On Mon, Jan 11, 2010 at 04:09:07PM +0100, Xavier Parizet wrote:
> On 10/01/2010 22:26, Matt Harrison wrote:
> > I say OT because it's my understanding of DKIM that lets me down here, not Gentoo. I'm
> > just not sure who to ask or even if it could be something Gentoo related.
> >
> > I've recently updated my postfix home mail server to use amavis-new for virus and spam
> > filtering rather than procmail/spamassassin.
> >
> > It seems to be working well and I've also enabled some other goodies like DKIM signing
> > and verification. I haven't confirmed signing is working yet, so maybe a side effect
> > of this email is that someone can confirm this for me ;)
>
> Your mail is not DKIM-Signed, check your setup.
|
Ok, thanks for checking, it appears that outbound messages weren't being passed to
amavis, I think I've rectified that now.
|
I can see the message being scanned in the logs, but not necessarily being signed
though. Inbound messages generate warnings such as:
|
dkim: not signing, no applicable private key for domains ruby-forum.com.....
|
but my outbound messages just scan clean. I've tried without sender maps and with
limiting them to my domain.
|
> > The main query I have is that a lot of the mail I get, in this case from various
> > mailing lists, appears to fail DKIM verification.
> >
> > For example, several of the posters on this list are DKIM signing their mail either as
> > part of gmail policy (or another big provider) or personal intent. Something in the
> > region of 50% of signed mail on this list contains headers such as:
> >
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=softfail
> > (fail, message has been altered) header.i=@gmail.com
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=softfail
> > (fail, message has been altered) header.from=xxxxxx@×××××.com
> >
> > Whereas the rest looks like this:
> >
> > Authentication-Results: genesis.genestate.com (amavisd-new); dkim=pass
> > header.i=@gmail.com
> > Authentication-Results: genesis.genestate.com (amavisd-new); domainkeys=pass
> > header.from=xxxxxx@×××××.com
> >
> > Now I find it unreasonable to assume that 50% of the mail I receive is being actively
> > tampered with, so it must be something getting twisted out of shape. All I'm trying to
> > discover is whether it's something at my end that I need to fiddle with. I followed a
> > few different guides to piece my setup together so it's quite possible I've overlooked
> > or misconfigured something.
>
> 90% chance the emails failing DKIM verification had their email subject modified
> to add "[gentoo-user]" in it by the mlmmj program that manages the mailing-list,
> which mainly concerns topic starts (i.e. first mails about one topic).
|
That would make a lot of sense, I'm not sure if it's just the first messages that are
doing it, but I have a feeling that others in a thread are also failing.
|
Thanks for your input Xavier, I think I need to get over to the amavis or postfix
guys, like Stroller said, to really figure out what is happening. |
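
The following Python example is added here and is not part of the original thread. It applies RFC 6376 "relaxed" header canonicalization to constructed sample headers and hashes the signed-header data, showing that refolding and whitespace changes leave the digest unchanged while a list tag prepended to the Subject changes it, which a verifier reports as "message has been altered". It assumes Subject is listed in the signature's h= tag, and it leaves out the DKIM-Signature header and the RSA check that a real verifier performs over this data.

```python
import hashlib
import re

# Constructed sample headers (not taken from the thread).
ORIGINAL = [
    ("From", "Alice Example <alice@example.org>"),
    ("To", "list@example.net"),
    ("Subject", "OT: DKIM   verification question"),
]
SIGNED = ["from", "to", "subject"]  # h= tag of a hypothetical signature


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"


def header_digest(headers, signed=SIGNED):
    """SHA-256 over the canonicalized signed headers, in h= order.

    Simplification: the DKIM-Signature header (with b= emptied) and the RSA
    verification are omitted; any change in this digest already means the
    signature can no longer verify.
    """
    by_name = {n.lower(): (n, v) for n, v in headers}
    data = "".join(relaxed_header(*by_name[h]) for h in signed)
    return hashlib.sha256(data.encode()).hexdigest()


def with_subject(headers, subject):
    """Return a copy of headers with the Subject value replaced."""
    return [(n, subject if n.lower() == "subject" else v) for n, v in headers]


if __name__ == "__main__":
    base = header_digest(ORIGINAL)
    cases = {
        "refolded by a relay": "OT: DKIM\r\n verification  question",
        "tagged by the list": "[gentoo-user] OT: DKIM verification question",
    }
    for label, subject in cases.items():
        same = header_digest(with_subject(ORIGINAL, subject)) == base
        print(f"{label}: {'digest unchanged' if same else 'digest changed'}")
```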