Hi,

On 27 Jan 2024 at 18:08:36, Henrik Morsing via GLLUG wrote:
>
> I'm now getting the same from the Land Registry:
>
> Jan 27 18:05:24 emil postfix/smtpd[734113]: DA88621F91:
> client=d218-4.smtp-out.eu-west-2.amazonses.com[23.249.218.4]
> Jan 27 18:05:24 emil postfix/cleanup[734121]: DA88621F91:
> message-id=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000...@eu-west-2.amazonses.com>
> Jan 27 18:05:24 emil opendkim[768]: DA88621F91:
> d218-4.smtp-out.eu-west-2.amazonses.com [23.249.218.4] not internal
> Jan 27 18:05:24 emil opendkim[768]: DA88621F91: not authenticated
> Jan 27 18:05:25 emil opendkim[768]: DA88621F91: message has signatures from
> accounts.landregistry.gov.uk, amazonses.com
> Jan 27 18:05:25 emil opendkim[768]: DA88621F91:
> s=s7vtg5zfwt6jcj77lxzbi3rmck6i6vrp d=accounts.landregistry.gov.uk
> a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature
> Jan 27 18:05:25 emil opendkim[768]: DA88621F91: bad signature data

DKIM (signature from the server) for this email is not valid. Why? I think
(this is a copy-paste from a... ChatGPT conversation):

- Email Tampering: The email content might have been altered in transit,
causing a mismatch between the content and the signature.
- Incorrect Signature: The sender's mail server might have incorrectly signed
the email, possibly due to a misconfiguration.
- DKIM Record Issues: There could be issues with the DKIM public key record in
the DNS. This might include errors in the DNS entry or propagation delays.
- Header Modification: Some intermediate mail servers might modify headers,
which can invalidate the DKIM signature.

> Jan 27 18:05:25 emil opendmarc[1652567]: DA88621F91:
> accounts.landregistry.gov.uk fail
> Jan 27 18:05:25 emil postfix/cleanup[734121]: DA88621F91: milter-reject:
> END-OF-MESSAGE from d218-4.smtp-out.eu-west-2.amazonses.com[23.249.218.4]:
> 5.7.1 rejected by DMARC policy for accounts.landregistry.gov.uk;
> from=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000...@eu-west-2.amazonses.com>
> to=<mors...@morsing.cc> proto=ESMTP
> helo=<d218-4.smtp-out.eu-west-2.amazonses.com>

Their DMARC policy can be seen here:
https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3alandregistry.gov.uk&run=toolpage

It says that if DKIM fails it should be rejected (strict mode). Your opendmarc
does this.

> I wish there was a test I could do to check what is actually wrong...

I don't remember, do you control your own postfix mail setup?

Two ideas:

- Disable opendmarc - so an invalid DKIM would still be allowed. I think that
this is a setup that I have. SpamAssassin still gives good/bad points, I think,
based on DKIM_INVALID, etc. if you used something like SpamAssassin.

- Check opendmarc configuration. I don't have it handy but
https://manpages.ubuntu.com/manpages/jammy/en/man5/opendmarc.conf.5.html
(so, man 5 opendmarc) suggests "CopyFailuresTo" where, somehow, maybe you
could keep the failures somewhere?
See them, then check the DKIM signature manually? It also has
FailureReportsBcc, maybe even IgnoreHosts might be interesting?

I haven't used the opendmarc options. I'd be interested in knowing how you get
on.

Cheers,

>
> Regards,
> Henrik Morsing
>
>
> On Fri, Jan 12, 2024 at 03:48:17PM +0000, Henrik Morsing via GLLUG wrote:
> >
> > Good afternoon,
> >
> > Not directly Linux, sorry, but British Gas has spent the last year sending
> > me letters saying they can't email me. When I look into it, their emails
> > are rejected based on a bad DKIM signature.
> >
> > The problem is, not receiving the email, how can I find out what the
> > problem is? mxtoolbox says their setup is fine, but that surely can't check
> > the signature inside one of their emails.
> >
> > What is slightly odd is that DMARC policy is set to none, so shouldn't
> > reject anything anyway.
> >
> > I can't say I'm a DKIM/DMARC expert, but this is what I see:
> >
> > Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet
> > d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa
> > routines:int_rsa_verify:bad signature
> > Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail
> > Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject:
> > END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by
> > DMARC policy for britishgas.co.uk;
> > from=<296f63a1.caaabphwdncaaaaaaaaaakg7asyaaycquv4aaaaaabbdggblh...@a1065858.bnc3.mailjet.com>
> > to=<mors...@morsing.cc> proto=ESMTP helo=<o94.p12.mailjet.com>
> >
> > Not sure where to go from here though. Smells like their problem to me, but
> > I don't want to tell them that without proof. Any hints?
> >
> > Regards,
> > Henrik Morsing
> > --
> >
> >
> > --
> > GLLUG mailing list
> > GLLUG@mailman.lug.org.uk
> > https://mailman.lug.org.uk/mailman/listinfo/gllug
> > --
> >
> --
> GLLUG mailing list
> GLLUG@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/gllug

--
Carles Pina i Estany
https://carles.pina.cat