On Sun, 2022-01-23 at 09:29 -0800, Paul Pace wrote: > On 2021-11-24 04:01, Martijn van Duren wrote: > > On Tue, 2021-11-23 at 08:47 -0800, Paul Pace wrote: > > > Hello! > > > > > > I have an Ubuntu 18.04 server running Postfix 3.3 that relays through > > > a > > > local OpenSMTPD mail relay on OpenBSD 7.0. Messages sent from system > > > messages and directly from mail command are signed by dkimsign as > > > expected. > > > > > > Messages sent from letstencrypt run through cron.weekly are not being > > > signed by dkimsign with the expected domain. Log entries for correctly > > > signed and incorrectly signed messages are identical on both client > > > and > > > relay server. > > > > > > Here are the key portions of the header in the received inbox for the > > > cron.weekly job: > > > > > > > > > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021; > > > bh=rNFy7e0QC/J > > > YFcHTI8wUywlRSY3eJ4LLLsOZrSC0XBc=; h=date:subject:to:from; > > > d=example.com; > > > b=KqmB7rxJfpLcF6Nif/4bQRAbcQDDhVmFh+8KDeCqc9ujlr8ogK7... > > > Received: from relayclient.example.com (<unknown> [172.16.13.2]) > > > by smtp.example.com (OpenSMTPD) with ESMTPS id 44fa8358 > > > (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) > > > for <u...@example.net>; > > > Sun, 14 Nov 2021 06:47:03 -0800 (PST) > > > Received: by relayclient.example.com (Postfix) > > > id 881F75F401; Sun, 14 Nov 2021 06:47:03 -0800 (PST) > > > Delivered-To: r...@relayclient.example.com > > > Received: by relayclient.example.com (Postfix, from userid 0) > > > id 81D885F402; Sun, 14 Nov 2021 06:47:03 -0800 (PST) > > > From: r...@relayclient.example.com (Cron Daemon) > > > To: r...@relayclient.example.com > > > Subject: Cron <root@relayclient> test -x /usr/sbin/anacron || ( cd / > > > && > > > run-parts --report /etc/cron.weekly ) > > > MIME-Version: 1.0 > > > Content-Type: text/plain; charset=ISO-8859-1 > > > Content-Transfer-Encoding: 8bit > > > X-Cron-Env: <SHELL=/bin/sh> > > > X-Cron-Env: > > > <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin> > > > X-Cron-Env: <HOME=/root> > > > X-Cron-Env: <LOGNAME=root> > > > Message-Id: <20211114144703.81d885f...@relayclient.example.com> > > > Date: Sun, 14 Nov 2021 06:47:03 -0800 (PST) > > > > > > > > > Note in this above headers that d=example.com and expected is > > > d=relayclient.example.com > > > > > > Here are the key portions of the headers in the received inbox from > > > the > > > same client but for some other system message: > > > > > > > > > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021; > > > bh=r8XLAjeCvrx > > > jCndiJeywanw7UmGo9LRF4gIb07HheJc=; h=date:to:from:subject; > > > d=relayclient.example.com; > > > b=QfD3av5+JxEZyCgzeZ7GcnhIf3/sMmeCNDtEvz/4/hGZf... > > > Received: from relayclient.example.com (<unknown> [172.16.13.2]) > > > by relayclient.example.com (OpenSMTPD) with ESMTPS id b3c796f1 > > > (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) > > > for <u...@example.net>; > > > Sat, 20 Nov 2021 06:40:29 -0800 (PST) > > > Received: by relayclient.example.com (Postfix) > > > id AFFC95E476; Sat, 20 Nov 2021 06:40:29 -0800 (PST) > > > Delivered-To: r...@relayclient.example.com > > > Received: by relayclient.example.com (Postfix, from userid 0) > > > id A961A5F42E; Sat, 20 Nov 2021 06:40:29 -0800 (PST) > > > Subject: unattended-upgrades result for relayclient.example.com: True > > > From: r...@relayclient.example.com > > > To: r...@relayclient.example.com > > > Auto-Submitted: auto-generated > > > MIME-Version: 1.0 > > > Content-Type: text/plain; charset="utf-8" > > > Content-Transfer-Encoding: quoted-printable > > > Message-Id: <20211120144029.a961a5f...@relayclient.example.com> > > > Date: Sat, 20 Nov 2021 06:40:29 -0800 (PST) > > > > > > > > > Note in this above headers that d=relayclient.example.com, as > > > expected. > > > > > > Here is smtpd.conf: > > > > > > > > > pki int_net cert "/etc/ssl/176.16.13.1.crt" > > > pki int_net key "/etc/ssl/private/smtp.example.com.key" > > > > > > table aliases file:/etc/mail/aliases > > > > > > filter "dkimsign_loc_rsa" proc-exec "filter-dkimsign \ > > > -d smtp.example.com -s 10172021 \ > > > -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group _dkimsign > > > > > > filter "dkimsign_int_rsa" proc-exec "filter-dkimsign \ > > > -d example.com \ > > > -d smtp.example.com \ > > > -d relayclient.example.com > > > -s 10172021 -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group > > > _dkimsign > > > > > > listen on socket > > > listen on lo0 filter "dkimsign_loc_rsa" > > > listen on vio1 tls pki int_net filter "dkimsign_int_rsa" > > > > > > action "local_mail" mbox alias <aliases> > > > action "local_redirect" relay host smtp+notls://127.0.0.1:25 > > > action "outbound" relay > > > > > > match from socket action "local_redirect" > > > match for local action "local_mail" > > > match from any for any action "outbound" > > > > > > > > > The vio1 interface is on the private network and access is controlled > > > through PF. > > > > > > Thank you! > > > > > > Paul > > > > > I can't reproduce this in the most simple form and I don't notice > > anything in the code that might point to a bug of this kind. > > (tried with smtp(1) and a single filter with the subdomains in the > > same order as you have) > > > > What the code does: it starts with the first domain in the list (in > > this > > case example.com) and then gets the domain part of the first e-mail > > address in the from-list and compares it to all the specified domains, > > if a match is found that domain is used. If none is found labels are > > stripped from the from-domain until a match is found. If none is found > > at all we stick with the first domain in the list. > > > > Since I highly doubt that example.com is the domain you're signing with > > my primary suspicion is that there's a discrepancy between the from- > > domain and the -d (which causes it to use the default name of > > example.com), but that this mismatch is obfuscated because of your > > redaction in this mail. > > > > If that's not the case, please provide me with a simple proof of > > concept, so that I can analyse this further. > > > > martijn@ > > Hi Martin, > > Apologies for taking so long to get back on this, but the messages still > inbox, so technically not breaking anything. However, I wanted to ask: > > The only time dkimsign is not using the correct domain for 'd=' is when > the From: header looks exactly like this:
You haven't given a reproducer for me to verify, so below is just my best guess of what goes wrong. > > From: r...@relayclient.example.com (Cron Daemon) According to RFC5322 section 3.4[0] this is not a valid e-mail format. It should either be (shortened for convenience): From: localpart@domain or From: display-name <localpart@domain> Since filter-dkimsign uses that syntax to find the domain name it fails and falls back to the first domain in the parameter list, which I assume is not relayclient.example.com. > > Versus: > > From: r...@relayclient.example.com > > Is it possible that somehow the '(Cron Daemon)' on the end is causing an > issue? > Most likely. > Unfortunately, I cannot read source to answer this question > myself, but I'm not clear that format is RFC compliant, as I've only > previously seen '<usern...@example.com>', 'usern...@example.com', or > 'Agent Smith <usern...@example.com>' formats in the RFCs. I really can't > find any other difference and I can send the unredacted headers, if this > isn't the issue. > > Thank you, > > > Paul > https://datatracker.ietf.org/doc/html/rfc5322#section-3.4
