| 1 |
On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote: |
| 2 |
> Le 10/01/2010 22:26, Matt Harrison a ??crit : |
| 3 |
> > I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm |
| 4 |
> > just not sure who to ask or even if it could be something Gentoo related. |
| 5 |
> > |
| 6 |
> > I've recently updated my postfix home mail server to use amavis-new for virus and spam |
| 7 |
> > filtering rather than procmail/spamassassin. |
| 8 |
> > |
| 9 |
> > It seems to be working well and I've also enabled some other goodies like DKIM signing |
| 10 |
> > and verification. I haven't confirmed signing is working yet, so maybe a side effect |
| 11 |
> > of this email is that someone can confirm this for me ;) |
| 12 |
> |
| 13 |
> Your mail is not DKIM-Signed, check your setup. |
| 14 |
|
| 15 |
Ok, thanks for checking, it appears that outbound messages weren't being passed to |
| 16 |
amavis, I think I've rectified that now. |
| 17 |
|
| 18 |
I can see the message being scanned in the logs, but not necessarily being signed |
| 19 |
though. Inbound messages generate warnings such as: |
| 20 |
|
| 21 |
dkim: not signing, no applicable private key for domains ruby-forum.com..... |
| 22 |
|
| 23 |
but my outbound messages just scan clean. I've tried without sender maps and with |
| 24 |
limiting them to my domain. |
| 25 |
|
| 26 |
> > The main query I have is that a lot of the mail I get, in this case from various |
| 27 |
> > mailing lists, appears to failed DKIM verification. |
| 28 |
> > |
| 29 |
> > For example, several of the posters on this list are DKIM signing their mail either as |
| 30 |
> > part of gmail policy (or another big provider) or personal intent. Something in the |
| 31 |
> > region of 50% of signed mail on this list contains headers such as: |
| 32 |
> > |
| 33 |
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail |
| 34 |
> > (fail, message has been altered) header.i=@gmail.com |
| 35 |
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=softfail |
| 36 |
> > (fail, message has been altered) header.from=xxxxxx@×××××.com |
| 37 |
> > |
| 38 |
> > Whereas the rest looks like this: |
| 39 |
> > |
| 40 |
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass |
| 41 |
> > header.i=@gmail.com |
| 42 |
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass |
| 43 |
> > header.from=xxxxxx@×××××.com |
| 44 |
> > |
| 45 |
> > Now I find it unreasonable to assume that 50% of the mail I receive is being actively |
| 46 |
> > tampered with, so it must be something getting twisted out of shape. All I'm trying to |
| 47 |
> > discover is whether it's something at my end that I need to fiddle with. I followed a |
| 48 |
> > few different guides to piece my setup together so it's quite possible I've overlooked |
| 49 |
> > or misconfigured something. |
| 50 |
> |
| 51 |
> 90% chance the emails failing DKIM verification had their email subject modified |
| 52 |
> to add "[gentoo-user]" in it by the mlmmj program that manage the mailing-list, |
| 53 |
> which mainly concerns topic starts (ie first mails about one topic). |
| 54 |
|
| 55 |
That would make a lot of sense, I'm not sure if it's just the first messages that are |
| 56 |
doing it, but I have a feeling that others in a thread are also failing. |
| 57 |
|
| 58 |
Thanks for your input Xavier, I think I need to get over to the amavis or postfix |
| 59 |
guys, like Stroller said, to really figure out what is happening. |
Archives