I'm running spamass-milter. /etc/mail/spamassassin/v312.pre already has loadplugin Mail::SpamAssassin::Plugin::DKIM. Not seeing AuthRes anywhere in /etc/mail/spamassassin. So, I'm assuming the X-Spam-Status: tests=DKIM_INVALID,DKIM_SIGNED are SpamAssassin's agreement with OpenDKIM's Authentication-Results: dkim=fail reason="signature verification failed". I haven't seen any conflict between the dkim validation results so far.
It's great to know Matus is using the same combination and not seeing frequent DKIM failures, so it's my setup somehow. I'm not using smtp proxy and I don't believe I have any content filter set up. I've tried running opendkim as the only milter (commenting out opendmarc and spamassassin). There were no changes to validation results. > On May 9, 2025, at 6:17 AM, Matus UHLAR - fantomas via Postfix-users > <postfix-users@postfix.org> wrote: > > On 09.05.25 12:58, Dmitriy Alekseev via Postfix-users wrote: >> Did maybe you considering spin up rspamd proxy + normal instead of >> sa+opendkim+opendmarc, even if you do not move in end to rspamd you will at >> least get what issue relates to. It useless to honestly trying to analyze >> eml with modifications due to anonymization in scope of understanding why >> dkim broken, because now it's definitely broken ;) > > This makes no sense. I use the mentioned combination and have no issue with > it. > > If OP uses content filter in front of the mailserver, changing spam filtering > will not fix the issue. > > Dan has already recommended checking DKIM in SpamAssassin to see if it helps. > >> On Fri, 9 May 2025, 09:30 Matus UHLAR - fantomas via Postfix-users, < >> postfix-users@postfix.org> wrote: >> >>> On 08.05.25 15:06, Ken Biggs via Postfix-users wrote: >>> > OpenDKIM is failing signature verification on most incoming emails. Out >>> of >>> > 1,146 incoming emails, 173 have been successfully verified and 973 have >>> > "bad signature data". The failing emails include email from google, >>> > amazon, sailthru, and many other reasonably technically capable firms >>> > that I would expect to verify successfully. I have tested DNS lookups >>> and >>> > have found no issues with querying for the DKIM record. I have >>> researched >>> > for hours trying to find something helpful, but the few posts that >>> aren't >>> > specifically dealing with signing emails don't seem to address the >>> issues >>> > I'm seeing. BTW ... outgoing emails are signed properly and passing >>> DKIM >>> > validation. >>> > >>> >I'm running: >>> >Rocky Linux release 9.5 >>> >Postfix 3.5.25 >>> >OpenDKIM 2.11.0-0.34 >>> >OpenDMARC 1.4.2-22 >>> >SpamAssassin 3.4.6-5 >>> > >>> >main.cf has the following milter declarations: >>> >milter_default_action = accept >>> >milter_protocol = 6 >>> >smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893 >>> ,unix:/run/spamass-milter/spamass-milter.sock >>> >non_smtpd_milters = $smtpd_milters >>> > >>> >master.cf has: >>> >policyd-spf unix - n n - 0 spawn >>> > user=policyd-spf argv=/usr/libexec/postfix/policyd-sp >>> > >>> >I currently have opendmarc config RejectFailures set to false due to this >>> issue. I would like to set it back to true. >>> >>> is your server behind a content filter? >>> Don't you use smtp proxy by any chance? > > -- > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ > Warning: I wish NOT to receive e-mail advertising to this address. > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > I feel like I'm diagonally parked in a parallel universe. > _______________________________________________ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
