan 27 18:05:25 emil opendmarc[1652567]: DA88621F91: 
> accounts.landregistry.gov.uk fail
> Jan 27 18:05:25 emil postfix/cleanup[734121]: DA88621F91: milter-reject: 
> END-OF-MESSAGE from d218-4.smtp-out.eu-west-2.amazonses.com[23.249.218.4]: 
> 5.7.1 rejected by DMARC policy for accounts.landregistry.gov.uk; 
> from=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000...@eu-west-2.amazonses.com>
>  to=<mors...@morsing.cc> proto=ESMTP 
> helo=<d218-4.smtp-out.eu-west-2.amazonses.com>

Their DMARC policy can be seen here:
https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3alandregistry.gov.uk&run=toolpage

It says that if DKIM fails it should be rejected (strict mode). Your
opendmarc does this.

> I wish there was a test I could do to check what is actually wrong...

I don't remember, do you control your own postfix mail setup?

Two ideas:
- Disable opendmarc, so an invalid DKIM would still be allowed. I think
  that this is the setup that I have. SpamAssassin still gives good/bad
  points, I think, based on DKIM_INVALID, etc., if you use something like
  SpamAssassin.

- Check the opendmarc configuration. I don't have it handy but
  https://manpages.ubuntu.com/manpages/jammy/en/man5/opendmarc.conf.5.html
  (so, man 5 opendmarc) suggests "CopyFailuresTo" where, somehow, maybe
  you could keep the failures somewhere? See them, then manually check
  the DKIM signature? It also has FailureReportsBcc, maybe even
  IgnoreHosts might be interesting?

I haven't used the opendmarc options. I'd be interested in knowing how
you get on.

Cheers,

> 
> Regards,
> Henrik Morsing
> 
> 
> On Fri, Jan 12, 2024 at 03:48:17PM +0000, Henrik Morsing via GLLUG wrote:
> > 
> > Good afternoon,
> > 
> > Not directly Linux, sorry, but British Gas has spent the last year sending 
> > me letters saying they can't email me. When I look into it, their emails 
> > are rejected based on a bad DKIM signature.
> > 
> > The problem is, not receiving the email, how can I find out what the 
> > problem is? mxtoolbox says their setup is fine, but that surely can't check 
> > the signature inside one of their emails.
> > 
> > What is slightly odd is that DMARC policy is set to none, so shouldn't 
> > reject anything anyway.
> > 
> > I can't say I'm a DKIM/DMARC expert, but this is what I see:
> > 
> > Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet 
> > d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa 
> > routines:int_rsa_verify:bad signature
> > Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail
> > Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: 
> > END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by 
> > DMARC policy for britishgas.co.uk; 
> > from=<296f63a1.caaabphwdncaaaaaaaaaakg7asyaaycquv4aaaaaabbdggblh...@a1065858.bnc3.mailjet.com>
> >  to=<mors...@morsing.cc> proto=ESMTP helo=<o94.p12.mailjet.com>
> > 
> > Not sure where to go from here though. Smells like their problem to me, but 
> > I don't want to tell them that without proof. Any hints?
> > 
> > Regards,
> > Henrik Morsing
> > -- 
> > 
> > 
> > -- 
> > GLLUG mailing list
> > GLLUG@mailman.lug.org.uk
> > https://mailman.lug.org.uk/mailman/listinfo/gllug
> 
-- 
Carles Pina i Estany
https://carles.pina.cat
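
One offline check for a message that has been kept aside (for instance with the CopyFailuresTo idea above): recompute the DKIM body hash and compare it with the bh= tag of each signature, which shows whether the body changed after signing. This is an added example, not part of the original email; the sample message, example.org and sel1 are constructed placeholders, and it checks only bh=, not the RSA signature in b=.

```python
import base64
import hashlib
import re

def split_message(raw: bytes):
    """Return (unfolded header lines, body) of a raw RFC 5322 message."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)            # normalise line endings
    head, _, body = raw.partition(b"\r\n\r\n")
    return re.sub(rb"\r\n(?=[ \t])", b"", head).split(b"\r\n"), body

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4 ("simple" or "relaxed")."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":                             # collapse WSP runs, strip line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":                 # trailing empty lines are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode="relaxed", algo="sha256", length=None) -> str:
    """Base64 digest of the canonical body, truncated to l= octets if given."""
    data = canon_body(body, mode)[:length]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def check_body_hashes(raw: bytes):
    """Return [(d=, s=, bh_matches)], one entry per DKIM-Signature header."""
    headers, body = split_message(raw)
    results = []
    for line in headers:
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"dkim-signature":
            continue
        parts = (p.partition("=") for p in value.decode("ascii", "replace").split(";"))
        tags = {k.strip(): re.sub(r"\s+", "", v) for k, _, v in parts}
        algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
        mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
        length = int(tags["l"]) if "l" in tags else None
        ok = body_hash(body, mode, algo, length) == tags.get("bh")
        results.append((tags.get("d"), tags.get("s"), ok))
    return results

# Constructed sample, not a real message: example.org and sel1 are placeholders.
BODY = b"Your statement is ready.\r\n"
def sample(body: bytes) -> bytes:
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
           "\ts=sel1; h=from:subject; bh=%s; b=PLACEHOLDER\r\n" % body_hash(BODY))
    return sig.encode() + b"From: a@example.org\r\nSubject: test\r\n\r\n" + body
```

A bh= that matches while the signature still fails points at the signed headers or the published key rather than the body.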
