Re: [GLLUG] British Gas DKIM failure?
Hi again, I just installed the DKIM Verifier extension to Thunderbird on my laptop and that fails the email as well. My laptop has OpenSSL 3.1.4, so that has the bug as well. Still no closer to fixing this though. Regards, Henrik Morsing On Sun, Mar 31, 2024 at 03:30:47PM +0100, Henrik Morsing via GLLUG wrote: Hi all, Happy Easter. I have some days off, so finally had some time to look at this. Having disabled rejection in January gave me some more data to look at and it became obvious that anyone using 1024-bit keys failed the check and anyone using 2048-bit passed. I found one person out there who said his DKIM checks started failing on 1024-bit keys after he upgraded from OpenSSL 0.9.8 to 1.1.1 (My current version) but sadly no replies. So, my OpenSSL has a bug, I assume, but it's not really publicly known and no-one seems very concerned about it? Seem very odd. Tried to find somewhere in the configuration where a limit was set but couldn't find anything and also find it odd if that was the case. Regards, Henrik Morsing On Fri, Jan 12, 2024 at 03:48:17PM +, Henrik Morsing via GLLUG wrote: Good afternoon, Not dircetly Linux, sorry, but British Gas has spent the last year sending me letters saying they can't email me. When I look into it, their emails are rejected based on a bad DKIM signature. The problem is, not receiving the email, how can I find out what the problem is? mxtoolbox says their setup is fine, but that surely can't check the signature inside one of their emails. What is slightly odd is that DMARC policy is set to none, so shouldn't reject anything anyway. I can't say I'm a DKIM/DMARC expert, but this is what I see: Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@a1065858.bnc3.mailjet.com> to= proto=ESMTP helo= Not sure where to go from here though. Smells like their problem to me, but I don't want to tell them that without proof. Any hints? Regards, Henrik Morsing -- -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug -- -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug -- -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
Hi all, Happy Easter. I have some days off, so finally had some time to look at this. Having disabled rejection in January gave me some more data to look at and it became obvious that anyone using 1024-bit keys failed the check and anyone using 2048-bit passed. I found one person out there who said his DKIM checks started failing on 1024-bit keys after he upgraded from OpenSSL 0.9.8 to 1.1.1 (My current version) but sadly no replies. So, my OpenSSL has a bug, I assume, but it's not really publicly known and no-one seems very concerned about it? Seem very odd. Tried to find somewhere in the configuration where a limit was set but couldn't find anything and also find it odd if that was the case. Regards, Henrik Morsing On Fri, Jan 12, 2024 at 03:48:17PM +, Henrik Morsing via GLLUG wrote: Good afternoon, Not dircetly Linux, sorry, but British Gas has spent the last year sending me letters saying they can't email me. When I look into it, their emails are rejected based on a bad DKIM signature. The problem is, not receiving the email, how can I find out what the problem is? mxtoolbox says their setup is fine, but that surely can't check the signature inside one of their emails. What is slightly odd is that DMARC policy is set to none, so shouldn't reject anything anyway. I can't say I'm a DKIM/DMARC expert, but this is what I see: Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@a1065858.bnc3.mailjet.com> to= proto=ESMTP helo= Not sure where to go from here though. Smells like their problem to me, but I don't want to tell them that without proof. Any hints? Regards, Henrik Morsing -- -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug -- -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
Hi, On 28 Jan 2024 at 14:37:43, Marco van Beek via GLLUG wrote: > On 27/01/2024 18:08, Henrik Morsing via GLLUG wrote: > > > > I'm now getting the same from the Land Registry: > > > > I wish there was a test I could do to check what is actually wrong... > > > Okay, so this would indicate that it is more likely something wrong at your > end rather than at theirs. I think that this point, I would start to wonder > if there is anything at your end that is altering the email before it gets > to the DKIM check. this makes sense. I would also check if DKIM can be verified by, for example, mails coming from gmail.com. In my mail client: I view the headers to see the "Authentication-Results". For an email from gmail.com to my mail server with DKIM I see that it says "dkim=pass". But, note, that DMARC for gmail.com says policy "none" and for the British Gas / Land registry I think that says "policy=reject". So, I wonder, does DKIM verification always fails for Henrik? (e.g. wrong DNS lookups from DKIM, it happened to me). And, for some domains, this is a reject and other domains, is "nothing happens". [...] > Maybe something in your system is altering something in a field that is > being used by the British Gas and Land registry emails, like adding an > "EXTERNAL" into the subject line before the DKIM test? that's a good idea to check as well. For reference, an email that I am checking the headers says: Subject:From:To:Date:message-id:x-mailer-recipientid:fe +edback-id:list-unsubscribe-post:list-unsubscribe:precedence:x-mailru-msgtype:x-campaignid:rep +ly-to:MIME-Version:Content-Type So, if the subject changed before verifying DKIM, it would not pass. Cheers, -- Carles Pina i Estany https://carles.pina.cat signature.asc Description: PGP signature -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
On 27/01/2024 18:08, Henrik Morsing via GLLUG wrote: I'm now getting the same from the Land Registry: I wish there was a test I could do to check what is actually wrong... Okay, so this would indicate that it is more likely something wrong at your end rather than at theirs. I think that this point, I would start to wonder if there is anything at your end that is altering the email before it gets to the DKIM check. So, I suggest you check good DKIM signatures against "bad" DKIM signatures, and look at which headers are being used to create the signature (the "h" in the DKIM header) and see if there is a patterns. On an email directly from me, you would see "h=Date:Cc:Subject:To:References:From:In-Reply-To:From;" in the header. Maybe something in your system is altering something in a field that is being used by the British Gas and Land registry emails, like adding an "EXTERNAL" into the subject line before the DKIM test? Regards Marco -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
Hi, On 27 Jan 2024 at 18:08:36, Henrik Morsing via GLLUG wrote: > > I'm now getting the same from the Land Registry: > > Jan 27 18:05:24 emil postfix/smtpd[734113]: DA88621F91: > client=d218-4.smtp-out.eu-west-2.amazonses.com[23.249.218.4] > Jan 27 18:05:24 emil postfix/cleanup[734121]: DA88621F91: > message-id=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000...@eu-west-2.amazonses.com> > Jan 27 18:05:24 emil opendkim[768]: DA88621F91: > d218-4.smtp-out.eu-west-2.amazonses.com [23.249.218.4] not internal > Jan 27 18:05:24 emil opendkim[768]: DA88621F91: not authenticated > Jan 27 18:05:25 emil opendkim[768]: DA88621F91: message has signatures from > accounts.landregistry.gov.uk, amazonses.com > Jan 27 18:05:25 emil opendkim[768]: DA88621F91: > s=s7vtg5zfwt6jcj77lxzbi3rmck6i6vrp d=accounts.landregistry.gov.uk > a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature > Jan 27 18:05:25 emil opendkim[768]: DA88621F91: bad signature data DKIM (signature from the server) for this email is not valid. Why? I think (this is a copy-paste from a... ChatGPT conversation): Email Tampering: The email content might have been altered in transit, causing a mismatch between the content and the signature. Incorrect Signature: The sender's mail server might have incorrectly signed the email, possibly due to a misconfiguration. DKIM Record Issues: There could be issues with the DKIM public key record in the DNS. This might include errors in the DNS entry or propagation delays. Header Modification: Some intermediate mail servers might modify headers, which can invalidate the DKIM signature. > Jan 27 18:05:25 emil opendmarc[1652567]: DA88621F91: > accounts.landregistry.gov.uk fail > Jan 27 18:05:25 emil postfix/cleanup[734121]: DA88621F91: milter-reject: > END-OF-MESSAGE from d218-4.smtp-out.eu-west-2.amazonses.com[23.249.218.4]: > 5.7.1 rejected by DMARC policy for accounts.landregistry.gov.uk; > from=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000...@eu-west-2.amazonses.com> > to= proto=ESMTP > helo= Their DMARC policy can be seen here: https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3alandregistry.gov.uk=toolpage It says that if DKIM fails it should be rejected (strict mode). Your opendmarc does this. > I wish there was a test I could do to check what is actually wrong... I don't remember, do you control your own postfix mail setup? Two ideas: -disable opendmarc - so an invalid dkim would still be allowed. I think that this is a setup that I have. Spamassassin still give good/bad points I think based on DKIM_INVALID, etc. if you used something like spamassassin -Check opendmarc configuration. I don't have it handy but https://manpages.ubuntu.com/manpages/jammy/en/man5/opendmarc.conf.5.html (so, man 5 opendmarc) suggests "CopyFailuresTo" where, somehow, maybe you could keep the failures somewhere? See them, check then manually the DKIM signature? It also has FailureReportsBcc, maybe even IgnoreHosts might be interesting? I haven't used the opendmarc options. I'd be interested in knowing how you get on. Cheers, > > Regards, > Henrik Morsing > > > On Fri, Jan 12, 2024 at 03:48:17PM +, Henrik Morsing via GLLUG wrote: > > > > Good afternoon, > > > > Not dircetly Linux, sorry, but British Gas has spent the last year sending > > me letters saying they can't email me. When I look into it, their emails > > are rejected based on a bad DKIM signature. > > > > The problem is, not receiving the email, how can I find out what the > > problem is? mxtoolbox says their setup is fine, but that surely can't check > > the signature inside one of their emails. > > > > What is slightly odd is that DMARC policy is set to none, so shouldn't > > reject anything anyway. > > > > I can't say I'm a DKIM/DMARC expert, but this is what I see: > > > > Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet > > d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa > > routines:int_rsa_verify:bad signature > > Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail > > Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: > > END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by > > DMARC policy for britishgas.co.uk; > > from=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@a1065858.bnc3.mailjet.com> > > to= proto=ESMTP helo= > > > > Not sure where to go from here though. Smells like their problem to me, but > > I don't want to tell them that without proof. Any hints? > > > > Regards, > > Henrik Morsing > > -- > > > > > > -- > > GLLUG mailing list > > GLLUG@mailman.lug.org.uk > > https://mailman.lug.org.uk/mailman/listinfo/gllug > > -- > > > -- > GLLUG mailing list > GLLUG@mailman.lug.org.uk > https://mailman.lug.org.uk/mailman/listinfo/gllug -- Carles Pina i Estany https://carles.pina.cat signature.asc Description: PGP signature -- GLLUG mailing list
Re: [GLLUG] British Gas DKIM failure?
I'm now getting the same from the Land Registry: Jan 27 18:05:24 emil postfix/smtpd[734113]: DA88621F91: client=d218-4.smtp-out.eu-west-2.amazonses.com[23.249.218.4] Jan 27 18:05:24 emil postfix/cleanup[734121]: DA88621F91: message-id=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000...@eu-west-2.amazonses.com> Jan 27 18:05:24 emil opendkim[768]: DA88621F91: d218-4.smtp-out.eu-west-2.amazonses.com [23.249.218.4] not internal Jan 27 18:05:24 emil opendkim[768]: DA88621F91: not authenticated Jan 27 18:05:25 emil opendkim[768]: DA88621F91: message has signatures from accounts.landregistry.gov.uk, amazonses.com Jan 27 18:05:25 emil opendkim[768]: DA88621F91: s=s7vtg5zfwt6jcj77lxzbi3rmck6i6vrp d=accounts.landregistry.gov.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature Jan 27 18:05:25 emil opendkim[768]: DA88621F91: bad signature data Jan 27 18:05:25 emil opendmarc[1652567]: DA88621F91: accounts.landregistry.gov.uk fail Jan 27 18:05:25 emil postfix/cleanup[734121]: DA88621F91: milter-reject: END-OF-MESSAGE from d218-4.smtp-out.eu-west-2.amazonses.com[23.249.218.4]: 5.7.1 rejected by DMARC policy for accounts.landregistry.gov.uk; from=<010b018d4c1902e5-14919a91-2793-4c5e-8d86-4091eaeb1175-000...@eu-west-2.amazonses.com> to= proto=ESMTP helo= I wish there was a test I could do to check what is actually wrong... Regards, Henrik Morsing On Fri, Jan 12, 2024 at 03:48:17PM +, Henrik Morsing via GLLUG wrote: Good afternoon, Not dircetly Linux, sorry, but British Gas has spent the last year sending me letters saying they can't email me. When I look into it, their emails are rejected based on a bad DKIM signature. The problem is, not receiving the email, how can I find out what the problem is? mxtoolbox says their setup is fine, but that surely can't check the signature inside one of their emails. What is slightly odd is that DMARC policy is set to none, so shouldn't reject anything anyway. I can't say I'm a DKIM/DMARC expert, but this is what I see: Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@a1065858.bnc3.mailjet.com> to= proto=ESMTP helo= Not sure where to go from here though. Smells like their problem to me, but I don't want to tell them that without proof. Any hints? Regards, Henrik Morsing -- -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug -- -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
On Wed, Jan 17, 2024 at 11:26:22PM +, Carles Pina i Estany via GLLUG wrote: Nothing top secret. It's not a public script because I have it in a repo with internal tools for the personal server. [...] Cheers, -- Carles Pina i Estany https://carles.pina.cat Thanks! Regards, Henrik Morsing -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
Hi, On 17 Jan 2024 at 12:30:15, Henrik Morsing via GLLUG wrote: > On Mon, Jan 15, 2024 at 07:45:25PM +, Carles Pina i Estany via GLLUG > wrote: > > > > Hi, > > > > Hi, > > > > > Side note, almost unrelated. > > > > In a personal/family server I have a nightly script that sends me which > > emails have been rejected by the server. Why? Postfix, in my > > configuration, rejects some emails. For example, from the Birmingham > > Zoo, bto.org, etc. so I get an email in the morning with the rejections > > of the day before and if I want to I add them in sender_access. In 1.5 > > years I have 14 domains there. > > > > When time allows, I will add the DKIM rejections as well, based on your > > case. Just in case. So thanks for sharing. I wonder if DKIM is rejecting > > some "legit" (or "expected") email. > > > > Sounds very useful, something you can share or is it top secret? Nothing top secret. It's not a public script because I have it in a repo with internal tools for the personal server. What I have detects the emails rejected by "Client host rejected: cannot find your reverse hostname" and "Client host rejected: cannot find your hostname". This is the script that parses the Postfix logs for those errors: https://gist.github.com/cpina/e97c0da58f42a0db83b3886674de4410 I call (from cron) it from this Bash script: https://gist.github.com/cpina/79b4f425facb6b97aaea4c572307de3a The email looks like this: https://gist.github.com/cpina/4c49df824742c5ae1d273170939795be The reason that I wrote it was, as I said, I set up postfix to reject emails based on the hostname (it reduced Spam) but some, very few services, have the email set up in a way that is wrong. Then I can see them and I add them in sender_access in Postfix. What I will do, some day, is make sure that emails rejected because of DMARC, are also there. So, if I expected an email from britishgas or whoever and it appears in the morning email the day after, I would know faster. Not ideal, but email seems full of not-ideal things :-) Cheers, -- Carles Pina i Estany https://carles.pina.cat signature.asc Description: PGP signature -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
On Mon, Jan 15, 2024 at 07:45:25PM +, Carles Pina i Estany via GLLUG wrote: Hi, Hi, Side note, almost unrelated. In a personal/family server I have a nightly script that sends me which emails have been rejected by the server. Why? Postfix, in my configuration, rejects some emails. For example, from the Birmingham Zoo, bto.org, etc. so I get an email in the morning with the rejections of the day before and if I want to I add them in sender_access. In 1.5 years I have 14 domains there. When time allows, I will add the DKIM rejections as well, based on your case. Just in case. So thanks for sharing. I wonder if DKIM is rejecting some "legit" (or "expected") email. Sounds very useful, something you can share or is it top secret? Regards, Henrik Morsing -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
On Sun, Jan 14, 2024 at 06:06:56PM +, Marco van Beek via GLLUG wrote: Hi, Hi, So looking at this, and Andy's email with what he sees, it looks like his British Gas emails are coming from a different place to yours. His are coming from SalesForce, and yours are coming from Mail Jet, so I don't think we can draw much from that. I think the next thing to look at is maybe this is an SSL issue, so I found thse: https://github.com/openssl/openssl/issues/8010 https://portal.microfocus.com/s/article/KM15515?language=en_US Good find, very odd issue. Can try if that helps, I might have to contact BG to find out what they are emailing me and how frequent, to verify if it works. That would indicate a possible issue within some Intel Goldmont processors, and can be fixed with telling OpenSSL not to use the hardware for this This is running on a nanode though, and I am getting: vendor_id : AuthenticAMD Regards, Henrik Morsing -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
Hi, On 15 Jan 2024 at 18:07:08, Andy Smith via GLLUG wrote: > Hi, > > On Sun, Jan 14, 2024 at 06:06:56PM +, Marco van Beek via GLLUG wrote: > > So looking at this, and Andy's email with what he sees, it looks like his > > British Gas emails are coming from a different place to yours. His are > > coming from SalesForce, and yours are coming from Mail Jet, so I don't think > > we can draw much from that. > > I should maybe have gone a bit further back, as those last two > emails were both about the upcoming changes to the price cap, so > conceivably might have been sent from a different system than, say, > an account statement. > > I shall have a look when I'm not camped out on a datacentre floor… Side note, almost unrelated. In a personal/family server I have a nightly script that sends me which emails have been rejected by the server. Why? Postfix, in my configuration, rejects some emails. For example, from the Birmingham Zoo, bto.org, etc. so I get an email in the morning with the rejections of the day before and if I want to I add them in sender_access. In 1.5 years I have 14 domains there. When time allows, I will add the DKIM rejections as well, based on your case. Just in case. So thanks for sharing. I wonder if DKIM is rejecting some "legit" (or "expected") email. Cheers, -- Carles Pina i Estany https://carles.pina.cat signature.asc Description: PGP signature -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
Hi, On Sun, Jan 14, 2024 at 06:06:56PM +, Marco van Beek via GLLUG wrote: > So looking at this, and Andy's email with what he sees, it looks like his > British Gas emails are coming from a different place to yours. His are > coming from SalesForce, and yours are coming from Mail Jet, so I don't think > we can draw much from that. I should maybe have gone a bit further back, as those last two emails were both about the upcoming changes to the price cap, so conceivably might have been sent from a different system than, say, an account statement. I shall have a look when I'm not camped out on a datacentre floor… Thanks, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
Hi, So looking at this, and Andy's email with what he sees, it looks like his British Gas emails are coming from a different place to yours. His are coming from SalesForce, and yours are coming from Mail Jet, so I don't think we can draw much from that. I think the next thing to look at is maybe this is an SSL issue, so I found thse: https://github.com/openssl/openssl/issues/8010 https://portal.microfocus.com/s/article/KM15515?language=en_US That would indicate a possible issue within some Intel Goldmont processors, and can be fixed with telling OpenSSL not to use the hardware for this Maybe that is worth looking in to. Regards, Marco On 12/01/2024 18:28, Henrik Morsing via GLLUG wrote: On Fri, Jan 12, 2024 at 04:20:34PM +, Marco van Beek via GLLUG wrote: Hi, I suggest grepping your logs for "2F7612233E" as that should pull up all the the info related to that email from the point Postfix accepts the connection until it closes, and see if that tells you some more. Regards, Marco Hi Marco, This is what I see: Dec 22 12:37:12 emil postfix/smtpd[3996527]: 2F7612233E: client=o94.p12.mailjet.com[87.253.237.94] Dec 22 12:37:12 emil postfix/cleanup[3996586]: 2F7612233E: message-id=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@mailjet.com> Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: o94.p12.mailjet.com [87.253.237.94] not internal Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: not authenticated Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: bad signature data Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@a1065858.bnc3.mailjet.com> to= proto=ESMTP helo= Regards, Henrik Morsing -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
Hello, On Fri, Jan 12, 2024 at 03:48:17PM +, Henrik Morsing via GLLUG wrote: > The problem is, not receiving the email, how can I find out what > the problem is? mxtoolbox says their setup is fine, but that > surely can't check the signature inside one of their emails. The last two emails I got from britishgas were as follows KIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=50dkim1; d=mail.energy.britishgas.co.uk; h=From:To:Subject:Date:List-Help:MIME-Version:Reply-To:List-ID: X-CSA-Complaints:Message-ID:Content-Type; i=serv...@mail.energy.britishgas.co.uk; bh=QMYT+RDkU4FYUyf7M4FXTSUBCO1hzJNcsLmSKfzziAs=; b=hfEOZ/D56Cu8Rq3xGoqQ8gl0r3DkeHnoOD0a8VhimuW8NX111M4dZrW16lwjTzI6sMK/mimu8/fq uilPS//eo9auRP63DzW6nMXls/0yFga1YTqRIB2Jra5qx82L23BOdIbltllAM9F2nQ9uw5ndg+7L C2woxf/xLEqSeCWZoG6NM5vyG1/hTxvReikCLwMe5ZIvVc4+So2TTIj56+LL/NfvuWaQd6K02JLQ 53qIHHxmeODjdBbY9d0hwonw75Y13qxLZWM8Rt+LkscAp5+YXt7PleTSwmBO4BeRYO3mianhQQ9T dXg1JbS0QZMV4mTCPN582dSVdIrM4WmVmtvm4g== From: British Gas Energy Date: Wed, 22 Nov 2023 07:36:27 -0600 X-Spam-ASN: AS14340 161.71.0.0/17 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=50dkim1; d=mail.energy.britishgas.co.uk; h=From:To:Subject:Date:List-Help:MIME-Version:Reply-To:List-ID: X-CSA-Complaints:Message-ID:Content-Type; i=serv...@mail.energy.britishgas.co.uk; bh=B+srJaEDKRO05DxBfcpT59B2n5VWQfXHWAmvNYAA4vo=; b=Gxs6BnfoCDd45O/19TTBdE032a3Pzboox3XiSKEFzfp25HvWOpgwISOvNQB9yDtvM1Rh/Xna0K2r 9ZiErJKjDKyospCH+EQr+zGxVES3M+HYWu4bWumZoFP9mUMH4WGqAEec75HTzBjntDUmbHglOLiN /AaFB0JmPiVub4sxrSAz1g1T7RzzMuWHjwhsJs89wEqcJe7nmd7iEAQ02dipPdxnWKfh0l2EUBwY kjHZP8gdJkBlHjgJtkpqMpHc8aP92qqBGIZZnrXTbwM2rn7Gpf0HdyR7T8RrXpqbBPbpdiJj7NIt rDnpxUjSxM+HtRjY5mMjV/0xHEgobmHW63bpuw== From: British Gas Energy Date: Fri, 08 Dec 2023 05:03:30 -0600 X-Spam-ASN: AS14340 161.71.0.0/17 They both passed DKIM, and both came from Salesforce IP space. From 161.71.69.229 to be exact. Thanks, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
On Fri, Jan 12, 2024 at 04:20:34PM +, Marco van Beek via GLLUG wrote: Hi, I suggest grepping your logs for "2F7612233E" as that should pull up all the the info related to that email from the point Postfix accepts the connection until it closes, and see if that tells you some more. Regards, Marco Hi Marco, This is what I see: Dec 22 12:37:12 emil postfix/smtpd[3996527]: 2F7612233E: client=o94.p12.mailjet.com[87.253.237.94] Dec 22 12:37:12 emil postfix/cleanup[3996586]: 2F7612233E: message-id=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@mailjet.com> Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: o94.p12.mailjet.com [87.253.237.94] not internal Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: not authenticated Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: bad signature data Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@a1065858.bnc3.mailjet.com> to= proto=ESMTP helo= Regards, Henrik Morsing -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] British Gas DKIM failure?
Hi, So first of all, as far as I can see, British Gas's DMARC policy is set to "reject". BUT, the email is actually coming from MailJet, from the limited info below. I think what you need to check if you can, is what the name of the DKIM signature they are using actually is, and maybe that will give you some more info. I also can't see any reference to MailJet in their SPF, but my guess is that they are using MailJet in the envelope and then British Gas in the header. And no, what MX toolbox can do in terms of DKIM is limited. It can look up the key, but that is about it. The DKIM tester I use require you to send them a test email, which you can't do. So yes, there is a DKIM key for mailjet in their DNS, but no idea if they are using it correctly. I suggest grepping your logs for "2F7612233E" as that should pull up all the the info related to that email from the point Postfix accepts the connection until it closes, and see if that tells you some more. Regards, Marco On 12/01/2024 15:48, Henrik Morsing via GLLUG wrote: Good afternoon, Not dircetly Linux, sorry, but British Gas has spent the last year sending me letters saying they can't email me. When I look into it, their emails are rejected based on a bad DKIM signature. The problem is, not receiving the email, how can I find out what the problem is? mxtoolbox says their setup is fine, but that surely can't check the signature inside one of their emails. What is slightly odd is that DMARC policy is set to none, so shouldn't reject anything anyway. I can't say I'm a DKIM/DMARC expert, but this is what I see: Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@a1065858.bnc3.mailjet.com> to= proto=ESMTP helo= Not sure where to go from here though. Smells like their problem to me, but I don't want to tell them that without proof. Any hints? Regards, Henrik Morsing -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
[GLLUG] British Gas DKIM failure?
Good afternoon, Not dircetly Linux, sorry, but British Gas has spent the last year sending me letters saying they can't email me. When I look into it, their emails are rejected based on a bad DKIM signature. The problem is, not receiving the email, how can I find out what the problem is? mxtoolbox says their setup is fine, but that surely can't check the signature inside one of their emails. What is slightly odd is that DMARC policy is set to none, so shouldn't reject anything anyway. I can't say I'm a DKIM/DMARC expert, but this is what I see: Dec 22 12:37:12 emil opendkim[768]: 2F7612233E: s=mailjet d=britishgas.co.uk a=rsa-sha256 SSL error:04091068:rsa routines:int_rsa_verify:bad signature Dec 22 12:37:13 emil opendmarc[3858740]: 2F7612233E: britishgas.co.uk fail Dec 22 12:37:13 emil postfix/cleanup[3996586]: 2F7612233E: milter-reject: END-OF-MESSAGE from o94.p12.mailjet.com[87.253.237.94]: 5.7.1 rejected by DMARC policy for britishgas.co.uk; from=<296f63a1.caaabphwdncaakg7asyaaycquv4aabbdggblh...@a1065858.bnc3.mailjet.com> to= proto=ESMTP helo= Not sure where to go from here though. Smells like their problem to me, but I don't want to tell them that without proof. Any hints? Regards, Henrik Morsing -- -- GLLUG mailing list GLLUG@mailman.lug.org.uk https://mailman.lug.org.uk/mailman/listinfo/gllug
