Hello, I'm running postfix 2.7.0 and OpenDKIM Filter v2.0.2 on Ubuntu 10.04.4 LTS.
I managed to get DKIM signature working, but I still have a problem with multipart Content-Type. When it is so, I get

dkim=neutral (bad format) header.i=@devisubox.com

as authentication result. I suspect that I'm missing something that postfix does to my email after it has been signed, thus invalidating the signature.

Here is an example of what I get when the signature is invalid:

[... message header ...]
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of www-d...@devisubox.com designates 88.190.26.21 as permitted sender) smtp.mail=www-d...@devisubox.com;
       dkim=neutral (bad format) header.i=@devisubox.com
Received: by devisubox.com (Postfix, from userid 33)
        id 2448C64E621F; Thu, 21 Nov 2013 11:21:38 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=devisubox.com; s=mail;
        t=1385029298; bh=ATpHt+VUEoQCTgXX7I94lQqflcgT7sgxti12mBUDEtk=;
        h=To:Subject:MIME-Version:From:Content-Type:Message-ID:Date;
        b=TY1Ta6BY/GpzF8cP2DnRdNgsHLLm1HXIC6/+JsXaJ5HBZwp8uoW2HfEwyPOJHrf4W
         nSbuKvMYRMwwSAFz6jdRV+DWhwBtUICVejP3LGhCfBqDB3Ezusug+HdFpC8fajS5LY
         ccp+JO55DSWBkBqOvh0SEM4iUJKSGZytzLUzD+Mg=
To: salutcop...@gmail.com
Subject: Photo chantier - binomic ( cbaralotto )
X-PHP-Originating-Script: 33:htmlMimeMail5.php
MIME-Version: 1.0
X-Mailer: htmlMimeMail5 <http://www.phpguru.org/>
From: Devisubox Photos <ph...@devisubox.com>
Content-Type: multipart/related; boundary="=_2664b299b06652137daf3e016e5ee890"
Message-ID: <mwlzg2.cq8...@www.devisubox.com>
Date: Thu, 21 Nov 2013 11:21:38 +0100 (CET)

--=_2664b299b06652137daf3e016e5ee890
Content-Type: multipart/alternative; boundary="=_2c5b7d49393071bc293500a67b88e633"

--=_2c5b7d49393071bc293500a67b88e633
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

[... message content ...]

And what I get when the signature is valid:

[... message header ...]
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of www-d...@devisubox.com designates 88.190.26.21 as permitted sender) smtp.mail=www-d...@devisubox.com;
       dkim=pass (test mode) header.i=@devisubox.com
Received: by devisubox.com (Postfix, from userid 33)
        id 496C964E621F; Thu, 21 Nov 2013 11:16:05 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=devisubox.com; s=mail;
        t=1385028965; bh=75o/sAM/Vtv41UrIwg0b4q1zZtrst1XwSPtjrKyZij0=;
        h=To:Subject:From:Reply-To:Content-Type:Content-Transfer-Encoding:
         Message-Id:Date;
        b=RdHIj/TNeotb5TwnX57hP207bf2MXjNppsg+WJ0Qze6X7ctV/3gVJuoT++PuSkqBt
         iyf7AOxDWWTqXDSdX7LTFD6FfJjkwliS2JhDyQ10DGO4TjVJCfhB4mlrOB0clAS92p
         t7HJt2XY2BR88qCNElfmSWwuxceP/tccgI0co36k=
To: salutcop...@gmail.com
Subject: sujet
X-PHP-Originating-Script: 33:lib_tmp.php
From: intervent...@devisubox.com
Reply-To:
Content-Type:text/html;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <20131121101605.496c964e6...@devisubox.com>
Date: Thu, 21 Nov 2013 11:16:05 +0100 (CET)

[... message content ...]

Here is my postfix configuration:

main.cf :

inet_protocols = all
inet_interfaces = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
alias_maps = hash:/etc/aliases, nis:mail.aliases, hash:/var/spool/postfix/plesk/aliases
transport_maps = hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = 127.0.0.0/8 [::1]/128 88.190.26.21/32 [2a01:e0b:1000:26:be30:5bff:fed9:986]/128
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
mydestination = localhost.$mydomain, localhost, localhost.localdomain
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:110
virtual_gid_maps = static:31
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
smtpd_client_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re
myhostname = devisubox.com
myhostname = devisubox.com
myorigin = devisubox.com
#DKIM
milter_default_action = accept
#milter_protocol = 2
#smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
mailbox_size_limit = 1024000000
message_size_limit = 102400000
recipient_bcc_maps = regexp:/etc/postfix/googlemail.rxp
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox

master.cf :

pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       1       1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
  -o smtpd_milters=inet:127.0.0.1:8891
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/lemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=R user=list:list argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
plesk_virtual unix -    n       n       -       -       pipe
  flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
plesk_saslauthd unix y  y       y       -       1       plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
88.190.26.21- unix -    n       n       -       -       smtp
  -o smtp_bind_address=88.190.26.21
  -o smtp_bind_address6=
  -o smtp_address_preference=ipv4
submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=

----- end of master.cf

I suspect the mail to be edited between the DKIM signature and the actual send. But I can't figure out how to verify if it's the case.

Here is the content of /var/log/mail.log when I send a faulty message:

Nov 21 13:36:40 sd-30478 postfix/pickup[13771]: 0977264E621F: uid=33 from=<www-data>
Nov 21 13:36:40 sd-30478 postfix/cleanup[18292]: 0977264E621F: message-id=<mwm5p3.4sy...@www.devisubox.com>
Nov 21 13:36:40 sd-30478 postfix/qmgr[8755]: 0977264E621F: from=<www-d...@devisubox.com>, size=362976, nrcpt=1 (queue active)
Nov 21 13:37:01 sd-30478 postfix/smtp[18391]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c05::1a]:25: Connection timed out
Nov 21 13:37:01 sd-30478 postfix/smtp[18391]: certificate verification failed for gmail-smtp-in.l.google.com[173.194.67.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Nov 21 13:37:01 sd-30478 postfix/smtp[18391]: 0977264E621F: to=<salutcop...@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.67.26]:25, delay=22, delays=0.15/0/21/0.48, dsn=2.0.0, status=sent (250 2.0.0 OK 1385037421 u5si5467501wjw.66 - gsmtp)
Nov 21 13:37:01 sd-30478 postfix/qmgr[8755]: 0977264E621F: removed

----- end of log

I tried to remove some header fields from the signature (because I thought they could be changed in path), by editing /etc/opendkim.conf :

OmitHeaders Message-ID,MIME-Version,Content-Type,Date

But the signature is still not valid.

Is my hypothesis "the message is edited after it has been signed" possibly right? How can I check that?
Do you have an idea of what is possibly wrong with this? Could it come from DKIM? (I'll post the same question on its mailing list)

Jean-Christophe BEGUE
R&D Engineer - Devisubox
Marseille - France
+33 6 89 64 45 88
http://www.devisubox.com
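
One way to test the "edited after signing" hypothesis raised in the post above, as an added example that is not part of the original message: recompute the body hash of the message as it arrived under simple body canonicalization (the c=simple/simple and a=rsa-sha256 shown in the signatures) and compare it with the bh= tag. The function names and the sample message are constructed for illustration, and line endings are assumed to be safely normalised to CRLF.

```python
import base64
import hashlib
import re

def split_message(raw: bytes):
    """Return (header block, body) with line endings normalised to CRLF."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body

def simple_body_hash(body: bytes) -> str:
    """bh= value for simple body canonicalization with SHA-256 (RFC 6376, 3.4.3)."""
    while body.endswith(b"\r\n"):          # drop every empty line at the end
        body = body[:-2]
    return base64.b64encode(hashlib.sha256(body + b"\r\n").digest()).decode()

def signed_bh(head: bytes) -> str:
    """Extract the bh= tag from the first DKIM-Signature header field."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    for field in unfolded.split(b"\r\n"):
        name, _, value = field.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            for tag in value.split(b";"):
                key, _, val = tag.partition(b"=")
                if key.strip() == b"bh":
                    return re.sub(rb"\s+", b"", val).decode()
    raise ValueError("no DKIM-Signature header with a bh= tag")

def body_matches_signature(raw: bytes) -> bool:
    """True when the body as received still hashes to the signed bh= value."""
    head, body = split_message(raw)
    return simple_body_hash(body) == signed_bh(head)

# Constructed sample (example.com, made-up boundary); bh= is computed at "signing" time.
BODY = b"--=_b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--=_b1--\r\n"

def sample(body: bytes) -> bytes:
    head = (b"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;\r\n"
            b"\ts=mail; bh=" + simple_body_hash(BODY).encode() + b"; h=From; b=\r\n"
            b"From: a@example.com\r\n"
            b'Content-Type: multipart/related; boundary="=_b1"\r\n')
    return head + b"\r\n" + body

if __name__ == "__main__":
    print("as signed:          ", body_matches_signature(sample(BODY)))
    altered = BODY.replace(b"hello\r\n", b"hello \r\n")   # one added trailing space
    print("altered in transit: ", body_matches_signature(sample(altered)))
```

If the recomputed hash equals bh=, the body was not changed after signing, and the header fields listed in h= are the next thing to compare between the signed and received copies.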