Re: dkimsign uses unexpected domain in signature on message from Ubuntu/Postfix relay client
On Sun, 2022-01-23 at 09:29 -0800, Paul Pace wrote: > On 2021-11-24 04:01, Martijn van Duren wrote: > > On Tue, 2021-11-23 at 08:47 -0800, Paul Pace wrote: > > > Hello! > > > > > > I have an Ubuntu 18.04 server running Postfix 3.3 that relays through > > > a > > > local OpenSMTPD mail relay on OpenBSD 7.0. Messages sent from system > > > messages and directly from mail command are signed by dkimsign as > > > expected. > > > > > > Messages sent from letstencrypt run through cron.weekly are not being > > > signed by dkimsign with the expected domain. Log entries for correctly > > > signed and incorrectly signed messages are identical on both client > > > and > > > relay server. > > > > > > Here are the key portions of the header in the received inbox for the > > > cron.weekly job: > > > > > > > > > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021; > > > bh=rNFy7e0QC/J > > > YFcHTI8wUywlRSY3eJ4LLLsOZrSC0XBc=; h=date:subject:to:from; > > > d=example.com; > > > b=KqmB7rxJfpLcF6Nif/4bQRAbcQDDhVmFh+8KDeCqc9ujlr8ogK7... > > > Received: from relayclient.example.com ( [172.16.13.2]) > > > by smtp.example.com (OpenSMTPD) with ESMTPS id 44fa8358 > > > (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) > > > for ; > > > Sun, 14 Nov 2021 06:47:03 -0800 (PST) > > > Received: by relayclient.example.com (Postfix) > > > id 881F75F401; Sun, 14 Nov 2021 06:47:03 -0800 (PST) > > > Delivered-To: r...@relayclient.example.com > > > Received: by relayclient.example.com (Postfix, from userid 0) > > > id 81D885F402; Sun, 14 Nov 2021 06:47:03 -0800 (PST) > > > From: r...@relayclient.example.com (Cron Daemon) > > > To: r...@relayclient.example.com > > > Subject: Cron test -x /usr/sbin/anacron || ( cd / > > > && > > > run-parts --report /etc/cron.weekly ) > > > MIME-Version: 1.0 > > > Content-Type: text/plain; charset=ISO-8859-1 > > > Content-Transfer-Encoding: 8bit > > > X-Cron-Env: > > > X-Cron-Env: > > > > > > X-Cron-Env: > > > X-Cron-Env: > > > Message-Id: <2024144703.81d885f...@relayclient.example.com> > > > Date: Sun, 14 Nov 2021 06:47:03 -0800 (PST) > > > > > > > > > Note in this above headers that d=example.com and expected is > > > d=relayclient.example.com > > > > > > Here are the key portions of the headers in the received inbox from > > > the > > > same client but for some other system message: > > > > > > > > > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021; > > > bh=r8XLAjeCvrx > > > jCndiJeywanw7UmGo9LRF4gIb07HheJc=; h=date:to:from:subject; > > > d=relayclient.example.com; > > > b=QfD3av5+JxEZyCgzeZ7GcnhIf3/sMmeCNDtEvz/4/hGZf... > > > Received: from relayclient.example.com ( [172.16.13.2]) > > > by relayclient.example.com (OpenSMTPD) with ESMTPS id b3c796f1 > > > (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) > > > for ; > > > Sat, 20 Nov 2021 06:40:29 -0800 (PST) > > > Received: by relayclient.example.com (Postfix) > > > id AFFC95E476; Sat, 20 Nov 2021 06:40:29 -0800 (PST) > > > Delivered-To: r...@relayclient.example.com > > > Received: by relayclient.example.com (Postfix, from userid 0) > > > id A961A5F42E; Sat, 20 Nov 2021 06:40:29 -0800 (PST) > > > Subject: unattended-upgrades result for relayclient.example.com: True > > > From: r...@relayclient.example.com > > > To: r...@relayclient.example.com > > > Auto-Submitted: auto-generated > > > MIME-Version: 1.0 > > > Content-Type: text/plain; charset="utf-8" > > > Content-Transfer-Encoding: quoted-printable > > > Message-Id: <20211120144029.a961a5f...@relayclient.example.com> > > > Date: Sat, 20 Nov 2021 06:40:29 -0800 (PST) > > > > > > > > > Note in this above headers that d=relayclient.example.com, as > > > expected. > > > > > > Here is smtpd.conf: > > > > > > > > > pki int_net cert "/etc/ssl/176.16.13.1.crt" > > > pki int_net key "/etc/ssl/private/smtp.example.com.key" > > > > > > table aliases file:/etc/mail/aliases > > > > > > filter "dkimsign_loc_rsa" proc-exec "filter-dkimsign \ > > > -d smtp.example.com -s 10172021 \ > > > -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group _dkimsign > > > > > > filter "dkimsign_int_rsa" proc-exec "filter-dkimsign \ > > > -d example.com \ > > > -d smtp.example.com \ > > > -d relayclient.example.com > > > -s 10172021 -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group > > > _dkimsign > > > > > > listen on socket > > > listen on lo0 filter "dkimsign_loc_rsa" > > > listen on vio1 tls pki int_net filter "dkimsign_int_rsa" > > > > > > action "local_mail" mbox alias > > > action "local_redirect" relay host smtp+notls://127.0.0.1:25 > > > action "outbound" relay > > > > > > match from socket action "local_redirect" > > > match for local action "local_mail" > > > match from any for any action "outbound" > > > > > > > > > The vio1 interface is on the private network and access is controlled > > > through PF. > > > > > > Thank you! > > > > > > Paul > > > > > I can't reproduce this in the most simple form and I don't notice > > anything in the code
Re: dkimsign uses unexpected domain in signature on message from Ubuntu/Postfix relay client
On 2021-11-24 04:01, Martijn van Duren wrote: On Tue, 2021-11-23 at 08:47 -0800, Paul Pace wrote: Hello! I have an Ubuntu 18.04 server running Postfix 3.3 that relays through a local OpenSMTPD mail relay on OpenBSD 7.0. Messages sent from system messages and directly from mail command are signed by dkimsign as expected. Messages sent from letstencrypt run through cron.weekly are not being signed by dkimsign with the expected domain. Log entries for correctly signed and incorrectly signed messages are identical on both client and relay server. Here are the key portions of the header in the received inbox for the cron.weekly job: DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021; bh=rNFy7e0QC/J YFcHTI8wUywlRSY3eJ4LLLsOZrSC0XBc=; h=date:subject:to:from; d=example.com; b=KqmB7rxJfpLcF6Nif/4bQRAbcQDDhVmFh+8KDeCqc9ujlr8ogK7... Received: from relayclient.example.com ( [172.16.13.2]) by smtp.example.com (OpenSMTPD) with ESMTPS id 44fa8358 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) for ; Sun, 14 Nov 2021 06:47:03 -0800 (PST) Received: by relayclient.example.com (Postfix) id 881F75F401; Sun, 14 Nov 2021 06:47:03 -0800 (PST) Delivered-To: r...@relayclient.example.com Received: by relayclient.example.com (Postfix, from userid 0) id 81D885F402; Sun, 14 Nov 2021 06:47:03 -0800 (PST) From: r...@relayclient.example.com (Cron Daemon) To: r...@relayclient.example.com Subject: Cron test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Cron-Env: Message-Id: <2024144703.81d885f...@relayclient.example.com> Date: Sun, 14 Nov 2021 06:47:03 -0800 (PST) Note in this above headers that d=example.com and expected is d=relayclient.example.com Here are the key portions of the headers in the received inbox from the same client but for some other system message: DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021; bh=r8XLAjeCvrx jCndiJeywanw7UmGo9LRF4gIb07HheJc=; h=date:to:from:subject; d=relayclient.example.com; b=QfD3av5+JxEZyCgzeZ7GcnhIf3/sMmeCNDtEvz/4/hGZf... Received: from relayclient.example.com ( [172.16.13.2]) by relayclient.example.com (OpenSMTPD) with ESMTPS id b3c796f1 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) for ; Sat, 20 Nov 2021 06:40:29 -0800 (PST) Received: by relayclient.example.com (Postfix) id AFFC95E476; Sat, 20 Nov 2021 06:40:29 -0800 (PST) Delivered-To: r...@relayclient.example.com Received: by relayclient.example.com (Postfix, from userid 0) id A961A5F42E; Sat, 20 Nov 2021 06:40:29 -0800 (PST) Subject: unattended-upgrades result for relayclient.example.com: True From: r...@relayclient.example.com To: r...@relayclient.example.com Auto-Submitted: auto-generated MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20211120144029.a961a5f...@relayclient.example.com> Date: Sat, 20 Nov 2021 06:40:29 -0800 (PST) Note in this above headers that d=relayclient.example.com, as expected. Here is smtpd.conf: pki int_net cert "/etc/ssl/176.16.13.1.crt" pki int_net key "/etc/ssl/private/smtp.example.com.key" table aliases file:/etc/mail/aliases filter "dkimsign_loc_rsa" proc-exec "filter-dkimsign \ -d smtp.example.com -s 10172021 \ -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group _dkimsign filter "dkimsign_int_rsa" proc-exec "filter-dkimsign \ -d example.com \ -d smtp.example.com \ -d relayclient.example.com -s 10172021 -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group _dkimsign listen on socket listen on lo0 filter "dkimsign_loc_rsa" listen on vio1 tls pki int_net filter "dkimsign_int_rsa" action "local_mail" mbox alias action "local_redirect" relay host smtp+notls://127.0.0.1:25 action "outbound" relay match from socket action "local_redirect" match for local action "local_mail" match from any for any action "outbound" The vio1 interface is on the private network and access is controlled through PF. Thank you! Paul I can't reproduce this in the most simple form and I don't notice anything in the code that might point to a bug of this kind. (tried with smtp(1) and a single filter with the subdomains in the same order as you have) What the code does: it starts with the first domain in the list (in this case example.com) and then gets the domain part of the first e-mail address in the from-list and compares it to all the specified domains, if a match is found that domain is used. If none is found labels are stripped from the from-domain until a match is found. If none is found at all we stick with the first domain in the list. Since I highly doubt that example.com is the domain you're signing with my primary suspicion is that there's a discrepancy between the from- domain and the -d (which causes it to use the default
