Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread John Levine
In article <1495829062.1095.13.ca...@mailman-hosting.com> you write:
>On Fri, 2017-05-26 at 17:13 +0100, Ken O'Driscoll wrote:
>> Any suggestions would be very welcome as long they don't involve
>> swapping out sendmail or Evolution!

What is the order of operations?  This is likely to break:

Evolution -> dkim signer -> sendmail -> world

This is likely to work:

Evolution -> sendmail -> dkim signer -> sendmail -> world

The first pass through sendmail cleans up whatever the MUA got wrong.

R's,
John



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread valdis . kletnieks
On Fri, 26 May 2017 15:56:21 -0700, Carl Byington said:
> Does that matter? The dkim signature (with t=) is generated on the mail
> server, which has the proper time.

I was considering what the introduction of an inaccurate Date: header
or other MUA-generated timestamps might do...





Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Carl Byington

On Fri, 2017-05-26 at 17:09 -0400, valdis.kletni...@vt.edu wrote:
> How many of the user agents are running on non-servers that don't have
> NTP?

Does that matter? The dkim signature (with t=) is generated on the mail
server, which has the proper time.




Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread valdis . kletnieks
On Fri, 26 May 2017 13:53:40 -0700, Carl Byington said:

> Yes, we have t= in the signature, but all the servers have clocks
> corrected by NTP. We are using relaxed/relaxed canonization.
>
> I should have mentioned that all this mail is generated by a wide
> variety of user agents (Outlook, Thunderbird, various iThings, etc). It

How many of the user agents are running on non-servers that don't have NTP?




Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Carl Byington

On Fri, 2017-05-26 at 18:38 +0300, Vladimir Dubrovin via mailop wrote:
> - Lines longer than 998 octets (unicode character takes few octets)
> - Missed Date:, Message-ID: or another required header
> - Unencoded 8-bit character in the header
> - Malformed From: header (with missed domain e.g. From: mailer-daemon
> or with unescaped special characters)
> - Invalid line termination (e.g. LF instead of CRLF)
> - Missed CRLF at the end of the message
> Last 2 are important if you have "simple" canonization for message
> body (use relaxed).

> DKIM can also fail due to clock skew, if you have t= in DKIM-
> Signature.

Yes, we have t= in the signature, but all the servers have clocks
corrected by NTP. We are using relaxed/relaxed canonization.

I should have mentioned that all this mail is generated by a wide
variety of user agents (Outlook, Thunderbird, various iThings, etc). It
is all normal corporate 1-1 individual mail - not transactional stuff
generated by some web form.

I doubt anyone but me is using Evolution, but I have not been able to
reproduce any of the dkim failures using that.



Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Jim Ohlstein
On Fri, 2017-05-26 at 17:13 +0100, Ken O'Driscoll wrote:
> I encountered something similar. Running sendmail/opendkim for outbound
> mail and saw intermittent DKIM failures.
> 
> On further investigation, I have narrowed my failures down to sending from
> my main MUA, Evolution. All my testing showed that other MUAs, including
> the Gmail mobile client, the BlackBerry mail client, Windows mail and
> Outlook 2016 work fine and the mail gets signed correctly. Only Evolution
> causes the signature to break, and it seems to happen all the time,
> regardless of any changes I make to the (rather limited) client-side
> encoding options.
> 
> However, Evolution relaying through a Google Apps domain with DKIM enabled
> works fine. So, I'm thinking it's a quirk somewhere between Evolution,
> sendmail and opendkim.
> 
> There are some forum posts about Thunderbird users having similar issues
> but they don't seem to have any resolution.
> 
> Would love to solve this issue but simply too busy at the moment to do
> further diagnostics.
> 
> Any suggestions would be very welcome as long they don't involve swapping
> out sendmail or Evolution!

I won't suggest it, but Evolution (3.24.2) with Postfix (3.1.0) and
Amavisd-new (for DKIM signing) works perfectly. See
https://www.mail-tester.com/web-mvts8.

> 
> Ken.
> 
> On Fri, 2017-05-26 at 08:00 -0700, Carl Byington wrote:
> > Using sendmail with opendkim for signing mostly works, but I have a few
> > domains with dmarc p=reject, and looking at the aggregate reports, I am
> > seeing some dkim=fail, spf=pass on a small amount of mail going to
> > google, comcast, etc. The aggregate reports show that mail is signed
> > with the right selector (default._domainkey.lynchexhibits.com).
> > 
> > lynchexhibits.com mail leaving ns27.routerdog2.com.
> > 
> > I have been unable to reproduce this by sending test messages to my
> > google test account. It may not be specific to sendmail/opendkim, since
> > I also see the same infrequent errors with another domain:
> > 
> > mbmg-media.com mail leaving *.outbound.protection.outlook.com.
> > 
> > Of course, that mail was never touched by sendmail/opendkim.
> > 
> > Any ideas for debugging this?
-- 
Jim Ohlstein
Professional Mailman Hosting
https://mailman-hosting.com/



Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Brandon Long via mailop
From our records, most of the errors are "Verify failed", which implies a
header mismatch (there are also a few body hash mismatch, which would be a
body issue instead).



On Fri, May 26, 2017 at 9:55 AM, John Levine wrote:

> In article <1495815209.2586.28.ca...@wemonitoremail.com> you write:
> >Any suggestions would be very welcome as long they don't involve swapping
> >out sendmail or Evolution!
>
> Put a shim between Evolution and sendmail so you can see what it's
> sending, and how sendmail rewrote it.
>
> From what you said, this is almost certainly sendmail fixing up format
> errors in the message after it was signed.
>
> R's,
> John
>


Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread John Levine
In article <1495815209.2586.28.ca...@wemonitoremail.com> you write:
>Any suggestions would be very welcome as long they don't involve swapping
>out sendmail or Evolution!

Put a shim between Evolution and sendmail so you can see what it's
sending, and how sendmail rewrote it.

From what you said, this is almost certainly sendmail fixing up format
errors in the message after it was signed.

R's,
John



Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Ken O'Driscoll

I encountered something similar. Running sendmail/opendkim for outbound
mail and saw intermittent DKIM failures.

On further investigation, I have narrowed my failures down to sending from
my main MUA, Evolution. All my testing showed that other MUAs, including
the Gmail mobile client, the BlackBerry mail client, Windows mail and
Outlook 2016 work fine and the mail gets signed correctly. Only Evolution
causes the signature to break, and it seems to happen all the time,
regardless of any changes I make to the (rather limited) client-side
encoding options.

However, Evolution relaying through a Google Apps domain with DKIM enabled
works fine. So, I'm thinking it's a quirk somewhere between Evolution,
sendmail and opendkim.

There are some forum posts about Thunderbird users having similar issues
but they don't seem to have any resolution.

Would love to solve this issue but simply too busy at the moment to do
further diagnostics.

Any suggestions would be very welcome as long they don't involve swapping
out sendmail or Evolution!

Ken.

On Fri, 2017-05-26 at 08:00 -0700, Carl Byington wrote:
> Using sendmail with opendkim for signing mostly works, but I have a few
> domains with dmarc p=reject, and looking at the aggregate reports, I am
> seeing some dkim=fail, spf=pass on a small amount of mail going to
> google, comcast, etc. The aggregate reports show that mail is signed
> with the right selector (default._domainkey.lynchexhibits.com).
> 
> lynchexhibits.com mail leaving ns27.routerdog2.com.
> 
> I have been unable to reproduce this by sending test messages to my
> google test account. It may not be specific to sendmail/opendkim, since
> I also see the same infrequent errors with another domain:
> 
> mbmg-media.com mail leaving *.outbound.protection.outlook.com.
> 
> Of course, that mail was never touched by sendmail/opendkim.
> 
> Any ideas for debugging this?



Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Vladimir Dubrovin via mailop

In most cases, DKIM check fails because message was improperly formatted
and was normalized by MTA before sending after DKIM signature is
applied. This usually means:

- Lines longer than 998 octets (unicode character takes few octets)
- Missed Date:, Message-ID: or another required header
- Unencoded 8-bit character in the header
- Malformed From: header (with missed domain e.g. From: mailer-daemon or
with unescaped special characters)
- Invalid line termination (e.g. LF instead of CRLF)
- Missed CRLF at the end of the message
Last 2 are important if you have "simple" canonization for message body
(use relaxed).

DKIM can also fail due to clock skew, if you have t= in DKIM-Signature.


26.05.2017 18:00, Carl Byington wrote:
> Using sendmail with opendkim for signing mostly works, but I have a few
> domains with dmarc p=reject, and looking at the aggregate reports, I am
> seeing some dkim=fail, spf=pass on a small amount of mail going to
> google, comcast, etc. The aggregate reports show that mail is signed
> with the right selector (default._domainkey.lynchexhibits.com).
>
> lynchexhibits.com mail leaving ns27.routerdog2.com.
>
> I have been unable to reproduce this by sending test messages to my
> google test account. It may not be specific to sendmail/opendkim, since
> I also see the same infrequent errors with another domain:
>
> mbmg-media.com mail leaving *.outbound.protection.outlook.com.
>
> Of course, that mail was never touched by sendmail/opendkim.
>
> Any ideas for debugging this?
>
>
-- 
Vladimir Dubrovin
@Mail.Ru

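The checklist above (over-long lines, missing Date:/Message-ID:, raw 8-bit header bytes, From: without a domain, bare LF, no final CRLF) can be run as a lint over a message captured between the MUA and sendmail, as John suggested earlier in the thread, to see which rewrite the MTA will apply after signing. This is an added example, not code from the thread or from opendkim/sendmail; lint_message() and the two sample messages are constructed for illustration:

```python
import re
from email.utils import parseaddr

def lint_message(raw: bytes) -> list:
    # Collect the pre-signing format problems found in a raw RFC 5322 message.
    problems = []
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    # Lines longer than 998 octets (the limit excludes the CRLF itself).
    for n, line in enumerate(re.split(rb"\r?\n", raw), 1):
        if len(line) > 998:
            problems.append(f"line {n} is {len(line)} octets (max 998)")
    # Required headers, ignoring folded continuation lines.
    names = {ln.split(b":", 1)[0].strip().lower()
             for ln in re.split(rb"\r?\n", head) if ln[:1] not in (b" ", b"\t")}
    problems += [f"missing {h} header" for h in ("from", "date", "message-id")
                 if h.encode() not in names]
    # Raw 8-bit bytes in the header section (should be RFC 2047 encoded).
    if any(b >= 0x80 for b in head):
        problems.append("unencoded 8-bit character in header section")
    # From: whose address has no domain part.
    m = re.search(rb"(?im)^from:[ \t]*(.*)$", head)
    if m and "@" not in parseaddr(m.group(1).strip().decode("latin-1"))[1]:
        problems.append("From: address has no domain")
    # LF not preceded by CR, and no CRLF at the very end of the message.
    if re.search(rb"(?<!\r)\n", raw):
        problems.append("bare LF line termination (expected CRLF)")
    if not raw.endswith(b"\r\n"):
        problems.append("message does not end with CRLF")
    return problems

# Constructed sample (not a real capture) of what a misbehaving MUA might hand to
# sendmail: LF line endings, a raw UTF-8 byte in Subject:, From: without a domain,
# no Message-ID:, one over-long body line and no terminator on the last line.
SAMPLE = (
    b"From: mailer-daemon\n"
    b"Subject: caf\xc3\xa9 order\n"
    b"Date: Fri, 26 May 2017 08:00:00 -0700\n"
    b"\n"
    + b"x" * 1000 + b"\n"
    + b"last line without terminator"
)

# The same message as a well-formed MUA would emit it; lint_message() returns [].
CLEAN = (
    b"From: Carl <carl@example.com>\r\n"
    b"Date: Fri, 26 May 2017 08:00:00 -0700\r\n"
    b"Message-ID: <constructed-id@example.com>\r\n"
    b"\r\n"
    b"Body line\r\n"
)
```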


Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Steve Atkins

> On May 26, 2017, at 8:00 AM, Carl Byington wrote:
> 
> Using sendmail with opendkim for signing mostly works, but I have a few
> domains with dmarc p=reject, and looking at the aggregate reports, I am
> seeing some dkim=fail, spf=pass on a small amount of mail going to
> google, comcast, etc. The aggregate reports show that mail is signed
> with the right selector (default._domainkey.lynchexhibits.com).
> 
> lynchexhibits.com mail leaving ns27.routerdog2.com.
> 
> I have been unable to reproduce this by sending test messages to my
> google test account. It may not be specific to sendmail/opendkim, since
> I also see the same infrequent errors with another domain:
> 
> mbmg-media.com mail leaving *.outbound.protection.outlook.com.
> 
> Of course, that mail was never touched by sendmail/opendkim.
> 
> Any ideas for debugging this?

Check for common factors in the content. A common-ish cause of DKIM
failures is messages which are badly-formed - not necessarily spec-violating,
but unusual in structure, encoding, line length and so on. Also check for common
delivery paths - if it's being forwarded through, say, anything in outlook.com
that's another sign.

You'll likely need more than aggregate reports to diagnose fully.

Cheers,
  Steve




Re: [mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Vick Khera
On Fri, May 26, 2017 at 11:00 AM, Carl Byington wrote:

> Any ideas for debugging this?
>

Do your messages have non-ascii in them? If so, be sure to QP encode them,
otherwise some intermediate transit relays may muck up the signatures by
rewriting them.


[mailop] dkim signature failures sendmail/opendkim

2017-05-26 Thread Carl Byington

Using sendmail with opendkim for signing mostly works, but I have a few
domains with dmarc p=reject, and looking at the aggregate reports, I am
seeing some dkim=fail, spf=pass on a small amount of mail going to
google, comcast, etc. The aggregate reports show that mail is signed
with the right selector (default._domainkey.lynchexhibits.com).

lynchexhibits.com mail leaving ns27.routerdog2.com.

I have been unable to reproduce this by sending test messages to my
google test account. It may not be specific to sendmail/opendkim, since
I also see the same infrequent errors with another domain:

mbmg-media.com mail leaving *.outbound.protection.outlook.com.

Of course, that mail was never touched by sendmail/opendkim.

Any ideas for debugging this?

